sftp-server: add a chroot option

Eloi Benoist-Vanderbeken eloi.benoist-vanderbeken at synacktiv.com
Wed Apr 1 18:01:06 AEDT 2026 

Hi list,

Any news on this? It's a pretty simple patch and it should be harmless as it is very similar to ssh ChrootDirectory option.
We can still think about the namespace option in the future but this implementation already offers a real security and usability advantage for most (all ?) of the platforms at almost no cost.

Kind regards,
-- 
Eloi Benoist-Vanderbeken
Synacktiv
+33 (0)6 67 92 63 35

-----Original Message-----
From: Eloi Benoist-Vanderbeken <eloi.benoist-vanderbeken at synacktiv.com>
To: Jochen Bern <Jochen.Bern at binect.de>, openssh-unix-dev at mindrot.org
Subject: Re: sftp-server: add a chroot option
Date: 02/26/2026 11:56:56 AM

Hi Jochen,

> If I understand correctly, you have to create a "fully equipped" chroot 
> tree (with copies of all used libraries, $CHROOT/etc/passwd and 
> $CHROOT/etc/group for proper "ls -l" output, maybe a $CHROOT/dev/log 
> with the syslogd doing an extra LISTEN on it so as to have working 
> logging, yadda yadda), anyway. 

No, not at all, I call chroot when the process is initialized, so
sftp-server already had the opportunity to open whatever it needs and now 
only sees what the sftp user should be able to access (and not the 
sftp-server executable nor /etc).

It's almost the same than the ChrootDirectory option with internal-sftp.
That's also why I proposed it.

Kind regards,
-- 
Eloi Benoist-Vanderbeken
Synacktiv

-----Original Message-----
From: Jochen Bern <Jochen.Bern at binect.de>
To: openssh-unix-dev at mindrot.org
Subject: Re: sftp-server: add a chroot option
Date: 02/26/2026 10:27:09 AM

Am 25.02.26 um 12:31 schrieb Eloi Benoist-Vanderbeken:
> [...] I would like to add an option to chroot the sftp-server.
> I am well aware that I could use ChrootDirectory with internal-sftp
> but that doesn't work for me. [...]

If I understand correctly, you have to create a "fully equipped" chroot 
tree (with copies of all used libraries, $CHROOT/etc/passwd and 
$CHROOT/etc/group for proper "ls -l" output, maybe a $CHROOT/dev/log 
with the syslogd doing an extra LISTEN on it so as to have working 
logging, yadda yadda), anyway. If so, wouldn't wrapping the (unchanged) 
sftp-server executable/process with the OS' chroot(1) command do the 
trick already?

Kind regards,

More information about the openssh-unix-dev mailing list