ChrootDirectory per SSH Subsystem?

John Olsson M john.m.olsson at ericsson.com
Fri Jan 20 18:29:40 EST 2012


Thank you! I'll look into your suggestion to see if it is good-enough short-term solution for us or not.

-----Original Message-----
From: Ángel González [mailto:keisial at gmail.com] 
Sent: den 19 januari 2012 22:38
To: John Olsson M
Cc: 'openssh-unix-dev at mindrot.org'
Subject: Re: ChrootDirectory per SSH Subsystem?

El 19/01/12 17:16, John Olsson M wrote:
>> Place a couple of wrappers around the commands, doing the chroot for you?
> Hmmm. I'm not sure I follow you. Our command shell (which is not like a standard *nix shell) needs to operate in a non-chrooted environment. But the file system shown by the SFTP subsystem needs to operate in a chrooted environment and only expose that subset of directories and files.
(...)
What I was proposing was that you would have something like:
Subsystem sftp /usr/local/libexec/cliss-sftp-server

With cliss-sftp-server doing something like:
# create the per-user mount point, mount the user's view of the file
# system into it if that has not been done yet, then chroot into it as
# that user and hand off to the stock sftp-server
mkdir -p "/tmp/cliss-mount-$USER"
test -d "/tmp/cliss-mount-$USER/bin" || sudo -u "$USER" cliss.mount none "/tmp/cliss-mount-$USER" || exit 1
exec chroot --userspec="$USER" "/tmp/cliss-mount-$USER" /usr/libexec/ssh/sftp-server

(it can't be implemented as a shell script, since you would want to make it suid, but you get the idea)
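Since the mail notes that a set-uid wrapper cannot be a shell script, here is an added sketch of the same wrapper in C. It is not code from the thread or from OpenSSH, and it assumes the paths used above (/tmp/cliss-mount-<user> and /usr/libexec/ssh/sftp-server) and that the cliss.mount step has already been done for the user. Two points a privileged wrapper should get right that the shell sketch glosses over: the user name is taken from the real uid via getpwuid(), not from the $USER environment variable, because a set-uid program must not trust its environment; and after chroot() the wrapper drops supplementary groups, gid and uid (in that order), verifies the drop stuck, and execs sftp-server with an empty environment. The helper names (valid_username, build_mount_path, drop_privileges) are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed locations, taken from the mail above, not from any project. */
#define MOUNT_BASE  "/tmp/cliss-mount-"
#define SFTP_SERVER "/usr/libexec/ssh/sftp-server"

/* Accept only a conservative user-name alphabet so the name can be
 * spliced into a path without "../" or separator tricks. */
int valid_username(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build "/tmp/cliss-mount-<user>" into buf.
 * Returns 0 on success, -1 if the name is invalid or buf is too small. */
int build_mount_path(const char *user, char *buf, size_t buflen)
{
    if (!valid_username(user))
        return -1;
    int n = snprintf(buf, buflen, "%s%s", MOUNT_BASE, user);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Drop root: supplementary groups first, then gid, then uid, and check
 * that the drop is irreversible (setuid(0) must fail afterwards). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1; /* still able to regain root: refuse to continue */
    return 0;
}

int main(void)
{
    /* Identify the caller by real uid, never by $USER. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        fprintf(stderr, "unknown uid %lu\n", (unsigned long)getuid());
        return 1;
    }

    char root[PATH_MAX];
    if (build_mount_path(pw->pw_name, root, sizeof root) != 0) {
        fprintf(stderr, "refusing user name '%s'\n", pw->pw_name);
        return 1;
    }

    /* The per-user mount (cliss.mount in the mail) is assumed to exist.
     * Insist on a root-owned directory so the user cannot swap it out. */
    struct stat st;
    if (stat(root, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != 0) {
        fprintf(stderr, "%s is missing or not a root-owned directory\n", root);
        return 1;
    }

    /* chroot, then chdir so the working directory is inside the new root. */
    if (chroot(root) != 0 || chdir("/") != 0) {
        perror("chroot");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }

    /* Hand off to sftp-server with a scrubbed environment. */
    char *const argv[] = { "sftp-server", NULL };
    char *const envp[] = { NULL };
    execve(SFTP_SERVER, argv, envp);
    perror("execve");
    return 1;
}
```

Installed set-uid root and named as the Subsystem in sshd_config, the wrapper runs once per SFTP session; the interactive command shell configured as the user's login shell is unaffected, which is the split the original question asked for.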


