ChrootDirectory per SSH Subsystem?

Ángel González keisial at gmail.com
Fri Jan 20 08:38:07 EST 2012


El 19/01/12 17:16, John Olsson M wrote:
>> Place a couple of wrappers around the commands, doing the chroot for you?
> Hmmm. I'm not sure I follow you. Our command shell (which is not like a standard *nix shell) needs to operate in a non-chrooted environment. But the file system shown by the SFTP subsystem needs to operate in a chrooted environment and only expose that subset of directories and files.
(...)
What I was proposing was that you would have something like:
Subsystem sftp /usr/local/libexec/cliss-sftp-server

With cliss-sftp-server doing something like:
# per-user mount point for the chrooted view
mkdir -p "/tmp/cliss-mount-$USER"
# mount the user's view if it is not there yet, bail out if that fails
test -d "/tmp/cliss-mount-$USER/bin" \
    || sudo -u "$USER" cliss.mount none "/tmp/cliss-mount-$USER" \
    || exit 1
# enter the chroot as the user and hand over to the real sftp-server
exec chroot --userspec="$USER" "/tmp/cliss-mount-$USER" \
    /usr/libexec/ssh/sftp-server

(it can't be implemented as a shell script, since you would want to make it suid, but you get the idea)
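Since the sketch above cannot be a suid shell script, here is what the same wrapper looks like as a small setuid C program. This is an added example, not the poster's code or anything shipped with OpenSSH; the mount helper path (/usr/local/bin/cliss.mount), the /tmp/cliss-mount-<user> layout and the sftp-server path are assumptions taken from the mail. It adds the checks a setuid wrapper needs that the shell sketch glosses over: the account comes from the real uid rather than $USER, the account name is validated before it is spliced into a path, the mount point is verified to be a root-owned directory rather than a symlink planted in /tmp, and the privilege drop is confirmed before sftp-server runs.

```c
/* Added example, not the poster's code: a minimal setuid wrapper in the
 * spirit of the cliss-sftp-server sketch above. MOUNT_HELPER, MOUNT_BASE
 * and SFTP_SERVER are assumptions taken from the mail. */
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MOUNT_BASE   "/tmp/cliss-mount-"            /* assumed, from the mail */
#define MOUNT_HELPER "/usr/local/bin/cliss.mount"   /* hypothetical helper */
#define SFTP_SERVER  "/usr/libexec/ssh/sftp-server" /* assumed, from the mail */

/* Build the per-user mount directory name. A setuid program must not let an
 * account name smuggle '/' or '..' into a path, so only a conservative
 * character set is accepted. Returns a static string, or NULL if rejected. */
const char *mount_dir_for(const char *user)
{
    static char dir[256];
    size_t len = strlen(user);
    if (len == 0 || len > 32 || user[0] == '-' || user[0] == '.')
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return NULL;
    }
    int n = snprintf(dir, sizeof dir, "%s%s", MOUNT_BASE, user);
    return (n < 0 || (size_t)n >= sizeof dir) ? NULL : dir;
}

/* Give up root for good: supplementary groups, then gid, then uid, and
 * confirm that root cannot be regained afterwards. Returns 0 on success. */
int drop_privileges(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0 || geteuid() != pw->pw_uid || getegid() != pw->pw_gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Identify the caller from the real uid, never from $USER: the
     * environment of a setuid program is under the caller's control. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) { fprintf(stderr, "unknown uid\n"); return 1; }

    const char *dir = mount_dir_for(pw->pw_name);
    if (dir == NULL) { fprintf(stderr, "bad account name\n"); return 1; }

    /* Create the mount point, then refuse to continue unless it really is a
     * root-owned directory (not a symlink planted in world-writable /tmp). */
    struct stat st;
    if (mkdir(dir, 0755) != 0 && errno != EEXIST) { perror("mkdir"); return 1; }
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != 0) {
        fprintf(stderr, "%s is not a root-owned directory\n", dir); return 1;
    }

    /* Mount the user's view if it is not there yet, running the helper as
     * the user (the role 'sudo -u "$USER"' plays in the shell sketch). */
    char probe[300];
    snprintf(probe, sizeof probe, "%s/bin", dir);
    if (stat(probe, &st) != 0) {
        pid_t pid = fork();
        if (pid == 0) {
            if (drop_privileges(pw) != 0) _exit(126);
            execl(MOUNT_HELPER, MOUNT_HELPER, "none", dir, (char *)NULL);
            _exit(127);
        }
        int status = 0;
        if (pid < 0 || waitpid(pid, &status, 0) < 0 ||
            !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
            fprintf(stderr, "mount helper failed\n"); return 1;
        }
    }

    /* chroot and chdir into it (a chroot without chdir is trivially left),
     * become the user, then exec sftp-server with an empty environment. */
    if (chroot(dir) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    if (drop_privileges(pw) != 0) { fprintf(stderr, "cannot drop root\n"); return 1; }
    char *const empty_env[] = { NULL };
    execle(SFTP_SERVER, "sftp-server", (char *)NULL, empty_env);
    perror("exec sftp-server");
    return 1;
}
```

Installed root-owned with mode 4755 and named in sshd_config as the sftp Subsystem, this gives each SFTP session the chrooted view while interactive logins keep the unchrooted command shell, which is the split the thread is after. Because sftp-server is exec'd from inside the chroot, the mounted tree must contain the sftp-server binary and the libraries it links against.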
