hopefully the end of chroot patch distribution discussion

James Dennis jdennis at law.harvard.edu
Thu May 30 23:52:38 EST 2002


Hello everyone,

> > OpenSSH needs a chroot patch.
> 
> but not a /./ hack.

Yes, I agree with Markus. The /./ is fine for some environments, but not all. Something I'm hoping everyone who intends to use that patch has thought about is that if people log in via other means, they are not chrooted. If you only run ssh and httpd, like I do on most of the systems I have that patch on, it's probably ok (the users just don't get accounts on the other systems). If you run ftp and ssh and both accept the chrooted users' logins, then they won't be chrooted via ftp (it's possible, but probably not the default depending on the daemon) even though they are in ssh.
The reason the chroot patch isn't distributed with OpenSSH, from what I understand (correct me if I'm wrong), is because the chroot should not occur in just the daemon. The chroot ideally would occur in the system itself, somewhere along the logging-in path, so that the user would be chrooted in the system and would end up being chrooted regardless of how they are accessing the system. As mentioned before, try telnetting/ftp/whatever you want to the system and you will see that the chroot doesn't affect you.

However, if you feel you have a situation similar to mine where the only method of someone logging into the system is via ssh, my patch will most likely be sufficient.

Hopefully what I've just said will be enough to put a nail in the "why doesn't openssh have chrooting" discussion's coffin.

-James
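Added example (not from James's post, his patch, or OpenSSH itself): a small C sketch of the "/./" home-directory convention the thread refers to, where the part of the home path before "/./" becomes the chroot root and the part after it the working directory inside the jail, followed by the order of calls a login-path helper has to use so the jail actually holds. The function names, the sample home path and the uid/gid are my own assumptions.

```c
/* Added example, not code from the list post or from OpenSSH.
 * Shows the "/./" marker convention and the chroot/chdir/drop-privs
 * order that any login-path chroot helper (sshd, ftpd, login) needs. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Split "/home/jail/./bob" into root="/home/jail" and inside="/bob".
 * Returns 1 if the marker was found, 0 if this is an ordinary home
 * (no chroot wanted), -1 if the path is unusable or a buffer is too small. */
int split_chroot_home(const char *home, char *root, size_t rootsz,
                      char *inside, size_t insidesz)
{
    const char *mark = strstr(home, "/./");
    if (mark == NULL)
        return 0;
    size_t rootlen = (size_t)(mark - home);
    const char *rest = mark + 2;            /* keep the leading '/' */
    if (rootlen == 0 || rootlen >= rootsz || strlen(rest) >= insidesz)
        return -1;                          /* refuse chroot("") etc. */
    memcpy(root, home, rootlen);
    root[rootlen] = '\0';
    strcpy(inside, rest);
    return 1;
}

/* Enter the jail in the order that matters: chroot() while still root,
 * chdir() so the cwd lies inside the new root (a cwd left outside the
 * jail is the classic chroot escape), then drop privileges for good.
 * Must be called by a process still running as root; returns 0 on
 * success, -1 on failure, in which case the caller refuses the login. */
int enter_chroot(const char *root, const char *inside, uid_t uid, gid_t gid)
{
    if (chroot(root) != 0 || chdir(inside) != 0)
        return -1;
    /* supplementary groups should be cleared here too (setgroups) */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char root[256], inside[256];
    /* constructed sample passwd home entry, not a real account */
    int r = split_chroot_home("/home/jail/./bob", root, sizeof root,
                              inside, sizeof inside);
    if (r != 1) {
        fprintf(stderr, "not a chroot home\n");
        return 1;
    }
    printf("chroot to %s, then chdir to %s\n", root, inside);
    /* enter_chroot(root, inside, 1000, 1000); -- only works as root */
    return 0;
}
```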