I have a question: why don't you let the chroot be owned by the user? It would be a good way to chroot the users.

For example, I want to chroot users in /chroot/%u, but they cannot write in this directory. I need to set another directory for them to be able to write to, even when /chroot/ is owned by root.

I want to be able to do this: user1 is able to write in /chroot/user1 but not able to go down into /chroot/; user2 same thing here. In that way, user1 will not even be able to know whether there are other files there.

But with your code I have to do this: set the chroot dir to /chroot/ and set the home in /etc/passwd to /user1. But when user1 logs in he sees /user1, and if he goes down with cd .. he is able to see user2 and move around.

Is there any way to do what I want? And can you guys explain to me why the chroot path HAS to be owned by root?

Sorry, I know I am being annoying. And thanks anyway!

--
[]'s f.rique
On Fri, 14 Aug 2009 14:31:14 -0300 Henrique Fernandes <sf.rique at gmail.com> wrote:

> I have a question: why don't you let the chroot be owned by the user?
>
> It would be a good way to chroot the users.
>
> For example, I want to chroot users in /chroot/%u, but they cannot write in this directory. I need to set another directory for them to be able to write to, even when /chroot/ is owned by root.
>
> I want to be able to do this: user1 is able to write in /chroot/user1 but not able to go down into /chroot/; user2 same thing here.
>
> In that way, user1 will not even be able to know whether there are other files there.
>
> But with your code I have to do this: set the chroot dir to /chroot/ and set the home in /etc/passwd to /user1.
>
> But when user1 logs in he sees /user1, and if he goes down with cd .. he is able to see user2 and move around.
>
> Is there any way to do what I want?
>
> And can you guys explain to me why the chroot path HAS to be owned by root?
>
> Sorry, I know I am being annoying.
>
> And thanks anyway!
>
> --
> []'s f.rique
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Why? Because of security reasons. You might want to check the archives for this and the "general" mailing list. This topic has been discussed quite a lot. If I remember correctly, patches have also been posted to get the behaviour you'd like.

- Robert
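The layout that satisfies sshd's requirement, shown as an added example that is not code from this thread or from OpenSSH: the ChrootDirectory path (/chroot and /chroot/user1) stays owned by root and not writable by group or others, and the user gets a writable subdirectory inside it (here /chroot/user1/upload). The script below mirrors the ownership and mode check sshd applies before it chroots a session (root-owned, no group/other write bits; this version checks every path component, and which components a given sshd release checks is not stated in the thread). The directory tree in CONSTRUCTED_TREE, the fake_stat helper and the uids are constructed for the example so it runs without root; pass os.stat (the default) to check a real host.

```python
"""Validate a ChrootDirectory path the way sshd does before it will chroot:
every component must be a directory owned by root (uid 0) and must not be
writable by group or others. Added example, not OpenSSH code."""
import os
import re
import stat
from typing import Any, Callable, List, NamedTuple


class FakeStat(NamedTuple):
    """Minimal stand-in for os.stat_result (constructed for this example)."""
    st_uid: int
    st_mode: int


# Constructed directory tree (not taken from a real host): the layout from the
# question (user-owned /chroot/user2) next to the layout sshd accepts.
CONSTRUCTED_TREE = {
    "/":                    FakeStat(0,    stat.S_IFDIR | 0o755),
    "/chroot":              FakeStat(0,    stat.S_IFDIR | 0o755),
    "/chroot/user1":        FakeStat(0,    stat.S_IFDIR | 0o755),  # root-owned chroot: accepted
    "/chroot/user1/upload": FakeStat(1001, stat.S_IFDIR | 0o755),  # user-owned, writable, inside the chroot
    "/chroot/user2":        FakeStat(1002, stat.S_IFDIR | 0o755),  # user-owned chroot: rejected
    "/chroot/user3":        FakeStat(0,    stat.S_IFDIR | 0o775),  # root-owned but group-writable: rejected
}


def fake_stat(path: str) -> FakeStat:
    """stat() replacement that reads CONSTRUCTED_TREE instead of the filesystem."""
    try:
        return CONSTRUCTED_TREE[path]
    except KeyError:
        raise FileNotFoundError(2, "No such file or directory", path)


def expand_chroot(template: str, user: str) -> str:
    """Expand the %u and %% tokens of a ChrootDirectory value for one user."""
    return re.sub(r"%(u|%)", lambda m: user if m.group(1) == "u" else "%", template)


def path_components(path: str) -> List[str]:
    """'/chroot/user1' -> ['/', '/chroot', '/chroot/user1']."""
    parts, cur = ["/"], "/"
    for name in os.path.normpath(path).strip("/").split("/"):
        if name:
            cur = os.path.join(cur, name)
            parts.append(cur)
    return parts


def check_chroot_path(path: str, stat_fn: Callable[[str], Any] = os.stat) -> List[str]:
    """Return the reasons sshd would refuse this chroot; an empty list means acceptable."""
    problems: List[str] = []
    for comp in path_components(path):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc.strerror})")
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, must be owned by root (uid 0)")
        if st.st_mode & 0o022:
            problems.append(f"{comp}: mode {oct(st.st_mode & 0o777)} is group/other writable")
    return problems


if __name__ == "__main__":
    # Walk the constructed tree for a few users of a "ChrootDirectory /chroot/%u" setup.
    for user in ("user1", "user2", "user3", "nobody"):
        chroot = expand_chroot("/chroot/%u", user)
        problems = check_chroot_path(chroot, fake_stat)
        print(f"{chroot}: {'OK' if not problems else '; '.join(problems)}")
```

In sshd_config the matching setup is a Match block for the sftp users with ChrootDirectory /chroot/%u and ForceCommand internal-sftp. With the chroot at /chroot/user1, the home directory in /etc/passwd is interpreted inside the chroot, so pointing it at /upload starts the session in the writable subdirectory; cd .. then only reaches /chroot/user1, which is root-owned and read-only for the user, and /chroot/user2 is not visible at all, which is the separation the question asks for.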
On Fri, 14 Aug 2009, Henrique Fernandes wrote:

> I have a question: why don't you let the chroot be owned by the user?

This has been discussed several times on this mailing list; please check the archives.

-d
I think this diff is "not even wrong".

-d

On Sun, 16 Aug 2009, Jan Chadima wrote:

> Hi,
> here is the patch.
> The main goal is to not require a chroot tree and to not touch any file other than those required for data transfers, so the user cannot fake any system file. Only internal-sftp is allowed; others are aborted before execution.
>
>
> ----- Henrique Fernandes <sf.rique at gmail.com> wrote:
> > Thanks to all.
> >
> > I have looked but I did not find any patches... I will look again...
> >
> > And I did not find why it is dangerous... they just say... it is dangerous...
> >
> > But thanks anyway!
> >
> > If anyone knows the patch, please let me know!
> >
> --
> JFCh
----- "Damien Miller" <djm at mindrot.org> wrote:

> I think this diff is "not even wrong".
>
> -d
>
> On Sun, 16 Aug 2009, Jan Chadima wrote:
>
> > Hi,
> > here is the patch.
> > The main goal is to not require a chroot tree and to not touch any file other than those required for data transfers, so the user cannot fake any system file. Only internal-sftp is allowed; others are aborted before execution.

This patch is part of the RH patchset, so it may need minor repairs for changes caused by the previous patches in the chain. See openssh-5.2p1-17.fc12 on fedora/devel.

--
JFCh