Questions about ChrootDirectory
Mike Kelly
mike at pair.com
Tue Feb 1 07:30:19 EST 2011
My apologizes if I'm asking on the wrong list, but where might be the
right place to find answers to my questions?
On Mon, 17 Jan 2011 10:40:58 -0500
Mike Kelly <mike at pair.com> wrote:
> Hello,
>
> I'm aware of the fact that ChrootDirectory requires that the target
> directory is root-owned, and I think I've mostly understood why that
> is necessary, at least within the context of someone who has full
> shell access. However, I am wondering if that possibility for
> privilege escalation still exists with a configuration like this:
>
> Match Group sftp
> ForceCommand internal-sftp
> ChrootDirectory %h
>
> Assuming some patch were applied to openssh to allow ChrootDirectory
> to work here on a non-root-owned home directory, wouldn't this mean
> that any user in the sftp group would only be able to manipulate files
> within their home directory, and nothing else? Is there some potential
> for privilege escalation or execution of commands that I've missed?
>
> And, just to confirm, am I correct in understanding that scp will not
> work with this configuration, since scp wants a shell?
>
> Thanks.
>
--
Mike Kelly
More information about the openssh-unix-dev
mailing list