Know your code. One can have sftp access to a chroot dir only, no binaries required. This is similar but much more secure than ftpd's chroot support, with builtin ls and such.
If you want to chroot a user with a shell, that's entirely different and much more work and not simple in any regard.

Penned by Denis Doroshenko on 20100108 18:31.28, we have:
| On 1/8/10, Todd T. Fries <t...@fries.net> wrote:
| > You can chroot internal-sftp but not external.
|
| well I chrooted external no prob, just put inside the chroot what ldd
| /usr/libexec/sftp-server and I found out that the only thing which
| sftp-server couldn't live without is /etc/pwd.db (besides the minimal
| device set described in sshd_config(5) and /dev/log).
|
| well, that required a little research with ktrace...
|
| the thing is, if I need to have any /usr/bin programs inside the
| chroot, I'm gonna need /usr/libexec/ld.so and /usr/lib/*.so.*
| anyway... so does internal sftp-server give any gain in such a situation
| besides some simplicity?
|
| then what also is of interest, how do they match, external and
| internal? if external is being modified, is internal taken care of as
| well?
|
| thanks!!
|
| > Penned by Denis Doroshenko on 20100108 16:50.31, we have:
| >
| > | hi,
| > |
| > | are there any benefits of using internal-sftp over
| > | /usr/libexec/sftp-server (which is being used with the default
| > | sshd_config)? sshd_config(5) says:
| > |
| > |     For file transfer sessions using
| > |     ``sftp'', no additional configuration of the environment is nec-
| > |     essary if the in-process sftp server is used, though sessions
| > |     which use logging do require /dev/log inside the chroot directory
| > |     (see sftp-server(8) for details).
| > |
| > | so the default sshd_config uses a program, but internal-sftp is better for
| > | chroot. what are the benefits of /usr/libexec/sftp-server except for stuff
| > | like timezone, locale, resolver etc. being initialized each time an
| > | sftp connection is being made?
| > |
| > | thanks!
| >
| >
| > --
| > Todd Fries .. t...@fries.net
| >
| >  _____________________________________________
| > |                                             \  1.636.410.0632 (voice)
| > | Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| > | http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| > | 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:freedae...@ekiga.net
| > | "..in support of free software solutions."  \  sip:4052279...@ekiga.net
| >  \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
| >
| > 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
| > http://todd.fries.net/pgp.txt
| >

--
Todd Fries .. t...@fries.net