Thanks for these 3rd party hacks! I don't trust them.
There must be such a feature in openssh out of the box.

So the most secure/easiest method of giving sftp access to a porn collection is:
Damien's sftp-server chroot patch, which I hope to see in openssh one day :)
http://marc.info/?l=openssh-unix-dev&m=116043792120525&w=2

# useradd -d /data/p0rn -m share

/etc/ssh/sshd_config:
Match user share
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand /usr/libexec/sftp-server -C %d

pkill sshd; /usr/sbin/sshd

and done :)
On 7/28/07, Peter SJF Bance <Minstrel at minstrel.org.uk> wrote:
> Hi,
>
> I noticed your post at:
>
> http://www.gossamer-threads.com/lists/openssh/dev/40355
>
> I don't subscribe to the list, so can't reply there, but this may
> help:
>
> http://www.minstrel.org.uk/papers/sftp/
>
> This discusses how to set up chroot'd SFTP only (no shell).
>
> --
> Peter SJF Bance
> http://www.minstrel.org.uk/
>
On Sun, Jul 29, 2007 at 12:46:13AM +0300, Richard Storm wrote:
> There must be such a feature in openssh out of the box.

I'm not so sure..

> # useradd -d /data/p0rn -m share
>
> /etc/ssh/sshd_config:
> Match user share
>     X11Forwarding no
>     AllowTCPForwarding no
>     ForceCommand /usr/libexec/sftp-server -C %d
>
> pkill sshd; /usr/sbin/sshd
> and done :)

Couldn't one just use a wrapper script doing the equivalent of the patch and then exec:ing sftp-server?

//Peter
On Sun, 29 Jul 2007, Richard Storm wrote:
> Thanks for these 3rd party hacks! I don't trust them.
> There must be such a feature in openssh out of the box.
>
> So the most secure/easiest method of giving sftp access to a porn collection is:
> Damien's sftp-server chroot patch, which I hope to see in openssh one day :)
> http://marc.info/?l=openssh-unix-dev&m=116043792120525&w=2

The big problem with that patch is that it effectively allows non-root users to chroot to a directory of their choice.

The only way I have come up with to get around this problem is to arrange for sshd to execute subsystems with an additional supplementary group (say "_sshd_subsys") and to make the setuid sftp-server mode 0710, but I haven't properly thought through whether this will actually solve all the problems yet.

In the meantime please treat my patch as unsupported, potentially dangerous code.

-d
> >> http://marc.info/?l=openssh-unix-dev&m=116043792120525&w=2
> >
> > The big problem with that patch is that it effectively allows non-root
> > users to chroot to a directory of their choice.

How!? Doesn't sftp-server respect the received "-C %d" args, which are hardcoded in ForceCommand, to chroot the user into HIS home directory?

> --
> Peter SJF Bance
> http://www.minstrel.org.uk/
>
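Editor's note, with an added example that is not code from the thread, from Damien's patch or from OpenSSH. It speaks to both of the questions above: Peter's "couldn't one just use a wrapper?" and Richard's "How!?". A ForceCommand only constrains what sshd runs at login; a setuid-root sftp-server sitting on disk can also be started by any local user from any other session, with whatever "-C" directory they like, and that is Damien's objection. Letting root chroot into a tree the caller can write is a well-known privilege-escalation primitive, so a helper of this kind must refuse the requested directory unless every component of its path is a root-owned directory, not writable by group or others, and not a symlink (the ownership part of that rule is essentially what later OpenSSH releases document for their built-in ChrootDirectory). One caveat on the wrapper idea: a wrapper that chroots and then execs sftp-server needs the sftp-server binary and its libraries inside the jail, which is why chrooting inside the process, as the patch does, is the attractive route. The check below implements the rule as a preflight tool and also shows the chdir/chroot/privilege-drop ordering an in-process implementation must follow; the rule itself and the tool name chroot-check are the editor's assumptions.

```c
/* Added example (editor's code, not from the thread, the patch or OpenSSH):
 * preflight check for a root-performed chroot target, plus the ordering an
 * in-process chroot-and-drop-privileges must follow once the check passes. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* NULL if this stat buffer describes an acceptable chroot component,
 * otherwise a short reason.  Callers lstat(2) each component, so a symlink
 * anywhere in the chain is rejected rather than silently followed. */
const char *chroot_dir_problem(const struct stat *st)
{
    if (S_ISLNK(st->st_mode))
        return "is a symlink";
    if (!S_ISDIR(st->st_mode))
        return "is not a directory";
    if (st->st_uid != 0)
        return "is not owned by root";
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return "is writable by group or others";
    return NULL;
}

/* Check "/" and then every prefix of path ("/data", "/data/p0rn", ...).
 * Returns 0 if the whole chain passes, -1 otherwise; on failure `why`
 * (when non-NULL) receives "<prefix>: <reason>". */
int check_chroot_path(const char *path, char *why, size_t whylen)
{
    char buf[PATH_MAX];
    struct stat st;
    const char *prefix, *problem;
    size_t i, len;

    if (why != NULL && whylen > 0)
        why[0] = '\0';
    if (path == NULL || path[0] != '/' || strlen(path) >= sizeof buf) {
        if (why != NULL)
            snprintf(why, whylen, "%s", "path must be absolute and shorter than PATH_MAX");
        return -1;
    }
    len = strlen(path);
    memcpy(buf, path, len + 1);

    for (i = 0; i <= len; i++) {
        char saved;
        /* i == 0 is "/" itself; afterwards each '/' or the final NUL closes
         * one prefix of the path. */
        if (i != 0 && buf[i] != '/' && buf[i] != '\0')
            continue;
        saved = buf[i];
        buf[i] = '\0';
        prefix = (i == 0) ? "/" : buf;
        if (lstat(prefix, &st) != 0)
            problem = strerror(errno);
        else
            problem = chroot_dir_problem(&st);
        if (problem != NULL) {
            if (why != NULL)
                snprintf(why, whylen, "%s: %s", prefix, problem);
            return -1;
        }
        buf[i] = saved;
    }
    return 0;
}

/* What a patched sftp-server or setuid wrapper must do after validation:
 * chdir, chroot("."), chdir("/"), drop supplementary groups, gid and uid,
 * then confirm root cannot be regained.  Refuses uid 0.  0 on success. */
int enter_chroot(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || check_chroot_path(dir, NULL, 0) != 0)
        return -1;
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)           /* the drop did not take: never continue */
        return -1;
    return 0;
}

/* Usage: chroot-check /data/p0rn   (exit 0 = acceptable chroot target) */
int main(int argc, char **argv)
{
    char why[PATH_MAX + 64];

    if (argc != 2) {
        fprintf(stderr, "usage: %s /absolute/dir\n", argv[0]);
        return 2;
    }
    if (check_chroot_path(argv[1], why, sizeof why) != 0) {
        fprintf(stderr, "REJECT %s\n", why);
        return 1;
    }
    printf("OK %s\n", argv[1]);
    return 0;
}
```

Run as `cc -o chroot-check chroot-check.c && ./chroot-check /data/p0rn`. Note that the home directory created by the `useradd -d /data/p0rn -m share` in the thread is owned by `share`, so the check rejects it; the usual arrangement is a root-owned, mode 0755 chroot directory with a user-owned subdirectory underneath for anything the user needs to write.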