sftp-server: add a flag to call unveil on starting directory
Jochen Bern
Jochen.Bern at binect.de
Thu Jan 29 10:32:48 AEDT 2026
On 28/01/2026 21:54, s-k2 at caipora.net wrote:
> I would like to discuss whether it is possible to add an optional flag
> to sftp-server that uses unveil to restrict filesystem access to the
> starting directory and paths beneath it. [...] using an
> authorized_keys file like this:
>
> restrict="/usr/libexec/sftp-server -d /home/sk/music -U" MUSIC-DEV-KEY
I remember being told on this list that "sftp-server subprocess keeps
using the parent's open syslog device" is NOT an official feature, and
actually rather unexpected, of OpenSSH. (I'm using this on a
CentOS-based SFTP server to avoid creating a /dev/log in a couple
hundred chroot()ed $HOMEs and having the syslog daemon open-to-listen
them all.)
If so, and if unveil() is sufficiently similar to chroot(), this new
option would effectively hand every user a means to deny the sysadmins a
log of his activities: Just unveil() to a subtree of your choice where
no /dev/log is available.
(Also, if the maintainer of the server-side account can manhandle
/etc/passwd and /etc/group in a similar fashion, he could do interesting
misrepresentations to the client-side users in "ls -l" output.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
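The concern raised above is that a confined sftp-server (chroot() today, unveil() under the proposed flag) can only reach syslog if a /dev/log socket exists inside the subtree it is confined to. The following audit script is an added example written for this thread, not code from OpenSSH or from either poster: it parses the options field of authorized_keys lines, extracts the starting directory forced with `-d`, and reports whether that directory contains a `dev/log` socket. It assumes the `-U` switch quoted in the original mail (it is only the proposal, not a released sftp-server option), and it checks only that a socket object is present, not that a syslog daemon is actually listening on it.

```python
import os
import shlex
import shutil
import socket
import stat
import tempfile

# Flag-style options that carry no "=value" but still mark the field as options.
FLAG_OPTIONS = {"restrict", "no-pty", "no-port-forwarding", "no-agent-forwarding",
                "no-X11-forwarding", "no-user-rc", "pty", "port-forwarding"}


def parse_options(options: str) -> dict:
    """Split an authorized_keys options field into {name: value-or-None}.

    Values may be double-quoted and may contain commas and spaces; inside a
    quoted value a backslash escapes a double quote (sshd's syntax).
    """
    result, i, n = {}, 0, len(options)
    while i < n:
        j = i
        while j < n and options[j] not in "=,":      # option name
            j += 1
        name, value = options[i:j], None
        if j < n and options[j] == "=":
            j += 1
            if j < n and options[j] == '"':            # quoted value
                j, buf = j + 1, []
                while j < n and options[j] != '"':
                    if options[j] == "\\" and j + 1 < n and options[j + 1] == '"':
                        j += 1                         # \" -> literal quote
                    buf.append(options[j])
                    j += 1
                j += 1                                 # skip closing quote
                value = "".join(buf)
            else:                                      # bare value up to ','
                k = j
                while k < n and options[k] != ",":
                    k += 1
                value, j = options[j:k], k
        if name:
            result[name] = value
        if j < n and options[j] == ",":
            j += 1
        i = j
    return result


def split_options(line: str):
    """Return (options_field, rest_of_line); options_field is '' if none."""
    i, n, quoted = 0, len(line), False
    while i < n:
        c = line[i]
        if c == "\\" and quoted and i + 1 < n:
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        i += 1
    first, rest = line[:i], line[i:].strip()
    if "=" in first or "," in first or first in FLAG_OPTIONS:
        return first, rest
    return "", line


def forced_sftp_directory(options: str):
    """Starting directory passed to sftp-server via -d in any option value, or None."""
    for value in parse_options(options).values():
        if not value or "sftp-server" not in value:
            continue
        argv = shlex.split(value)
        for idx, arg in enumerate(argv):
            if arg == "-d" and idx + 1 < len(argv):
                return argv[idx + 1]
            if arg.startswith("-d") and len(arg) > 2:  # "-d/path" form
                return arg[2:]
    return None


def has_log_socket(root: str) -> bool:
    """True if <root>/dev/log exists and is a socket, so syslog() inside the
    confined subtree has somewhere to send its messages."""
    try:
        return stat.S_ISSOCK(os.stat(os.path.join(root, "dev", "log")).st_mode)
    except FileNotFoundError:
        return False


def audit_authorized_keys(lines):
    """Yield (key comment, forced directory, has_log_socket) for every line that
    confines sftp-server to a starting directory."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        directory = forced_sftp_directory(options) if options else None
        if directory is None:
            continue
        comment = rest.split()[-1] if rest.split() else "(no comment)"
        report.append((comment, directory, has_log_socket(directory)))
    return report


def demo():
    """Constructed demo: one confined subtree with a dev/log socket, one without."""
    base = tempfile.mkdtemp(prefix="sftp-log-")
    with_log, without_log = os.path.join(base, "music"), os.path.join(base, "photos")
    os.makedirs(os.path.join(with_log, "dev"))
    os.makedirs(without_log)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(os.path.join(with_log, "dev", "log"))    # stands in for syslogd's listener
    lines = [  # constructed sample lines, not a real key file
        f'restrict="/usr/libexec/sftp-server -d {with_log} -U" MUSIC-DEV-KEY',
        f'command="/usr/libexec/sftp-server -d {without_log}",no-pty '
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY PHOTOS-KEY',
    ]
    try:
        return audit_authorized_keys(lines)
    finally:
        sock.close()
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for comment, directory, ok in demo():
        print(f"{comment}: {directory} -> {'dev/log present' if ok else 'NO dev/log, syslog lost'}")
```

Run against the real `~/.ssh/authorized_keys` files, the third column tells you which confined accounts would leave no syslog trail; the fix on the logging side is the same as for chroot()ed homes, namely having the syslog daemon listen on an extra socket inside each subtree.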