Hello,

I'm aware of the fact that ChrootDirectory requires that the target directory is root-owned, and I think I've mostly understood why that is necessary, at least within the context of someone who has full shell access.

However, I am wondering if that possibility for privilege escalation still exists with a configuration like this:

    Match Group sftp
        ForceCommand internal-sftp
        ChrootDirectory %h

Assuming some patch were applied to openssh to allow ChrootDirectory to work here on a non-root-owned home directory, wouldn't this mean that any user in the sftp group would only be able to manipulate files within their home directory, and nothing else? Is there some potential for privilege escalation or execution of commands that I've missed?

And, just to confirm, am I correct in understanding that scp will not work with this configuration, since scp wants a shell?

Thanks.

--
Mike Kelly