request for feature

Dirk.Lammers at Bertelsmann.de Dirk.Lammers at Bertelsmann.de
Wed Apr 30 21:09:10 EST 2008


Hi Damien,

thank you very much for your answer.

I have an existing filesystem structure with 500, partly nested, users
and for each user I'd like to insert a 'chroot base'. This will lead to a
very strange directory structure like

/chroot/u/uhome
/chroot/u1/u1home/u2/u2home/u3/u3home
/chroot/u1/u1home/u4/u4home
....


Doesn't look so good to me.


I don't understand what nasty things a user can do to his effective /
except destroying his own environment. And that would be a problem to
the user and not to the system.
A switch to enable non-root chroots would be nice and the sysadmin
should decide if he wants to enable it.

So please add this feature.

Apart from my request for a feature I'd like to thank you very much for
your work on OpenSSH, which proves the power and value of free software.


kind regards
Dirk 


-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org] 
Sent: Wednesday, 30 April 2008 12:07
To: Lammers, Dirk, NMI-DC
Cc: openssh-unix-dev at mindrot.org
Subject: Re: request for feature

On Tue, 29 Apr 2008, Dirk.Lammers at Bertelsmann.de wrote:

> 
> Dear developers,
> 
> I need the feature of separately jailed, user-writeable and
> user-owned home dirs very badly because I have an SFTP server with
> 500 users who are partly nested. Could you please add a feature to
> set non-root chroots with the %h option? Otherwise I have to rewrite
> the chroot patch for 4.7p1 :-(

ChrootDirectory supports this right now.

Just create one more directory under the chroot for the user's home.
E.g. have your user's home directory set as "/home" and your
ChrootDirectory as "/chroot/%u".

sshd will chroot to /chroot/[user] and then chdir to /home relative to
the chroot path. 

We will not be relaxing the permission checks; they are there for good
reasons. There are lots of nasty things a user can do if they can write
to what is effectively /.

-d
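The layout Damien describes, as an added example that is not part of this thread and not OpenSSH's own code: a root-owned, non-writable `/chroot/<user>` with the user's writable home directory one level below it, plus a checker modelled on the component test sshd applies before it will chroot (each directory from `/` down must be owned by root and writable by neither group nor others). The `Match`, `ForceCommand internal-sftp` and forwarding keywords are standard `sshd_config` syntax that the thread does not mention; the group name `sftponly`, the `stop_at`/`root_uid` parameters and the scratch tree are assumptions so the check can be exercised without root.

```python
"""Added example: ChrootDirectory layout and a sshd-style path check.
Not code from the mailing-list thread or from OpenSSH itself."""
import os
import shutil
import stat
import tempfile


def render_sftp_match(group: str = "sftponly", chroot: str = "/chroot/%u") -> str:
    """Render an sshd_config Match block for chrooted SFTP-only users.
    The group name is an assumption; the keywords and the %u token are
    real sshd_config syntax."""
    return "\n".join([
        f"Match Group {group}",
        f"    ChrootDirectory {chroot}",
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
    ]) + "\n"


def chroot_components(chroot: str, stop_at: str = "/") -> list:
    """Every directory from stop_at down to chroot, inclusive, top first."""
    chroot = os.path.abspath(chroot)
    stop_at = os.path.abspath(stop_at)
    parts, p = [], chroot
    while True:
        parts.append(p)
        if p == stop_at or p == os.path.dirname(p):
            break
        p = os.path.dirname(p)
    return list(reversed(parts))


def check_chroot_path(chroot: str, stop_at: str = "/", root_uid: int = 0) -> list:
    """Return a list of problems; empty means the path would pass.

    Modelled on sshd's ChrootDirectory check: each component must be a
    directory owned by root and not group- or world-writable. stop_at and
    root_uid exist only so the check can run in a scratch tree without
    root; on a real host keep the defaults ("/" and uid 0)."""
    problems = []
    for p in chroot_components(chroot, stop_at):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            problems.append(f"{p}: missing")
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{p}: not a directory")
        if st.st_uid != root_uid:
            problems.append(f"{p}: owned by uid {st.st_uid}, expected {root_uid}")
        if st.st_mode & 0o022:
            problems.append(
                f"{p}: group/other writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def build_demo_tree(base: str, user: str, user_uid: int) -> dict:
    """Create <base>/chroot/<user>/home (constructed scratch layout).
    The chroot is 0755; only the home below it is 0700 and, when running
    as root, chowned to the user."""
    chroot = os.path.join(base, "chroot", user)
    home = os.path.join(chroot, "home")
    os.makedirs(home, exist_ok=True)
    os.chmod(os.path.join(base, "chroot"), 0o755)
    os.chmod(chroot, 0o755)
    os.chmod(home, 0o700)
    if os.getuid() == 0:
        os.chown(home, user_uid, user_uid)
    return {"chroot": chroot, "home": home}


def demo(user: str = "u1") -> dict:
    """Build the layout, check it, then weaken the chroot to 0775 (the
    mistake Dirk's request would amount to) and check again. The current
    uid stands in for root so this runs unprivileged."""
    base = tempfile.mkdtemp(prefix="chroot-demo-")
    me = os.getuid()
    try:
        paths = build_demo_tree(base, user, me)
        clean = check_chroot_path(paths["chroot"], stop_at=base, root_uid=me)
        os.chmod(paths["chroot"], 0o775)  # group-writable chroot: refused
        weak = check_chroot_path(paths["chroot"], stop_at=base, root_uid=me)
    finally:
        shutil.rmtree(base)
    return {"clean": clean, "weak": weak, "config": render_sftp_match()}


if __name__ == "__main__":
    result = demo()
    print(result["config"])
    print("clean layout problems:", result["clean"])
    print("group-writable chroot problems:", result["weak"])
```

The checker walks every component because a writable parent anywhere above the chroot lets the user replace the whole tree, which is the situation the permission check is meant to rule out; the user's own writable space is the `home` directory underneath, exactly as in Damien's `/chroot/%u` plus `/home` arrangement.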

