chroot directory ownership
Dag-Erling Smørgrav
des at des.no
Wed Feb 22 00:13:45 EST 2012
"Dmitry V. Levin" <ldv at altlinux.org> writes:
> Most likely, this was made to ensure that the chroot directory itself is
> not writable and cannot be made writable by the user, to avoid various
> kinds of attacks.
Sure, but *which* attacks?
Currently, if I don't want sftp-only users to see eachother's home
directories, I have to have two levels of directories: /home/$USER owned
by root and /home/$USER/$USER owned by the user. Alternatively (note: I
haven't tested this) I can chmod o-rw /home so users can't ls /home but
can still access /home/$USER, but they'll be able to tell whether other
directories exist because they will get EPERM instead of ENOENT. Not a
big deal, perhaps, but wouldn't it be simpler if you could just chroot
users to their ~?
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the openssh-unix-dev
mailing list