chroot'd SFTP
Damien Miller
djm at mindrot.org
Mon Jul 30 20:48:55 EST 2007
On Sun, 29 Jul 2007, Richard Storm wrote:
> Thanks for these 3rd party hacks! I don't trust them.
> There must be such a feature in openssh out of the box.
>
> So the most secure/easiest method of giving sftp access to porn collection is:
> Damien's sftp-server chroot patch, which I hope to see in openssh one day :)
> http://marc.info/?l=openssh-unix-dev&m=116043792120525&w=2

The big problem with that patch is that it effectively allows non-root
users to chroot to a directory of their choice.

The only way I have come up with to get around this problem is to arrange
for sshd to execute subsystems with an additional supplementary group (say
"_sshd_subsys") and to make the setuid sftp-server mode 0710, but I haven't
properly thought through whether this will actually solve all the problems
yet.

In the meantime please treat my patch as unsupported, potentially dangerous
code.

-d