sftp-server: add a chroot option
Damien Miller
djm at mindrot.org
Thu Feb 26 16:46:58 AEDT 2026
On Wed, 25 Feb 2026, Eloi Benoist-Vanderbeken wrote:
> Dear list,
>
> A bit like the "sftp-server: add a flag to call unveil on starting directory" thread, I would like to add an option to chroot the sftp-server.
>
> I am well aware that I could use ChrootDirectory with internal-sftp but that doesn't work for me. I need to set up the sftp server environment in a way that is incompatible with internal-sftp (I'm using environment variables configured in the authorized_keys file to restrict the server's view of the FS).
>
> I'm launching my patched sftp-server from an unprivileged namespace in Linux so running as "root" is not a problem nor a security concern. Moreover, chroot should also work on all openssh supported systems (to the best of my knowledge).
Maybe for Linux a sftp-server that runs in a namespace would be more
idiomatic? Assuming a nice way to configure and customise the namespace
according to the user, etc.
Put another way: why chroot when better containment capabilities exist
via namespaces?
-d