On Mon, Jul 15, 2019 at 6:44 AM David Newall <openssh@xxxxxxxxxxxxxxx> wrote:
>
> On 15/7/19 7:54 pm, Ramón García wrote:
> > I am trying to set up a file server using the SFTP protocol with OpenSSH.
> >
> > I am in trouble because sshd refuses to chroot to a directory that is
> > writable by users other than the owner.
>
> I doubt that you need the root to be writeable. Put your files inside a
> globally writeable sub-directory. This allows you to have a dev, bin,
> lib, and whatever, within your chroot, without leaving yourself open to
> someone tearing you a new one.

Being able to write to root means being able to replace /etc/ and /tmp/, and
/proc, with non-root owned directories. It's very dangerous. Most of us
accept being able to write to "/home/username", where "/home" is owned by
root and prevents the deletion or relocation of "/home/username", as
sufficient. Or we accept a shared sftp workspace, such as "/var/projectname".

> If somebody says, "but I need to write to root", your go-to answer is
> "no, you don't; and get off my lawn."
>
> Also, look at rssh.

rssh is not being maintained, sadly. If someone wants hooks for that, I
publish some updated chroot cage building tools for it, which I built up
for an employer who used a public scp and sftp upload site rather than the
FTPS site I recommended for them, which have been much easier to set up.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
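The layout the thread recommends, as an added example that is not part of the list discussion and not OpenSSH's own tooling: the chroot root stays root-owned and writable only by its owner, and the user gets a writable sub-directory beneath it. The `check_chroot_path` function applies the same rule sshd enforces for `ChrootDirectory` (root-owned, not group- or world-writable, for the directory and every parent up to `/`) so a layout can be verified before sshd rejects it. The sub-directory name `upload`, the `CHROOT_OWNER_UID` override, the optional `stop` argument (so the demo can run unprivileged under a temporary directory; a real check walks all the way to `/`) and the `Match` block values are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build and verify an sshd
# ChrootDirectory layout in which the chroot root is not writable but a
# sub-directory beneath it is.

# Verify that PATH and each parent directory (up to, but not including,
# STOP, default "/") is owned by the expected uid (0 unless
# CHROOT_OWNER_UID is set) and is not group- or world-writable. This mirrors
# the check behind sshd's "bad ownership or modes for chroot directory".
# Returns 0 when acceptable, 1 otherwise.
check_chroot_path() {
    p=$1
    stop=${2:-/}
    want_uid=${CHROOT_OWNER_UID:-0}
    while [ "$p" != "$stop" ] && [ "$p" != "/" ]; do
        # ls -ldn prints: mode links uid gid ... (numeric ids, no name lookup)
        set -- $(ls -ldn "$p")
        mode=$1
        uid=$3
        if [ "$uid" != "$want_uid" ]; then
            echo "bad ownership: $p owned by uid $uid, expected $want_uid" >&2
            return 1
        fi
        case $mode in
            ?????w*|????????w*)   # 6th char = group write, 9th = other write
                echo "bad modes: $p is group- or world-writable ($mode)" >&2
                return 1 ;;
        esac
        p=$(dirname "$p")
    done
    return 0
}

# Create the layout: ROOT is owner-writable only (755), ROOT/upload is the
# writable area. On a real host also run
#   chown root:root "$ROOT"; chown "$user":sftp "$ROOT/upload"
build_layout() {
    root=$1
    mkdir -p "$root/upload"
    chmod 755 "$root"
    chmod 770 "$root/upload"
}

# Emit the sshd_config Match block that pins USER into ROOT with the
# built-in sftp server and no forwarding.
print_match_block() {
    printf '%s\n' \
        "Match User $1" \
        "    ChrootDirectory $2" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# Demo under a temporary directory (constructed, unprivileged): the check
# therefore expects the current uid instead of root and stops at the
# temporary directory instead of "/".
demo_root=$(mktemp -d)
CHROOT_OWNER_UID=$(id -u); export CHROOT_OWNER_UID
build_layout "$demo_root/alice"
if check_chroot_path "$demo_root/alice" "$demo_root"; then
    echo "layout ok:"
    print_match_block alice "$demo_root/alice"
fi
chmod 775 "$demo_root/alice"   # the mistake from the original question
check_chroot_path "$demo_root/alice" "$demo_root" || echo "sshd would refuse this root"
rm -rf "$demo_root"
```

Users write into `/alice/upload` inside the chroot; nothing at the chroot root itself is writable by them, which is exactly the property sshd insists on.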