search for: bubblewrap

...id, but the forcecommand would > need to live inside the ChrootDirectory along with everything else > sftp-server and rsync needs. > > If you're on Linux, then maybe you could cook something up using > namespaces and bind mounts to simplify this. A while ago I used the following bubblewrap-based login shell to implement said Linux namespace and bind mount solution to give restricted shell access to a mostly trusted user. Using bwrap saves the perilous trouble of writing a safe setuid solution yourself. Could be extended by looking at $SSH_ORIGINAL_COMMAND to get the sftp/rsync b...

On Sat, 11 Nov 2023, Bob Proulx wrote: > I am supporting a site that allows members to upload release files. I > have inherited this site which was previously existing. The goal is > to allow members to file transfer to and from their project area for > release distribution but not to allow general shell access and not to > allow access to other parts of the system. > >