scp -t . - possible idea for additional parameter

Jefferson Ogata Jefferson.Ogata at
Thu Oct 11 04:07:49 EST 2007

On 10/10/07 16:30, Larry Becke wrote:
>> 1. Why do you think this change provides effective security?
> Specifying the starting directory, and not allowing the user to navigate above it effectively locks the user within that directory.

Yes, and...? What does that accomplish in terms of security,
specifically? I.e. what is the specific threat you are trying to protect

> chroot'ing should not be used as a security method, that's been clearly stated time and again.

chroot *can* be used as a security method, if done correctly, just as
virtualization *can* be used, along with any other mechanism that
effectively confines the domain of a process's activity, preferably at
the kernel level where there are fewer paths for circumvention.

Combine chroot with segregated filesystems mounted with combinations of
ro, nosuid, noexec, nodev and you can have very effective limits on user

Jefferson Ogata <Jefferson.Ogata at>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at>
"Never try to retrieve anything from a bear."--National Park Service
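
Added example, not part of the original message: a shell check that the filesystem backing a chroot directory carries the mount options named above (nosuid, nodev, noexec). The mount table is constructed sample data in /proc/mounts format, and the /srv/jail paths and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit mount options of the filesystem a chroot lives on.
# Table format follows /proc/mounts: device mountpoint fstype options dump pass

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/jail ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb2 /srv/jail/pub ext4 ro,nosuid,relatime 0 0'

# find_mount TABLE PATH -> prints "mountpoint options" for the longest mount
# point that contains PATH, i.e. the filesystem PATH actually resides on.
find_mount() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { best = 0 }
        {
            mp = $2
            # Match "/", an exact match, or a directory prefix ("/a" must not match "/ab").
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); out = mp " " $4 }
        }
        END { if (out != "") print out }'
}

# missing_opts TABLE PATH REQUIRED... -> prints required options that are
# absent (space separated); prints nothing when every option is present.
missing_opts() {
    table=$1; path=$2; shift 2
    opts=$(find_mount "$table" "$path" | awk '{print $2}')
    missing=
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;                               # option present
            *) missing="${missing:+$missing }$want" ;;    # option absent
        esac
    done
    printf '%s' "$missing"
}

# Report on two paths from the sample table.
for dir in /srv/jail /srv/jail/pub/incoming; do
    echo "$dir: missing [$(missing_opts "$SAMPLE_MOUNTS" "$dir" nosuid nodev noexec)]"
done
```

On a live system the first argument would be the contents of /proc/mounts; a nested mount such as /srv/jail/pub has its own options and does not inherit those of /srv/jail.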

More information about the openssh-unix-dev mailing list