Jim Razmus wrote on Sun, Nov 26, 2006 at 07:41:42PM -0500:
> Ingo Schwarze <[EMAIL PROTECTED]> [061125 18:51]:
>> Jim Razmus wrote:
>>> Anyone have a clever hack to get sftp chroot'ed too?
>>
>> In my original post to this thread, i mentioned
>> http://sublimation.org/scponly/wiki
>> Disclaimer: I neither tested nor audited scponly.
>> A port has just been submitted to ports@ (not by me).
>
> Sorry, I meant in conjunction with ForceCommand.

And without any additional helper binary like scponly, if i understand your intention correctly? I deem that rather improbable.

Your sshd(8) invokes the command with the UID of the unprivileged user in question. In order to chroot(2) after that point, you will need to regain root privileges.

Let's take scponly as an example. When configured to chroot, scponly needs to be installed setuid root. My feeling about that is half-way between "not easy to avoid" and "somewhat scary".

Attempting to do this in a simpler way, it might occur to you to hack up sshd(8), doing the chroot(2) before dropping privileges. But that alone would not even be sufficient. Typical daemons can easily chroot because they can fork(2) _without_ exec(3). But in order to start sftp-server(8), sshd(8) must fork(2) _and_ exec(3).

The sequence fork, chroot, setresuid(2), exec will fail unless you put a copy of the sftp-server binary into each user's home dir. Good luck preventing your users from just replacing it with a shell. Of course that can be achieved, but it will hardly be beautiful.

The other sequence fork, exec, chroot, setresuid will force you to hack up *both* sshd(8) and sftp-server(8), because it will require sftp-server to be started as root and the chroot/setresuid part to be done there. Additional puzzles might need solving. For example, where do you get the UID of the user in question from when you are finally ready to call setresuid from sftp-server?

I heard people say it's easy to actually decrease your level of security by trying to use chroot(2), but doing it in a bad way. I suspect this one to be a case where that warning might apply.
Still, i neither claim it's impossible to do right nor do i think your question is completely unreasonable.
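Added example for this thread (not code from the thread, from scponly or from OpenSSH): the "fork, chroot, setresuid, exec" sequence a setuid-root helper would have to perform, with the checks that turn "doing chroot in a bad way" into a hard failure instead of a silent one. The function names, the PD_ exit codes, uid/gid 65534 as the unprivileged target, /tmp as the location of the throwaway jail and /bin/sh as the exec target are all assumptions made here. The second run shows the point made above about the binary having to live inside each jail: execv of /bin/sh inside an empty jail fails, because the path is resolved relative to the new root.

```c
/* jail_helper.c: chroot a child, drop privileges, verify, then exec.
 * Added example for this thread; not scponly or OpenSSH code.
 * Assumed: uid/gid 65534 exists, /tmp is writable, /bin/sh exists on the host. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit codes reported by the confined child (names chosen for this example). */
enum {
    PD_OK = 0,               /* chrooted, unprivileged, and the escape checks were refused */
    PD_NEED_ROOT = 2,        /* not root, or chroot(2) denied: nothing was attempted */
    PD_DROP_FAILED = 3,      /* a step of the sequence failed; the process must not go on */
    PD_STILL_PRIVILEGED = 4, /* privileges were not really dropped: the dangerous case */
    PD_EXEC_FAILED = 5       /* confinement fine, but the target binary is not inside the jail */
};

/* Order matters: chroot(2) needs root, so it comes first; chdir("/") moves the
 * cwd inside the new root; then supplementary groups, gid and uid are dropped
 * in that order (once the uid is non-zero, setgroups/setresgid are refused). */
static int confine(const char *jail, uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (geteuid() != 0)
        return PD_NEED_ROOT;
    if (chroot(jail) != 0)
        return errno == EPERM ? PD_NEED_ROOT : PD_DROP_FAILED;
    if (chdir("/") != 0)
        return PD_DROP_FAILED;
    if (setgroups(0, NULL) != 0)
        return PD_DROP_FAILED;
    if (setresgid(gid, gid, gid) != 0)
        return PD_DROP_FAILED;
    if (setresuid(uid, uid, uid) != 0)
        return PD_DROP_FAILED;

    /* Verify rather than assume: real, effective and saved ids must all be the target. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return PD_STILL_PRIVILEGED;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return PD_STILL_PRIVILEGED;
    /* A saved uid of 0 would let the process come back to root, and root inside
     * a chroot can chroot() again and walk out. Both must be refused now. */
    if (setresuid(0, 0, 0) == 0 || chroot("/") == 0)
        return PD_STILL_PRIVILEGED;
    return PD_OK;
}

/* Fork, confine the child, optionally exec argv[0] inside the jail, and
 * return the child's PD_ code (1 if fork/wait failed or the child was killed). */
static int run_confined(const char *jail, uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return 1;
    if (pid == 0) {
        int rc = confine(jail, uid, gid);
        if (rc != PD_OK || argv == NULL)
            _exit(rc);
        /* The exec happens after chroot, so the path is looked up inside the
         * jail: the binary has to be there already, exactly the problem noted above. */
        execv(argv[0], argv);
        _exit(PD_EXEC_FAILED);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char tmpl[] = "/tmp/jailXXXXXX";          /* constructed throwaway jail */
    char *jail = mkdtemp(tmpl);
    char *const shell[] = { "/bin/sh", NULL };
    int rc;

    if (jail == NULL) {
        perror("mkdtemp");
        return 1;
    }
    rc = run_confined(jail, 65534, 65534, NULL);
    printf("confine only: %d (0 = ok, 2 = run as root to try it)\n", rc);
    if (rc == PD_OK) {
        rc = run_confined(jail, 65534, 65534, shell);
        printf("exec /bin/sh inside the empty jail: %d (5 = not found in jail)\n", rc);
    }
    rmdir(jail);
    return 0;
}
```

Run as root to see the full sequence; as an unprivileged user the child refuses at the first step instead of continuing unconfined, which is the behaviour a helper must have. A version that forgot the setresuid check, or that left the saved uid at 0, would report PD_STILL_PRIVILEGED here rather than quietly serving files as root inside a jail it can leave.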