chroot'd SFTP

Damien Miller djm at mindrot.org
Mon Jul 30 20:48:55 EST 2007


On Sun, 29 Jul 2007, Richard Storm wrote:

> Thanks for these 3rd party hacks! I don't trust them.
> There must be such feature in openssh out of box.
> 
> So the most secure/easier method of giving sftp access to porn collection is:
> Damien's sftp-server chroot patch, which I hope to see in openssh one day :)
> http://marc.info/?l=openssh-unix-dev&m=116043792120525&w=2

The big problem with that patch is that it effectively allows non-root
users to chroot to a directory of their choice.

The only way I have come up with to get around this problem is to arrange
sshd to execute subsystems with an additional supplementary group (say
"_sshd_subsys") and to make the setuid sftp-server mode 0710, but I haven't
properly thought through whether this will actually solve all the problems
yet.

In the meantime please treat my patch as unsupported, potentially dangerous
code.

-d
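The layout proposed above (a setuid-root sftp-server that only members of an sshd-owned supplementary group may execute) can be modelled and audited with a few lines of Python. This is an added example, my own code and not part of the patch or of OpenSSH; the group name _sshd_subsys is taken from the mail, while the gid value, the file modes and the FileInfo records are constructed here for illustration.

```python
import stat
from dataclasses import dataclass

SUBSYS_GROUP = "_sshd_subsys"   # group name proposed in the mail
SUBSYS_GID = 2001               # constructed gid for that group (assumption)


@dataclass
class FileInfo:
    """Subset of os.stat() fields relevant to the exec-permission check."""
    mode: int   # full st_mode, including file type and setuid bit
    uid: int    # owner
    gid: int    # group


def audit_setuid_helper(info: FileInfo, subsys_gid: int) -> list:
    """Compare a setuid helper against the proposed layout.

    Returns a list of findings; an empty list means the file is
    setuid root, owned by the subsystem group, mode 0710 (4710 with
    the setuid bit), so only sshd-started subsystems can execute it.
    """
    findings = []
    perm = stat.S_IMODE(info.mode)
    if not stat.S_ISREG(info.mode):
        findings.append("not a regular file")
    if not perm & stat.S_ISUID:
        findings.append("setuid bit missing (helper cannot chroot at all)")
    if info.uid != 0:
        findings.append("not owned by root")
    if info.gid != subsys_gid:
        findings.append(f"group is not {SUBSYS_GROUP}")
    if perm & stat.S_IXOTH:
        findings.append("world-executable: any local user can invoke the chroot helper")
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if perm & 0o777 != 0o710:
        findings.append(f"permission bits are {perm & 0o777:04o}, expected 0710")
    return findings


def can_exec(info: FileInfo, uid: int, groups: set) -> bool:
    """Unix-style exec check: owner class, else group class, else other.

    Only one class applies, exactly as the kernel evaluates it; root may
    execute if any execute bit is set at all.
    """
    perm = stat.S_IMODE(info.mode)
    if uid == 0:
        return bool(perm & 0o111)
    if uid == info.uid:
        return bool(perm & stat.S_IXUSR)
    if info.gid in groups:
        return bool(perm & stat.S_IXGRP)
    return bool(perm & stat.S_IXOTH)


# Constructed sample files: the proposed layout and a conventional 4755 install.
PROPOSED = FileInfo(mode=stat.S_IFREG | stat.S_ISUID | 0o710, uid=0, gid=SUBSYS_GID)
WORLD_EXEC = FileInfo(mode=stat.S_IFREG | stat.S_ISUID | 0o755, uid=0, gid=0)

# Constructed process identities: a subsystem started by sshd carries the
# extra group; a user's interactive shell does not.
SUBSYSTEM_GROUPS = {1000, SUBSYS_GID}
SHELL_GROUPS = {1000}


def summarize(info: FileInfo) -> dict:
    """Collect the audit and both exec outcomes for one file."""
    return {
        "findings": audit_setuid_helper(info, SUBSYS_GID),
        "via_sshd_subsystem": can_exec(info, 1000, SUBSYSTEM_GROUPS),
        "via_user_shell": can_exec(info, 1000, SHELL_GROUPS),
    }


if __name__ == "__main__":
    for name, info in (("proposed 4710", PROPOSED), ("typical 4755", WORLD_EXEC)):
        print(name, summarize(info))
```

The interesting row is "via_user_shell": with the 0710 layout a user who logs in with a shell cannot run the helper directly and so cannot pick a chroot directory, whereas with a conventional 4755 setuid binary every local user can. Note that this only restricts who may start the helper; it says nothing about what the helper does once running, which is the part the mail says has not been thought through yet.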

