chroot directory ownership

Dag-Erling Smørgrav des at des.no
Wed Feb 22 00:13:45 EST 2012


"Dmitry V. Levin" <ldv at altlinux.org> writes:
> Most likely, this was made to ensure that the chroot directory itself is
> not writable and cannot be made writable by the user, to avoid various
> kinds of attacks.

Sure, but *which* attacks?

Currently, if I don't want sftp-only users to see each other's home
directories, I have to have two levels of directories: /home/$USER owned
by root and /home/$USER/$USER owned by the user.  Alternatively (note: I
haven't tested this) I can chmod o-rw /home so users can't ls /home but
can still access /home/$USER, but they'll be able to tell whether other
directories exist because they will get EPERM instead of ENOENT.  Not a
big deal, perhaps, but wouldn't it be simpler if you could just chroot
users to their ~?

DES
-- 
Dag-Erling Smørgrav - des at des.no


More information about the openssh-unix-dev mailing list
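
The ownership requirement discussed in this message can be audited before pointing sshd at a directory. The following is an added example, not part of the original post and not OpenSSH code: it applies the rule documented for ChrootDirectory in sshd_config(5), that every component of the path must be a root-owned directory not writable by group or others. The function name and its `owner_uid` and `base` parameters are hypothetical, added so the check can be tried on a scratch tree.

```python
import os
import stat
import sys


def chroot_path_problems(path, owner_uid=0, base="/"):
    """Return (component, reason) pairs that violate the chroot ownership rule.

    Every component from `base` down to `path` must be a directory owned by
    `owner_uid` and not writable by group or others. The defaults describe
    the real rule (uid 0, checked from /); other values are for test trees.
    Symlinks are resolved first, which is a simplification of this example.
    """
    path = os.path.realpath(path)
    base = os.path.realpath(base)
    if os.path.commonpath([path, base]) != base:
        raise ValueError(f"{path} is not below {base}")

    # Build the list base, base/a, base/a/b, ... down to path.
    components = [base]
    rel = os.path.relpath(path, base)
    if rel != ".":
        for name in rel.split(os.sep):
            components.append(os.path.join(components[-1], name))

    problems = []
    for comp in components:
        st = os.stat(comp)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != owner_uid:
            problems.append((comp, f"owned by uid {st.st_uid}"))
        if st.st_mode & 0o022:
            mode = stat.filemode(st.st_mode)
            problems.append((comp, f"group/other writable ({mode})"))
    return problems


if __name__ == "__main__":
    # Usage: python3 check_chroot.py /home/alice [/home/bob ...]
    for target in sys.argv[1:]:
        found = chroot_path_problems(target)
        print(target, "OK" if not found else found)
```

With the two-level layout from the message, the root-owned /home/$USER passes, while the user-owned /home/$USER/$USER is reported as having the wrong owner.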