ChrootDirectory on a per key basis

Teemu Ikonen tpikonen at
Sun Jul 5 04:17:44 EST 2009


Some months ago I posted a patch to sftp-server which allows
restriction of the sftp access to a subdirectory with a command line
parameter (see below).

I've now put the code for the patched sftp-server to gitorious for
people who are interested (if any :). The project is at and also contains a branch for
Debian packaging, for easy installation to Debian and Ubuntu.


On Thu, Nov 13, 2008 at 9:47 PM, Teemu Ikonen<tpikonen at> wrote:
> On Sun, Oct 26, 2008 at 5:06 PM, Teemu Ikonen <tpikonen at> wrote:
>> Damien Miller wrote:
>>> No, letting users chroot to arbitrary directories introduces
>>> serious security problems. Think about hard-linking /bin/su into
>>> a chroot on the same filesystem where an attacker has filled in
>>> a friendly /etc/passwd.
>> OK, so adding chrootdir option to authorized keys is a bad idea.
>> Another way to achieve my objective, which is additional sftp file access
>> restrictions to connections authorized with certain keys, would be to modify
>> sftp-server to accept a directory parameter. The authorized_keys could then
>> have 'command="sftp-server -d /home/user/stuff"' option to restrict access
>> to /home/user/stuff.
> Hi again,
> I implemented this in sftp-server.c, see the attached patch. The
> access restriction is made by checking every received file argument
> with a modified version of realpath() (named fakepath), which resolves
> the given file name to a real path and fails if this path leads
> outside of the directory given in the command line argument.
> Comments on the patch (security and otherwise) would be very much welcome.
> Teemu

More information about the openssh-unix-dev mailing list