djm at mindrot.org
Mon Jul 30 20:48:55 EST 2007
On Sun, 29 Jul 2007, Richard Storm wrote:
> Thanks for these 3rd party hacks! I don't trust them.
> There must be such a feature in openssh out of the box.
> So the most secure/easier method of giving sftp access to porn collection is:
> Damien's sftp-server chroot patch, which I hope to see in openssh one day :)
The big problem with that patch is that it effectively allows non-root
users to chroot to a directory of their choice.
The only way I have come up with to get around this problem is to arrange
for sshd to execute subsystems with an additional supplementary group (say
"_sshd_subsys") and to make the setuid sftp-server mode 0710, but I haven't
properly thought through whether this will actually solve all the problems.

In the meantime please treat my patch as unsupported, potentially dangerous