chroot'd SFTP

Damien Miller djm at
Mon Jul 30 20:48:55 EST 2007

On Sun, 29 Jul 2007, Richard Storm wrote:

> Thanks for these 3rd party hacks! I don't trust them.
> There must be such feature in openssh out of box.
> So the most secure/easier method of giving sftp access to a porn collection is:
> Damien's sftp-server chroot patch, which I hope to see in openssh one day :)

The big problem with that patch is that it effectively allows non-root
users to chroot to a directory of their choice.

The only way I have come up with to get around this problem is to arrange
for sshd to execute subsystems with an additional supplementary group (say
"_sshd_subsys") and to make the setuid sftp-server mode 0710, but I haven't
properly thought through whether this will actually solve all the problems.

In the meantime, please treat my patch as unsupported and potentially dangerous.
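Two checks that follow from the message above, written here as an added example (not code from the thread, from the patch, or from OpenSSH): first, the "directory of their choice" hazard goes away only if every component of the chroot target is a root-owned directory that nobody else can write to, which is the rule OpenSSH's later ChrootDirectory option enforces; second, the proposed mode 0710 setuid sftp-server plus an "_sshd_subsys" supplementary group works because Unix permission classes are exclusive, so a user whose shell lacks that group falls through to the "other" bits and gets no execute permission at all. The directory tree, the gid 27 for _sshd_subsys and the stat results are constructed for the example.

```python
import errno
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the checks can run against a
# constructed tree instead of the live filesystem.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")

# Hypothetical gid for the "_sshd_subsys" group from the message.
SUBSYS_GID = 27

# Constructed sample tree: /srv/sftp/alice is a sane chroot target,
# /home/alice/jail is user-controlled, /srv/loose is root-owned but
# world-writable.
SAMPLE_TREE = {
    "/":                FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/home":            FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/home/alice":      FakeStat(stat.S_IFDIR | 0o755, 1000, 1000),
    "/home/alice/jail": FakeStat(stat.S_IFDIR | 0o755, 1000, 1000),
    "/srv":             FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/srv/sftp":        FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/srv/sftp/alice":  FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/srv/loose":       FakeStat(stat.S_IFDIR | 0o777, 0, 0),
}

# Constructed stat of the setuid sftp-server as the message proposes it:
# root-owned, group _sshd_subsys, mode 4710 (owner rwx, group x, other none).
SFTP_SERVER = FakeStat(stat.S_IFREG | stat.S_ISUID | 0o710, 0, SUBSYS_GID)


def sample_stat(path):
    """lstat() replacement backed by SAMPLE_TREE."""
    try:
        return SAMPLE_TREE[path]
    except KeyError:
        raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)


def chroot_path_is_safe(path, stat_fn=os.lstat):
    """
    Return (ok, reason). Every prefix of the absolute chroot target must be a
    directory owned by uid 0 and not writable by group or others. If any
    prefix fails, the user who controls that directory decides what the
    privileged helper will find once it has chrooted into it.
    """
    if not os.path.isabs(path):
        return False, "chroot path must be absolute"
    prefixes = ["/"]
    cur = ""
    for comp in [c for c in path.split("/") if c]:
        cur += "/" + comp
        prefixes.append(cur)
    for p in prefixes:
        try:
            st = stat_fn(p)
        except OSError as e:
            return False, f"{p}: {e.strerror}"
        if not stat.S_ISDIR(st.st_mode):
            return False, f"{p}: not a directory"
        if st.st_uid != 0:
            return False, f"{p}: owned by uid {st.st_uid}, not root"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, f"{p}: writable by group or others"
    return True, "ok"


def unix_may_exec(st, uid, gids):
    """
    Classic Unix DAC execute check. Exactly one permission class applies:
    owner if uid matches, else group if the file's gid is among the caller's
    groups, else other. Root needs only some execute bit to be set.
    """
    if uid == 0:
        return bool(st.st_mode & 0o111)
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def demo():
    """Run both checks over the constructed data and return the verdicts."""
    return {
        "chroot /srv/sftp/alice": chroot_path_is_safe("/srv/sftp/alice", sample_stat),
        "chroot /home/alice/jail": chroot_path_is_safe("/home/alice/jail", sample_stat),
        "chroot /srv/loose": chroot_path_is_safe("/srv/loose", sample_stat),
        # Process spawned by sshd for the subsystem carries the extra group.
        "subsystem exec": unix_may_exec(SFTP_SERVER, 1000, {1000, SUBSYS_GID}),
        # The same user's interactive shell does not.
        "shell exec": unix_may_exec(SFTP_SERVER, 1000, {1000}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Pass a real `os.lstat` (the default) to `chroot_path_is_safe` to audit a target on a live system; the walk deliberately uses `lstat` so a symlink anywhere on the path is rejected as "not a directory" rather than silently followed. The execute check is the part the message leaves open: it shows the 0710 arrangement gates the binary on group membership, but it says nothing about what a user can do with that binary once sshd has handed it to them, which is the question Damien says he has not thought through.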
