Questions about ChrootDirectory
Damien Miller
djm at mindrot.org
Tue Feb 1 10:29:20 EST 2011
The considerations relating to root-ownership of the ChrootDirectory have
been discussed quite extensively on this list before; please check the
archives.
On Mon, 31 Jan 2011, Mike Kelly wrote:
> My apologies if I'm asking on the wrong list, but where might be the
> right place to find answers to my questions?
>
> On Mon, 17 Jan 2011 10:40:58 -0500
> Mike Kelly <mike at pair.com> wrote:
>
> > Hello,
> >
> > I'm aware of the fact that ChrootDirectory requires that the target
> > directory is root-owned, and I think I've mostly understood why that
> > is necessary, at least within the context of someone who has full
> > shell access. However, I am wondering if that possibility for
> > privilege escalation still exists with a configuration like this:
> >
> > Match Group sftp
> > ForceCommand internal-sftp
> > ChrootDirectory %h
> >
> > Assuming some patch were applied to openssh to allow ChrootDirectory
> > to work here on a non-root-owned home directory, wouldn't this mean
> > that any user in the sftp group would only be able to manipulate files
> > within their home directory, and nothing else? Is there some potential
> > for privilege escalation or execution of commands that I've missed?
> >
> > And, just to confirm, am I correct in understanding that scp will not
> > work with this configuration, since scp wants a shell?
> >
> > Thanks.
> >
>
> --
> Mike Kelly
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
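One way to check the root-ownership rule this thread refers to, as an added example that is not from the list or from OpenSSH itself: a small POSIX shell script that walks a candidate ChrootDirectory up to / and flags any component that is not owned by root or is group- or world-writable, which is the condition sshd enforces before it will chroot. The function names check_chroot_path and chroot_component_ok are assumptions, and `stat -c` requires GNU or busybox stat.

```shell
#!/bin/sh
# check_chroot_path.sh: verify that a prospective ChrootDirectory meets the
# ownership rule sshd enforces: every component of the path, from / down to
# the chroot itself, must be owned by root (uid 0) and must not be writable
# by group or others. Hypothetical helper written for this thread, not part
# of OpenSSH.

# Pure decision rule on a numeric uid and an octal mode string (as printed by
# `stat -c '%u %a'`). Returns 0 when acceptable, 1 otherwise.
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 022 masks the group-write and other-write bits; the leading 0 makes the
    # mode string an octal constant in shell arithmetic.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Walk from the given directory up to / and apply the rule at each level.
# Reports the first offending component; returns 0 only if every level passes.
check_chroot_path() {
    dir=$1
    p=$(cd "$dir" 2>/dev/null && pwd -P) || {
        echo "not a directory: $dir" >&2
        return 1
    }
    while :; do
        # GNU/busybox stat: %u = numeric owner uid, %a = octal permission bits
        info=$(stat -c '%u %a' "$p") || return 1
        set -- $info
        if ! chroot_component_ok "$1" "$2"; then
            echo "unsafe chroot component: $p (uid $1, mode $2)" >&2
            return 1
        fi
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return 0
}

# Usage: sh check_chroot_path.sh /home/alice
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "ok: $1 is an acceptable ChrootDirectory"
fi
```

Run it against each user's home before enabling `ChrootDirectory %h`; a home directory owned by the user, as in the quoted question, will be reported as unsafe at its own level.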