Questions about ChrootDirectory

Hello,

I'm aware of the fact that ChrootDirectory requires that the target
directory is root-owned, and I think I've mostly understood why that is
necessary, at least within the context of someone who has full shell
access. However, I am wondering if that possibility for privilege
escalation still exists with a configuration like this:

Match Group sftp
  ForceCommand internal-sftp
  ChrootDirectory %h

Assuming some patch were applied to openssh to allow ChrootDirectory to
work here on a non-root-owned home directory, wouldn't this mean that
any user in the sftp group would only be able to manipulate files
within their home directory, and nothing else? Is there some potential
for privilege escalation or execution of commands that I've missed?

And, just to confirm, am I correct in understanding that scp will not
work with this configuration, since scp wants a shell?

Thanks.

-- 
Mike Kelly

