Questions about ChrootDirectory

Mike Kelly mike at pair.com
Tue Feb 1 07:30:19 EST 2011


My apologies if I'm asking on the wrong list, but where might be the
right place to find answers to my questions?

On Mon, 17 Jan 2011 10:40:58 -0500
Mike Kelly <mike at pair.com> wrote:

> Hello,
> 
> I'm aware of the fact that ChrootDirectory requires that the target
> directory is root-owned, and I think I've mostly understood why that
> is necessary, at least within the context of someone who has full
> shell access. However, I am wondering if that possibility for
> privilege escalation still exists with a configuration like this:
> 
> Match Group sftp
>   ForceCommand internal-sftp
>   ChrootDirectory %h
> 
> Assuming some patch were applied to openssh to allow ChrootDirectory
> to work here on a non-root-owned home directory, wouldn't this mean
> that any user in the sftp group would only be able to manipulate files
> within their home directory, and nothing else? Is there some potential
> for privilege escalation or execution of commands that I've missed?
> 
> And, just to confirm, am I correct in understanding that scp will not
> work with this configuration, since scp wants a shell?
> 
> Thanks.
> 



-- 
Mike Kelly
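One way to check the ownership requirement the question refers to, as an added example that is not part of the thread: a POSIX shell function that walks every component of a prospective ChrootDirectory (for the `%h` config above, the user's home directory) and reports any component that is not root-owned or is group/world writable, which is the condition sshd enforces before it chroots. The function name and output format are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. sshd refuses a ChrootDirectory
# unless every path component from / down to the target is owned by root
# and is not writable by group or others; this applies with
# "ForceCommand internal-sftp" too. check_chroot_path prints each
# violation and returns 0 only when the whole path passes (Linux stat).

check_chroot_path() {
    target=$1
    # Resolve symlinks so we check the path as it is on disk.
    dir=$(cd "$target" 2>/dev/null && pwd -P) || {
        echo "not a directory: $target"
        return 1
    }
    rc=0
    path=$dir
    while :; do
        # "%u %a" -> numeric owner uid and octal mode, e.g. "0 755"
        info=$(stat -c '%u %a' "$path") || return 1
        uid=${info% *}
        mode=${info#* }
        # Octal digits are read as decimal digits: last = others,
        # second to last = group; bit 2 in each is the write bit.
        others=$(( mode % 10 ))
        group=$(( (mode / 10) % 10 ))
        if [ "$uid" -ne 0 ]; then
            echo "$path: not owned by root (uid $uid)"
            rc=1
        fi
        if [ $(( (group & 2) | (others & 2) )) -ne 0 ]; then
            echo "$path: writable by group or others (mode $mode)"
            rc=1
        fi
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: check_chroot_path /home/alice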


More information about the openssh-unix-dev mailing list