Questions about ChrootDirectory

Mike Kelly mike at pair.com
Tue Jan 18 02:40:58 EST 2011


Hello,

I'm aware of the fact that ChrootDirectory requires that the target
directory is root-owned, and I think I've mostly understood why that is
necessary, at least within the context of someone who has full shell
access. However, I am wondering if that possibility for privilege
escalation still exists with a configuration like this:

Match Group sftp
  ForceCommand internal-sftp
  ChrootDirectory %h

Assuming some patch were applied to openssh to allow ChrootDirectory to
work here on a non-root-owned home directory, wouldn't this mean that
any user in the sftp group would only be able to manipulate files
within their home directory, and nothing else? Is there some potential
for privilege escalation or execution of commands that I've missed?

And, just to confirm, am I correct in understanding that scp will not
work with this configuration, since scp wants a shell?

Thanks.

-- 
Mike Kelly


More information about the openssh-unix-dev mailing list