On 2019/07/15 12:24, Ramón García wrote:
> Hello, I am trying to set up a file server using the SFTP protocol with OpenSSH.
>
> I am in trouble because sshd refuses to chroot to a directory that is
> writable by users other than the owner. I guess that this is to
> prevent someone else from creating a .ssh/authorized_keys file and
> impersonating the user. But we have configured an alternative
> AuthorizedKeysFile. I also understand that a chroot user needs a
> layout for login (/bin/bash, ...) or for executing the external
> sftp-server, and that nobody should be allowed to change it. But for
> an SFTP server that only serves files, using the internal-sftp server,
> that should not be a problem.
>
> Note that this is extremely restrictive in practice. Even if one is
> very careful and only allows specific users to write (with ACLs),
> openssh refuses to chroot to that directory. And when one has to work
> with a specified directory layout, required for compatibility with
> existing applications, it makes it very hard to implement an sftp file
> server.
>
> I would like to contribute a patch with an option
> StrictModesChrootDirectory. That option could be documented with the
> reasons when it should not be used.

A similar patch was added to RHEL in the past; the result was CVE-2009-2904 / https://bugzilla.redhat.com/show_bug.cgi?id=522141

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev