On Fri, 2018-01-05 at 16:00 +1030, David Newall wrote:
> On 05/01/18 02:44, Thomas Güttler wrote:
> > I set up a chroot sftp server [...]
> > Is there a way to get both?
> >
> > - chroot
> >
> > - writable root
>
> The source code (sftpd.c) seems to require that the root directory be
> owned by root and not group or world writable, so I think, no, not
> unless you make local source changes.

Yes, you are right. The chroot directory cannot be writable. We were
there once and they called it CVE-2009-2904. In short, if the confined
user has write access to the chroot directory, there are ways to get
out, gain privileges and/or do other nasty things. You should not do
that.

If you aim for the end-user comfort that he does not have to change
directory before uploading/downloading files, there is the -d switch to
sftp-server, which changes the start directory after startup
automatically.

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
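The thread settles on two points: the chroot root (and, as sshd actually enforces, every path component leading to it) must be root-owned and not group- or world-writable, and the user's writable area is a subdirectory that `sftp-server -d` can select as the start directory. The script below is an added example, not code from the thread or from OpenSSH: a pre-flight check that walks the ChrootDirectory path and reports any component that would make sshd refuse the chroot, together with the assumed directory layout and sshd_config snippet it is meant to verify. It assumes GNU coreutils `stat`; the `/srv/sftp/%u` layout, the `sftponly` group and the `upload` subdirectory name are illustrative choices, not something the thread prescribes. The owner UID is a parameter (default 0) only so the check can be exercised on directories you own without root privileges.

```shell
#!/bin/sh
# Added example (not from the thread): verify the rule sshd enforces for
# ChrootDirectory since the fix for CVE-2009-2904: every component of the
# chroot path must be owned by root and must not be group/world writable.
# Assumes GNU coreutils `stat`.
#
# Assumed layout this is meant to check:
#   /srv/sftp/alice          root:root   0755   <- ChrootDirectory, unwritable
#   /srv/sftp/alice/upload   alice:sftp  0750   <- the writable directory
# with an sshd_config such as (assumed example, not from the thread):
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp -d /upload
# so the session starts inside the writable subdirectory (no cd needed)
# while the chroot root itself stays unwritable.

# check_component PATH OWNER_UID
# Returns 0 if PATH is owned by OWNER_UID and is neither group- nor
# world-writable, 1 otherwise (reason printed on stderr).
check_component() {
    p=$1
    want_uid=$2
    info=$(stat -c '%u %A' "$p" 2>/dev/null) || {
        echo "UNSAFE $p: cannot stat" >&2
        return 1
    }
    uid=${info%% *}
    perm=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "UNSAFE $p: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # Symbolic mode looks like drwxrwxrwx: char 6 is group write,
    # char 9 is other (world) write.
    case "$perm" in
        ?????w*|????????w*)
            echo "UNSAFE $p: group or world writable ($perm)" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [OWNER_UID]
# Walks /, /a, /a/b, ... up to DIR, the way sshd checks a chroot path,
# and returns 0 only if every component passes check_component.
# Returns 2 for a non-absolute path.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    case "$dir" in
        /*) ;;
        *)  echo "chroot path must be absolute: $dir" >&2; return 2 ;;
    esac
    rc=0
    check_component / "$want_uid" || rc=1
    prefix=""
    oldifs=$IFS
    set -f                      # no globbing while splitting on '/'
    IFS=/
    set -- $dir
    IFS=$oldifs
    set +f
    for comp in "$@"; do
        [ -n "$comp" ] || continue      # skip leading/duplicate slashes
        prefix="$prefix/$comp"
        check_component "$prefix" "$want_uid" || rc=1
    done
    return $rc
}

# Usage: sh chroot_check.sh /srv/sftp/alice
if [ -n "${1:-}" ]; then
    check_chroot_path "$1" && echo "OK: $1 is an acceptable ChrootDirectory"
fi
```

Run it against the ChrootDirectory you intend to configure before reloading sshd; a non-zero exit names the offending component. The writable `upload` subdirectory is deliberately not part of the walk, which is exactly why it may be owned by the user while the chroot root above it cannot be.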