sftp-server: add a flag to call unveil on starting directory

Damien Miller djm at mindrot.org
Fri Jan 30 09:16:13 AEDT 2026


On Thu, 29 Jan 2026, s-k2 at caipora.net wrote:

> On Thu, Jan 29, 2026 at 09:35:08AM +1100, Damien Miller wrote:
> > We could do something quite similar for linux using landlock
> > LANDLOCK_RULE_PATH_BENEATH.
> 
> I had hopes to bring that feature into the OpenBSD sftp-server without
> having to consider other platforms. But well, I made up a first draft
> of a patch for landlock support in portable OpenSSH.

oh, my comment wasn't intended to suggest that you should be the one
to do this. Thanks though.

> This is rough first version, could you please give me some input:
> 
> Does that follow the code guidelines/code organization rules?
> 
> Things to consider:
> - Landlock has subtle differences. It leaks the information if a file
>   exists (if the user has access to it) even if restrictions are
>   enabled. I don't know a way around that. unveil doesn't leak that
>   information, it just returns EACCES.
> - I need to fix the configure.am file, it currently just checks for
>   the presence of the header. But I have to check if the syscall is
>   defined as a normal function (which landlock.h doesn't do yet, but
>   this could lead to compile errors in the future)
> - I need to do more testing, I just compiled it and tried a few file
>   operations
> - I haven't adjusted the man page yet...
> 
> Feel free to comment on the patch below, I will try to incorporate
> that. But for now I need to know if that patch is the right direction.

I need to think about this a bit more, but it probably needs some
finessing.

In particular, completely breaking the home-directory extension
breaks a lot of common scp cases, but that could potentially be
solved by caching the struct passwd for the user before the unveil.

There might be other such corner cases (which is why I need to think
more), but I think this is a potentially useful change.

> To be honest, I have no clue how to make that work with Capsicum,
> maybe FreeBSD support could be delayed...

It's not necessary to worry about every platform. The community
often contributes features where the maintainers are lacking :)

-d

