sftp chroot requirements

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat May 2 10:05:35 AEST 2015

On Fri 2015-05-01 18:23:20 -0400, Peter Stuge wrote:
> Stephan Leemburg wrote:
>> I did not find any clues when 'googling' and could not find any search 
>> options on the archives.
> Try harder: http://marc.info/?l=openssh-unix-dev

This feels kind of rude.  The OP has already stated that he failed at
searching, and folks on this list seem to know the answer and not give
it to him.

This is obviously a FAQ, so we should have a clear and concise writeup
about why it is the way it is, maybe with pointers to other details if
people want more depth.

Here's a point from Jefferson Ogata:


Here's another variant (slightly different) by Roman Fiedler:


And another answer by Ángel_González:


that last thread has further discussion from Damien Miller as well.

The basic concern is that (someone correct me if i'm off-base here) when
/ is writable, pretty much any deliberate privilege-escalation mechanism
(setuid binaries is the obvious example -- are there others?) is likely
to be exploitable by whoever can write to /.  This is because most tools
designed to do limited privilege escalation limit how their increased
capabilities can be invoked by some sort of check in the filesystem,
whether that's a dynamically-linked binary starting up with a
compromised ld-linux.so.2; a modified /etc/shadow, /etc/group, or
/etc/fstab, or some other mechanism.

Perhaps a brief writeup (feel free to start from the above paragraph if
it's not horribly wrong) could be added to the FAQ so that we have
someplace concrete to point people the next time this comes up?


this seems at least as frequently-asked as question 2.4 - "Why does
OpenSSH print: Dispatch protocol error: type 20" ;)

Happy hacking,

