sftp-server: add a chroot option
Eloi Benoist-Vanderbeken
eloi.benoist-vanderbeken at synacktiv.com
Thu Feb 26 21:56:56 AEDT 2026
Hi Jochen,
> If I understand correctly, you have to create a "fully equipped" chroot
> tree (with copies of all used libraries, $CHROOT/etc/passwd and
> $CHROOT/etc/group for proper "ls -l" output, maybe a $CHROOT/dev/log
> with the syslogd doing an extra LISTEN on it so as to have working
> logging, yadda yadda), anyway.
No, not at all, I call chroot when the process is initialized, so
sftp-server already had the opportunity to open whatever it needs and now
only sees what the sftp user should be able to access (and not the
sftp-server executable nor /etc).
It's almost the same as the ChrootDirectory option with internal-sftp.
That's also why I proposed it.
Kind regards,
--
Eloi Benoist-Vanderbeken
Synacktiv
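The ordering Eloi describes (do all initialization that needs the real filesystem, then chroot, so the jail tree needs no libraries, no /etc and no /dev/log) is shown in the added C example below. This is illustration code written for this page, not OpenSSH's sftp-server or the proposed patch; `sftp_enter_jail`, `struct sftp_ctx` and the temporary jail directory are assumptions made for the demo. The constructed log file stands in for a syslog socket, and chroot(2) still needs root or CAP_SYS_CHROOT, so the function reports that case instead of aborting.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical per-session state: everything the server still needs after
 * chroot is resolved or opened here, while the host filesystem is reachable. */
struct sftp_ctx {
    char owner_name[64];  /* user name for the uid, as "ls -l" output would need it */
    int  log_fd;          /* pre-opened log destination; stands in for /dev/log */
    int  chrooted;        /* 1 once chroot(2) + chdir("/") succeeded */
};

/* Resolve the name now; after chroot there is no /etc/passwd to consult. */
static void cache_owner_name(struct sftp_ctx *c, uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    snprintf(c->owner_name, sizeof c->owner_name, "%s", pw ? pw->pw_name : "?");
}

/* Returns 0 when jailed, 1 when chroot is not permitted (unprivileged caller),
 * -1 on any other error. Order is the whole point: lookups and opens first,
 * chroot second, chdir("/") immediately after so the cwd cannot leak out. */
int sftp_enter_jail(struct sftp_ctx *c, const char *root, const char *log_path, uid_t uid)
{
    memset(c, 0, sizeof *c);
    cache_owner_name(c, uid);
    c->log_fd = open(log_path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (c->log_fd < 0)
        return -1;
    if (chroot(root) != 0)
        return errno == EPERM ? 1 : -1;
    if (chdir("/") != 0)   /* without this the old cwd is still outside the jail */
        return -1;
    c->chrooted = 1;
    return 0;
}

/* After the jail is entered the host's /etc must be gone: 1 if still reachable. */
int host_etc_reachable(void)
{
    int fd = open("/etc/passwd", O_RDONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Logging keeps working through the descriptor opened before chroot, even
 * though the log path no longer exists from the jailed process's view. */
int jail_log(struct sftp_ctx *c, const char *msg)
{
    size_t len = strlen(msg);
    return write(c->log_fd, msg, len) == (ssize_t)len ? 0 : -1;
}

/* Demo driver: build an empty directory (constructed input) and jail into it. */
int run_demo(struct sftp_ctx *c)
{
    const char *base = getenv("TMPDIR");
    char tmpl[256], logp[300];
    snprintf(tmpl, sizeof tmpl, "%s/sftp-jail-XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(tmpl))
        return -1;
    snprintf(logp, sizeof logp, "%s.log", tmpl);  /* log lives outside the jail */
    return sftp_enter_jail(c, tmpl, logp, getuid());
}

int main(void)
{
    struct sftp_ctx c;
    int rc = run_demo(&c);
    printf("chroot rc=%d owner=%s chrooted=%d host /etc reachable=%d\n",
           rc, c.owner_name, c.chrooted, host_etc_reachable());
    jail_log(&c, "session started inside jail\n");
    return rc < 0;
}
```

Run it as root (or with CAP_SYS_CHROOT) to see the jailed branch: the owner name is still known and the log write still succeeds, yet /etc/passwd is no longer reachable. Unprivileged it reports rc=1, which is exactly why a chroot option inside sftp-server needs to run before privileges are dropped, as sshd does for ChrootDirectory.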
-----Original Message-----
From: Jochen Bern <Jochen.Bern at binect.de>
To: openssh-unix-dev at mindrot.org
Subject: Re: sftp-server: add a chroot option
Date: 02/26/2026 10:27:09 AM
On 25.02.26 at 12:31, Eloi Benoist-Vanderbeken wrote:
> [...] I would like to add an option to chroot the sftp-server.
> I am well aware that I could use ChrootDirectory with internal-sftp
> but that doesn't work for me. [...]
If I understand correctly, you have to create a "fully equipped" chroot
tree (with copies of all used libraries, $CHROOT/etc/passwd and
$CHROOT/etc/group for proper "ls -l" output, maybe a $CHROOT/dev/log
with the syslogd doing an extra LISTEN on it so as to have working
logging, yadda yadda), anyway. If so, wouldn't wrapping the (unchanged)
sftp-server executable/process with the OS' chroot(1) command do the
trick already?
Kind regards,
--
Jochen Bern
Systems Engineer
Binect GmbH