sftp chroot requirements

Stephan Leemburg sleemburg at hachimitsu.nl
Sat May 2 23:05:44 AEST 2015

Hi Damien,

Thank you. I read the rationale.

Just to summarize, a user writeable chroot target is considered 
dangerous if:

1) the user has another way of gaining non-chrooted access to the system
2) is able to create hardlinks to setuid-binaries outside of the chroot tree
3) there are bugs somewhere that allow privilige escalation or remote 
execution of other programs

While all these arguments are legitimate, as can be - indeed - seen in 
CVE-2009-2904, I believe that there are also other situations.

In our setup, we have users that currently only have vsftpd chrooted 
access. Their login shell is /sbin/nologin and they do not have any 
other way of accessing the system. So for this particular setup 1 and 2 
are not applicable.

I think 3 is not related to sftp chroot only, but in general.

So, in my opinion there are use cases that would not compromise security 
by having the last component of the chroot sftp directory be owned by 
the user.
If this could be a configurable option, then administrators that want to 
use such a setup could do so by explicitly allowing it.

Is that something you could live with? If so, can I create a patch and 
send it in?

Again, thank you for the pointers. I had trouble finding them with just 
plain search engine lookups.

Kind regards,

On 02-05-15 07:14, Damien Miller wrote:
> On Fri, 1 May 2015, Stephan Leemburg wrote:
>> I did not find any clues when 'googling' and could not find any search options
>> on the archives.
> http://marc.info/?t=122641302700006&r=1&w=2
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

More information about the openssh-unix-dev mailing list