restrict file transfer in rsync, scp, sftp?

Bob Proulx bob at
Mon Nov 13 04:55:01 AEDT 2023

Carsten Andrich wrote:
> A while ago I used the following bubblewrap-based login shell to implement
> said Linux namespace and bind mount solution to give restricted shell access
> to a mostly trusted user. Using bwrap saves the perilous trouble of writing
> a safe setuid solution yourself. Could be extended by looking at
> $SSH_ORIGINAL_COMMAND to get the sftp/rsync behavior you're looking for.
> Obviously, no guarantees about its safety. For example, a "Subsystem sftp"
> directive in the sshd_config will bypass the login shell, IIRC.

This is one of those ideas that appears at first glance to be so very
different from my normal thinking such that it shakes my mental
foundations of how to look at the problem!  Which I appreciate very
much!  It is going to take me a little bit of time to process this
idea.  It's more clever than I can internalize all at once.

> (exec bwrap \
> ...
>         --file 11 /etc/passwd \
>         --file 12 /etc/group \
>         --file 13 /etc/bash.bashrc \
>         --file 14 /etc/hostname \
>         --file 15 /etc/localtime \
>         --file 16 /etc/nsswitch.conf \
>         --file 17 /etc/profile \
> ...
>     11< <(getent passwd $UID 65534) \
>     12< <(getent group $(id -g) 65534) \
>     13< <(cat /etc/bash.bashrc) \
>     14< <(cat /etc/hostname) \
>     15< <(cat /etc/localtime) \
>     16< <(cat /etc/nsswitch.conf) \
>     17< <(cat /etc/profile)

I did not realize the capability to namespace open file descriptors to
files was possible.  And here you are using it very cleverly to set up
the user accounts in the chroot.  That's very clever and very cool!

I have not been familiar with bubblewrap previously.  I see that in
the OS distribution being used that it is "new" in the grand scheme of
things and so would not have previously been available.  Which makes
this a good time to reevaluate technology and try new things.


More information about the openssh-unix-dev mailing list