ChrootDirectory on a per key basis

Teemu Ikonen tpikonen at gmail.com
Sun Jul 5 04:17:44 EST 2009


Hi,

Some months ago I posted a patch to sftp-server which allows
restriction of sftp access to a subdirectory via a command-line
parameter (see below).

I've now put the code for the patched sftp-server on gitorious for
people who are interested (if any :). The project is at
http://gitorious.org/jsftp-server and also contains a branch for
Debian packaging, for easy installation on Debian and Ubuntu.

Teemu


On Thu, Nov 13, 2008 at 9:47 PM, Teemu Ikonen<tpikonen at gmail.com> wrote:
> On Sun, Oct 26, 2008 at 5:06 PM, Teemu Ikonen <tpikonen at gmail.com> wrote:
>> Damien Miller wrote:
>>> No, letting users chroot to arbitrary directories introduces
>>> serious security problems. Think about hard-linking /bin/su into
>>> a chroot on the same filesystem where an attacker has filled in
>>> a friendly /etc/passwd.
>>
>> OK, so adding a chrootdir option to authorized_keys is a bad idea.
>>
>> Another way to achieve my objective, which is additional sftp file-access
>> restrictions for connections authorized with certain keys, would be to modify
>> sftp-server to accept a directory parameter. The authorized_keys file could then
>> have a 'command="sftp-server -d /home/user/stuff"' option to restrict access
>> to /home/user/stuff.
>
> Hi again,
>
> I implemented this in sftp-server.c; see the attached patch. The
> access restriction is made by checking every received file argument
> with a modified version of realpath() (named fakepath), which resolves
> the given file name to a real path and fails if this path leads
> outside of the directory given in the command line argument.
>
> Comments on the patch (security and otherwise) would be very much welcome.
>
> Teemu
>
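
The path-confinement check that the "-d <dir>" parameter and the fakepath()
description above rely on, written out as an added example. This is constructed
for this thread and is not Teemu's patch or OpenSSH code; the function names
(under_base, confine_path, run_demo) and the temporary tree it builds under
/tmp are assumptions of the example. It resolves the client-supplied path with
realpath(3) and accepts it only if the result is the base directory or lies
below it, with two details that a naive prefix comparison gets wrong: the
prefix match must stop at a path-component boundary (base /srv/stuff must not
admit /srv/stuffed), and a path whose last component does not exist yet (an
upload of a new file) is resolved via its parent directory instead of being
rejected outright.

```c
/* Constructed example for this thread; not code from Teemu's fakepath patch
 * or from OpenSSH.  It shows the check a "-d <dir>" option needs: resolve
 * the client's path with realpath(3) and refuse it unless the result is the
 * base directory or something below it. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define FAIL(e) do { errno = (e); return -1; } while (0)

/* 1 if `resolved` is `base` or lies below it.  Matching stops at a component
 * boundary, so base /srv/stuff does not admit /srv/stuffed. */
int under_base(const char *base, const char *resolved)
{
    size_t n = strlen(base);
    return strncmp(resolved, base, n) == 0 &&
           (resolved[n] == '\0' || resolved[n] == '/');
}

/* Canonicalise `path` and confirm it stays under `base`.  The last component
 * may not exist yet (uploads of new files), but then its parent must exist
 * and resolve under base and the leaf may not be "." or "..".  Returns 0 and
 * fills `out`, or -1 with errno set (EACCES for an escape attempt). */
int confine_path(const char *base, const char *path, char *out, size_t outlen)
{
    char rbase[PATH_MAX], rpath[PATH_MAX], copy[PATH_MAX], rparent[PATH_MAX];
    const char *parent, *leaf;
    char *slash;
    int n;

    if (realpath(base, rbase) == NULL)
        return -1;
    if (realpath(path, rpath) != NULL) {          /* existing file or dir */
        if (!under_base(rbase, rpath))
            FAIL(EACCES);
    } else if (errno == ENOENT) {                  /* missing leaf */
        if (strlen(path) >= sizeof copy)
            FAIL(ENAMETOOLONG);
        strcpy(copy, path);
        slash = strrchr(copy, '/');
        if (slash == NULL)      { parent = "."; leaf = copy; }
        else if (slash == copy) { parent = "/"; leaf = copy + 1; }
        else { *slash = '\0';     parent = copy; leaf = slash + 1; }
        if (*leaf == '\0' || !strcmp(leaf, ".") || !strcmp(leaf, ".."))
            FAIL(EACCES);
        if (realpath(parent, rparent) == NULL)     /* parent must exist */
            return -1;
        if (!under_base(rbase, rparent))
            FAIL(EACCES);
        n = snprintf(rpath, sizeof rpath, "%s%s%s", rparent,
                     strcmp(rparent, "/") ? "/" : "", leaf);
        if (n < 0 || (size_t)n >= sizeof rpath)
            FAIL(ENAMETOOLONG);
    } else {
        return -1;                                 /* ELOOP, EACCES, ... */
    }
    if (strlen(rpath) >= outlen)
        FAIL(ENAMETOOLONG);
    strcpy(out, rpath);
    return 0;
}

/* Self-test on a constructed tree under a fresh mkdtemp(3) directory T:
 * T/secret, T/stuff/ (the base), T/stuff/sub/, T/stuffed/ (a sibling) and
 * T/stuff/escape -> ../secret.  Returns how many of the six checks behaved
 * as expected (6 when all pass), or -1 if the tree could not be built.
 * The tree is left behind for inspection. */
int run_demo(void)
{
    char t[] = "/tmp/confineXXXXXX", base[PATH_MAX], rbase[PATH_MAX];
    char p[PATH_MAX], out[PATH_MAX];
    FILE *f;
    int ok = 0;

    if (mkdtemp(t) == NULL)
        return -1;
    snprintf(base, sizeof base, "%s/stuff", t);
    snprintf(p, sizeof p, "%s/sub", base);
    if (mkdir(base, 0700) || mkdir(p, 0700) || realpath(base, rbase) == NULL)
        return -1;
    snprintf(p, sizeof p, "%sed", base);
    if (mkdir(p, 0700))
        return -1;
    snprintf(p, sizeof p, "%s/secret", t);
    if ((f = fopen(p, "w")) == NULL)
        return -1;
    fclose(f);
    snprintf(p, sizeof p, "%s/escape", base);
    if (symlink("../secret", p))
        return -1;

    snprintf(p, sizeof p, "%s/sub", base);                 /* inside, exists */
    ok += confine_path(base, p, out, sizeof out) == 0;
    snprintf(p, sizeof p, "%s/sub/new.txt", base);         /* inside, new */
    ok += confine_path(base, p, out, sizeof out) == 0 && under_base(rbase, out);
    snprintf(p, sizeof p, "%s/sub/../../secret", base);    /* .. traversal */
    ok += confine_path(base, p, out, sizeof out) == -1;
    snprintf(p, sizeof p, "%s/escape", base);              /* symlink out */
    ok += confine_path(base, p, out, sizeof out) == -1;
    snprintf(p, sizeof p, "%sed", base);                   /* prefix sibling */
    ok += confine_path(base, p, out, sizeof out) == -1;
    snprintf(p, sizeof p, "%s/nodir/new.txt", base);       /* missing parent */
    ok += confine_path(base, p, out, sizeof out) == -1;
    return ok;
}

int main(void)
{
    int ok = run_demo();
    printf("%d of 6 checks behaved as expected\n", ok);
    return ok == 6 ? 0 : 1;
}
```

One caveat that applies to any check of this shape, independent of the patch:
it is a check-then-use sequence on names. If the client can create symlinks
inside the directory (an sftp user normally can), a component can be replaced
with a symlink between the realpath() call and the later open(), so the
resolved path the check saw is not necessarily the one the open follows. A
server that relies on a check like this should either refuse to create
symlinks, operate on the canonical path it computed rather than the original
name, or do the file operations from a process that cannot see anything
outside the base at all, which is what ChrootDirectory gives you.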


More information about the openssh-unix-dev mailing list