Feature request: allow chrooted directory writable by others

Ramón García ramon.garcia.f at gmail.com
Mon Jul 15 20:24:30 AEST 2019


Hello, I am trying to set up a file server using the SFTP protocol with OpenSSH.

I am in trouble because sshd refuses to chroot to a directory that is
writable by users other than the owner.  I guess that this is to
prevent someone else from creating a .ssh/authorized_keys file and
impersonating the user. But we have configured an alternative
AuthorizedKeysFile. I also understand that a chroot user needs a
layout for login (/bin/bash, ...) or for executing the external
sftp-server, and that nobody should be allowed to change it. But for
an SFTP server that only serves files, using the internal-sftp server,
that should not be a problem.

Note that this is extremely restrictive in practice. Even if one is
very careful and only allows specific users to write (with ACLs),
OpenSSH refuses to chroot to that directory. And when one has to work
with a specified directory layout, required for compatibility with
existing applications, it makes it very hard to implement an SFTP file
server.

I would like to contribute a patch with an option
StrictModesChrootDirectory. That option could be documented with the
reasons why it should not be used.

Best regards.
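As an added illustration of the check the message is about (this is not OpenSSH code and not part of the original post): sshd walks every component of a ChrootDirectory path from / downwards and rejects the chroot if any component is not owned by root or is writable by group or others. The script below reproduces that walk so an administrator can see which component causes the refusal; the OWNER_UID parameter is an addition (default 0, i.e. root, as sshd requires) so the walk can be tried on a user-owned tree, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not OpenSSH code): reproduce the per-component test that
# sshd applies to a ChrootDirectory path. Every directory from / down to
# the chroot must be owned by root and must not be group/other writable.
# OWNER_UID is an extra parameter (default 0 = root, as sshd does) so the
# walk can be exercised on a user-owned tree. Requires GNU stat (-c).
#
# The sshd_config setup this relates to (standard directives):
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp

# check_component PATH OWNER_UID: return 0 if PATH is a directory owned
# by OWNER_UID and not writable by group/others; else print why, return 1.
check_component() {
    p=$1; want=$2
    [ -d "$p" ] || { echo "$p: not a directory"; return 1; }
    uid=$(stat -c %u "$p") || return 1
    perms=$(stat -c %A "$p") || return 1      # e.g. drwxr-xr-x
    if [ "$uid" != "$want" ]; then
        echo "$p: owned by uid $uid, expected $want"; return 1
    fi
    # character 6 is the group write bit, character 9 the others write bit
    case "$perms" in
        ?????w*|????????w*)
            echo "$p: writable by group or others ($perms)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [OWNER_UID]: walk DIR from / down and stop at the
# first component sshd would reject.
check_chroot_path() {
    dir=$1; owner=${2:-0}
    case "$dir" in
        /*) ;;
        *) echo "not an absolute path: $dir"; return 1 ;;
    esac
    cur=/
    check_component "$cur" "$owner" || return 1
    old_ifs=$IFS; IFS=/; set -- $dir; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur=${cur%/}/$comp
        check_component "$cur" "$owner" || return 1
    done
    echo "$dir: acceptable as ChrootDirectory"
    return 0
}
```

Run as root with only the path argument to reproduce sshd's own verdict, e.g. `check_chroot_path /srv/sftp/alice`.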
