sftp-server: add a chroot option

Eloi Benoist-Vanderbeken eloi.benoist-vanderbeken at synacktiv.com
Wed Feb 25 22:31:53 AEDT 2026


Dear list,

A bit like the "sftp-server: add a flag to call unveil on starting directory" thread, I would like to add an option to chroot the sftp-server.

I am well aware that I could use ChrootDirectory with internal-sftp but that doesn't work for me. I need to set up the sftp server environment in a way that is incompatible with internal-sftp (I'm using environment variables configured in the authorized_keys file to restrict the server's view of the FS).

I'm launching my patched sftp-server from an unprivileged namespace in Linux so running as "root" is not a problem nor a security concern. Moreover, chroot should also work on all OpenSSH-supported systems (to the best of my knowledge).

I have created a very simple patch that works for me (attached to this e-mail); it might not be ready to be merged but I'll be happy to help get there :)

I've opened an issue on the bugtracker (https://bugzilla.mindrot.org/show_bug.cgi?id=3917) but the mailing list seems to be a better place to discuss this.

Kind regards,
-- 
Eloi Benoist-Vanderbeken
Synacktiv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sftp-server-chroot.patch
Type: text/x-patch
Size: 1938 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20260225/57eade51/attachment.bin>

