Feature request: allow chrooted directory writable by others
Nico Kadel-Garcia
nkadel at gmail.com
Tue Jul 16 17:19:39 AEST 2019
On Mon, Jul 15, 2019 at 6:44 AM David Newall <openssh at davidnewall.com> wrote:
>
> On 15/7/19 7:54 pm, Ramón García wrote:
> > I am trying to setup a file server using the SFTP protocol with OpenSSH.
> >
> > I am in trouble because sshd refuses to chroot to a directory that is
> > writable by users other than the owner.
>
> I doubt that you need the root to be writeable. Put your files inside a
> globally writeable sub-directory. This allows you to have a dev, bin,
> lib, and whatever, within your chroot, without leaving yourself open
> someone tearing you a new one.
Being ale to write to root means being able to replace /etc/ and
/tmp/, and /proc, with non-root owned directories. It's very
dangerous.
Most of us accept being able to write to "/ome/username", where
"/home" is owned by root and prevents the deletion or relocation of
"/home/username", as sufficient. Or we accept a shared sftp workspace,
such as "/var/projectname"
> If somebody says, "but I need to write to root", your go-to answer is
> "no, you don't; and get off my lawn."
>
> Also, look at rssh.
rssh is not being maintained, sadly. If someone wants hooks for that,
I publish some updated chroot cage building tools for it, which I
built up for an employer who used a public scp and sftp upload site
rather than the FTPS site I recommended for them, which have been much
easier to set up.
More information about the openssh-unix-dev
mailing list