sftp-server: add a flag to call unveil on starting directory

s-k2 at caipora.net s-k2 at caipora.net
Fri Jan 30 13:27:55 AEDT 2026


Hi Damien,

> oh, my comment wasn't intended to suggest that you should be the one
> to do this. Thanks though.

I thought that writing the landlock code would have a positive effect
on the acceptance of the OpenBSD code... ;)

> In particular, completely breaking the home-directory extension
> breaks a lot of common scp cases, but that could potentially be
> solved by caching the struct passwd for the user before the unveil.
> 
> There might be other such corner cases (which is why I need to think
> more), but I think this is a potentially useful change.

Thanks for taking care of those details. Though it is an optional
flag, it shouldn't break too many existing use cases.

Honestly, the tilde/homedir handling is really mind-blowing. When
writing my patch it took me some time to find all the relevant code
paths. My current understanding is:

1. expand-path at openssh command

 (a) ~ without username

   $ scp src myuser@remote:~/dst
   $ scp src myuser@remote:~/
   $ scp src myuser@remote:~

   - these expansions are done in sftp-server.c, lines 1538-1447
   - each occurrence of ~ is replaced with cwd
   - the passwd file is never read
   - changing the starting directory alters the expansion results
   - scp does a shortcut and expands on the client side
     (scp.c, lines 1310-1318)


 (b) ~myuser case

   $ scp src myuser@remote:~myuser/src
   $ scp src myuser@remote:~myuser/
   $ scp src myuser@remote:~myuser

   - done in tilde_expand() in misc.c, lines 1287-1307
   - expands to real home directory of user
   - the passwd file is always read
   - output does not change if starting directory is altered
   - ~myuser != ~ if starting directory is altered
   - usable via scp


 (c) ~otheruser

   $ scp src myuser@remote:~otheruser/src
   $ scp src myuser@remote:~otheruser/
   $ scp src myuser@remote:~otheruser

   - same code path as (b)
   - passwd file is always read to get other user's real homedir


2. home-directory command
  
   - passwd file is always read
   - different from expand-path ~ if starting directory is altered
   - not used by scp/sftp clients (have I overlooked something?)

This means that losing access to the passwd file would break 1b and
1c (both of them can be used with scp). But caching would only help
with 1b, unless the whole passwd file is cached.

The same applies for the home-directory command, but it is not used
by scp/sftp clients.

Kind regards,
Stefan
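The following is an added illustration, not code from OpenSSH or from the patch under discussion: a small C model of the three expansion cases listed in the message (bare `~` resolved against the starting directory with no passwd lookup; `~myuser` served from a `struct passwd` copy cached before the sandbox closes `/etc/passwd`; `~otheruser` still requiring a live `getpwnam()`). The names `cache_self`, `cache_self_from_passwd`, `expand_tilde` and the helper functions are invented for the example, and the `myuser` entry is constructed inline rather than read from a real passwd database.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Per-user cache standing in for "cache the struct passwd before the unveil".
 * It is filled while /etc/passwd is still readable; afterwards only the
 * logged-in user's own home can be resolved without the passwd database. */
struct self_cache {
	int  valid;
	char name[64];
	char home[1024];
};

static struct self_cache self_cache;

/* Remember name/home of the logged-in user. Returns 0 on success, -1 on overflow. */
int cache_self(const char *name, const char *home)
{
	if (strlen(name) >= sizeof(self_cache.name) ||
	    strlen(home) >= sizeof(self_cache.home))
		return -1;
	strcpy(self_cache.name, name);
	strcpy(self_cache.home, home);
	self_cache.valid = 1;
	return 0;
}

/* Same, but taken from the passwd database; must run before unveil/landlock. */
int cache_self_from_passwd(const char *name)
{
	struct passwd *pw = getpwnam(name);
	if (pw == NULL)
		return -1;
	return cache_self(pw->pw_name, pw->pw_dir);
}

/* expand_tilde: writes the expansion into out; returns 0, or -1 on unknown
 * user / overflow.
 *   "~", "~/rest"        -> cwd, cwd/rest        (case 1a, passwd never read)
 *   "~self", "~self/rest" -> cached home          (case 1b, served from cache)
 *   "~other/rest"         -> getpwnam(other)      (case 1c, needs passwd access) */
int expand_tilde(const char *path, const char *cwd, char *out, size_t outlen)
{
	const char *rest, *home;
	char user[64];
	size_t ulen;
	int n;

	if (path[0] != '~') {
		n = snprintf(out, outlen, "%s", path);
		return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
	}
	rest = strchr(path, '/');                        /* "/rest" or NULL */
	ulen = rest ? (size_t)(rest - path) - 1 : strlen(path) - 1;

	if (ulen == 0) {
		home = cwd;                              /* bare ~: starting directory */
	} else {
		if (ulen >= sizeof(user))
			return -1;
		memcpy(user, path + 1, ulen);
		user[ulen] = '\0';
		if (self_cache.valid && strcmp(user, self_cache.name) == 0) {
			home = self_cache.home;          /* no passwd access needed */
		} else {
			struct passwd *pw = getpwnam(user);
			if (pw == NULL)
				return -1;               /* unknown user, or passwd unreadable */
			home = pw->pw_dir;
		}
	}
	if (rest == NULL)
		rest = "";
	/* avoid "//rest" when home is "/" or ends with a slash */
	if (home[0] != '\0' && home[strlen(home) - 1] == '/' && rest[0] == '/')
		rest++;
	n = snprintf(out, outlen, "%s%s", home, rest);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Check helpers: does path expand to expected under cwd / does the lookup fail? */
int expands_to(const char *path, const char *cwd, const char *expected)
{
	char buf[2048];
	return expand_tilde(path, cwd, buf, sizeof(buf)) == 0 && strcmp(buf, expected) == 0;
}

int expand_fails(const char *path, const char *cwd)
{
	char buf[2048];
	return expand_tilde(path, cwd, buf, sizeof(buf)) == -1;
}

int main(void)
{
	const char *start = "/srv/uploads";      /* the altered starting directory */
	const char *cases[] = { "~", "~/dst", "~myuser", "~myuser/src", "~nosuchuser_zz9/src" };
	char buf[2048];

	cache_self("myuser", "/home/myuser");    /* constructed entry, as if read before unveil */
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		if (expand_tilde(cases[i], start, buf, sizeof(buf)) == 0)
			printf("%-22s -> %s\n", cases[i], buf);
		else
			printf("%-22s -> (lookup failed)\n", cases[i]);
	}
	return 0;
}
```

Running it shows the point of the message: with the starting directory set to `/srv/uploads`, `~` and `~/dst` land under that directory, `~myuser` still resolves to `/home/myuser` from the cache, and a `~otheruser` form falls through to `getpwnam()`, which is exactly the lookup that stops working once the passwd file is hidden.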

