chroot directory ownership
Ari Saastamoinen
openssh-unix-dev at oh3mqu.pp.hyper.fi
Wed Mar 14 03:30:37 EST 2012
Angel Gonzalez wrote:
> Just one example.
> If the user is the owner of /, he could move away /etc and replace it
> with its own one, providing a /etc/passwd under its control.
>
> You may think a user-owned chroot is not a problem for your setup, and
> it may not be, or there may be a way you don't yet known (or opened by a
> config change). Having a root-owned / is *much* safer.
I think that most used configuration of this chrooting is for sftp-only
users.
With this kind of config it is not a problem if /user creates etc in his
home directory.
Match Group sftp-only
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
ChrootDirectory %h
At least documentation should have note, that this reasonable looking
configuration is not valid.
Or if devs think that this shouldn't be allowed by default. Maybe they can
add a configuration entry "TrustMeIKnowWhatIAmDoing yes" to make this
configuration possible.
(Currently I must use proftpd with sftp module, but I would
like to use opensshd so there is only one software to handle both, file
transfers and remote shells)
--
Ari Saastamoinen
More information about the openssh-unix-dev
mailing list