sftp-server: add a chroot option
Eloi Benoist-Vanderbeken
eloi.benoist-vanderbeken at synacktiv.com
Wed May 20 19:05:21 AEST 2026
Hi list,
I apologize for following up again, but I would like to know what is needed
to move this request forward. Is there anything specific preventing this
patch from being merged?
Take care,
Eloi
On Fri, Apr 10, 2026 at 4:41 PM Eloi Benoist-Vanderbeken <
eloi.benoist-vanderbeken at synacktiv.com> wrote:
> vsftpd will not do the job for us (for several reasons that I won't bother
> you with).
> Why not merge this patch?
> --
> Eloi Benoist-Vanderbeken
> Synacktiv
> +33 (0)6 67 92 63 35
>
> -----Original Message-----
> From: Nico Kadel-Garcia <nkadel at gmail.com>
> To: Dirk-Willem van Gulik <dirkx at webweaving.org>
> Cc: Eloi Benoist-Vanderbeken <eloi.benoist-vanderbeken at synacktiv.com>,
> Jochen Bern <Jochen.Bern at binect.de>, openssh-unix-dev at mindrot.org
> Subject: Re: sftp-server: add a chroot option
> Date: 04/09/2026 08:09:21 PM
>
> For most uses, don't bother. The vsftpd daemon does a quite good job
> of chroot caging FTPS, with far less overhead maintaining it.
>
> On Wed, Apr 1, 2026 at 5:16 AM Dirk-Willem van Gulik
> <dirkx at webweaving.org> wrote:
> >
> > FWIIW - would love this go in !
> >
> > And this works cleanly for me on 14.3-RELEASE (fairly trivial setup
> where there is no shell or other access).
> >
> > Dw
> >
> > > On 1 Apr 2026, at 09:01, Eloi Benoist-Vanderbeken <
> eloi.benoist-vanderbeken at synacktiv.com> wrote:
> > >
> > > Hi list,
> > >
> > > Any news on this? It's a pretty simple patch and it should be harmless
> as it is very similar to ssh ChrootDirectory option.
> > > We can still think about the namespace option in the future but this
> implementation already offers a real security and usability advantage for
> most (all ?) of the platforms at almost no cost.
> > >
> > > Kind regards,
> > > --
> > > Eloi Benoist-Vanderbeken
> > > Synacktiv
> > > +33 (0)6 67 92 63 35
> > >
> > > Hi Jochen,
> > >
> > > > If I understand correctly, you have to create a "fully equipped"
> chroot
> > > > tree (with copies of all used libraries, $CHROOT/etc/passwd and
> > > > $CHROOT/etc/group for proper "ls -l" output, maybe a $CHROOT/dev/log
> > > > with the syslogd doing an extra LISTEN on it so as to have working
> > > > logging, yadda yadda), anyway.
> > >
> > > No, not at all, I call chroot when the process is initialized, so
> > > sftp-server already had the opportunity to open whatever it needs and
> now
> > > only sees what the sftp user should be able to access (and not the
> > > sftp-server executable nor /etc).
> > >
> > > It's almost the same than the ChrootDirectory option with
> internal-sftp.
> > > That's also why I proposed it.
> >
> > > Am 25.02.26 um 12:31 schrieb Eloi Benoist-Vanderbeken:
> > > > [...] I would like to add an option to chroot the sftp-server.
> > > > I am well aware that I could use ChrootDirectory with internal-sftp
> > > > but that doesn't work for me. [...]
> > >
> > > If I understand correctly, you have to create a "fully equipped" chroot
> > > tree (with copies of all used libraries, $CHROOT/etc/passwd and
> > > $CHROOT/etc/group for proper "ls -l" output, maybe a $CHROOT/dev/log
> > > with the syslogd doing an extra LISTEN on it so as to have working
> > > logging, yadda yadda), anyway. If so, wouldn't wrapping the (unchanged)
> > > sftp-server executable/process with the OS' chroot(1) command do the
> > > trick already?
> > diff --git a/sftp-server.c b/sftp-server.c
> > index b98c3cd41..d7677d199 100644
> > --- a/sftp-server.c
> > +++ b/sftp-server.c
> > @@ -1888,7 +1888,8 @@ sftp_server_usage(void)
> > extern char *__progname;
> >
> > fprintf(stderr,
> > - "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
> > + "usage: %s [-ehR] [-C chroot_directory] "
> > + "[-d start_directory] [-f log_facility] "
> > "[-l log_level]\n\t[-P denied_requests] "
> > "[-p allowed_requests] [-u umask]\n"
> > " %s -Q protocol_feature\n",
> > @@ -1902,7 +1903,7 @@ sftp_server_main(int argc, char **argv, struct
> passwd *user_pw)
> > int i, r, in, out, ch, skipargs = 0, log_stderr = 0;
> > ssize_t len, olen;
> > SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
> > - char *cp, *homedir = NULL, uidstr[32], buf[4*4096];
> > + char *cp, *homedir = NULL, *chrootdir = NULL, uidstr[32],
> buf[4*4096];
> > long mask;
> >
> > extern char *optarg;
> > @@ -1914,7 +1915,7 @@ sftp_server_main(int argc, char **argv, struct
> passwd *user_pw)
> > pw = pwcopy(user_pw);
> >
> > while (!skipargs && (ch = getopt(argc, argv,
> > - "d:f:l:P:p:Q:u:cehR")) != -1) {
> > + "d:f:l:P:p:Q:u:C:cehR")) != -1) {
> > switch (ch) {
> > case 'Q':
> > if (strcasecmp(optarg, "requests") != 0) {
> > @@ -1937,6 +1938,9 @@ sftp_server_main(int argc, char **argv, struct
> passwd *user_pw)
> > */
> > skipargs = 1;
> > break;
> > + case 'C':
> > + chrootdir = optarg;
> > + break;
> > case 'e':
> > log_stderr = 1;
> > break;
> > @@ -2022,6 +2026,16 @@ sftp_server_main(int argc, char **argv, struct
> passwd *user_pw)
> > if ((oqueue = sshbuf_new()) == NULL)
> > fatal_f("sshbuf_new failed");
> >
> > + if (chrootdir != NULL) {
> > + if (chdir(chrootdir) != 0) {
> > + fatal_f("chdir to \"%s\" failed: %s", chrootdir,
> > + strerror(errno));
> > + }
> > + if (chroot(chrootdir) != 0)
> > + fatal_f("chroot to \"%s\" failed: %s", chrootdir,
> > + strerror(errno));
> > + }
> > +
> > if (homedir != NULL) {
> > if (chdir(homedir) != 0) {
> > error("chdir to \"%s\" failed: %s", homedir,
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
More information about the openssh-unix-dev
mailing list