sftp-server: add a flag to call unveil on starting directory
Damien Miller
djm at mindrot.org
Thu Jan 29 09:35:08 AEDT 2026
On Wed, 28 Jan 2026, Chris Rapier wrote:
> The main objection I can see to this is that it might require no small amount
> work on the portable branch to have this in other OSes as unveil seems to be
> limited to OpenBSD.
We could do something quite similar for linux using landlock
LANDLOCK_RULE_PATH_BENEATH.
OSX doesn't seem to expose anything we could use; their entitlements
system requires signed binaries.
For FreeBSD, this is potentially possible using Capsicum though there
might be an API impedence mismatch compared to unveil/landlock.
-d
More information about the openssh-unix-dev
mailing list