ChrootDirectory on a per key basis

Teemu Ikonen tpikonen at gmail.com
Fri Nov 14 06:47:10 EST 2008


On Sun, Oct 26, 2008 at 5:06 PM, Teemu Ikonen <tpikonen at gmail.com> wrote:
> Damien Miller wrote:
>> No, letting users chroot to arbitrary directories introduces
>> serious security problems. Think about hard-linking /bin/su into
>> a chroot on the same filesystem where an attacker has filled in
>> a friendly /etc/passwd.
>
> OK, so adding chrootdir option to authorized keys is a bad idea.
>
> Another way to achieve my objective, which is additional sftp file access
> restrictions to connections authorized with certain keys, would be to modify
> sftp-server to accept a directory parameter. The authorized_keys could then
> have 'command="sftp-server -d /home/user/stuff"' option to restrict access
> to /home/user/stuff.

Hi again,

I implemented this in sftp-server.c, see the attached patch. The
access restriction is made by checking every received file argument
with a modified version of realpath() (named fakepath), which resolves
the given file name to a real path and fails if this path leads
outside of the directory given in the command line argument.

Comments on the patch (security and otherwise) would be very much welcome.

Teemu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: restricted-sftp.diff
Type: text/x-patch
Size: 11380 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20081113/d564f1b7/attachment-0001.bin 