similar to: Proposal: Different handling of ChrootDirectory

https://bugzilla.mindrot.org/show_bug.cgi?id=2036 Priority: P5 Bug ID: 2036 Assignee: unassigned-bugs at mindrot.org Summary: Add %g user group name parameter for ChrootDirectory Severity: enhancement Classification: Unclassified OS: Linux Reporter: sue at pennine.com Hardware: ix86 Status:

https://bugzilla.mindrot.org/show_bug.cgi?id=1726 Summary: ChrootDirectory doesn't work with SE Linux Product: Portable OpenSSH Version: 5.3p1 Platform: Other URL: http://bugs.debian.org/556644 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd

https://bugzilla.mindrot.org/show_bug.cgi?id=1574 Summary: trailing white space on Forced Command within ChrootDirectory causes failure Product: Portable OpenSSH Version: 5.1p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo:

Hi all, I am using Match directive and internal-sftp to chroot sftp users into their directory. Connection and login works. I can change directories and put/get files. Also logging of the internal sftp-process works (created a /dev/log socket inside the chroot). As soon as I use the 'ls' command, nothing happens and the the process gets stuck. Listing files does work as soon as I remove

https://bugzilla.mindrot.org/show_bug.cgi?id=1564 Summary: non-accessible user's home directory not reported when ChrootDirectory=none Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: Solaris Status: NEW Severity: normal Priority: P3 Component: sshd

Hi, (please CC me as I'm not subscribed to the list) If compiled with SELinux support, OpenSSH 4.8 current cvs fails for accounts where the new ChrootDirectory option is active : debug1: PAM: establishing credentials debug3: PAM: opening session debug2: User child is on pid 1695 debug3: mm_request_receive entering debug1: PAM: establishing credentials debug3: safely_chroot: checking

Hi, many people are having problems using SFTP with ChrootDirectory when the jail directory (or the path above) is not owned by root. The question is if chroot'ing to usual home directories can be allowed, even though they are owned by regular users. I know that this topic has been discussed on the list several times now, so I searched the list archives for posts that invalidate the

Hello, I've tried many places, finally ending up here to ask my question: why is it so vital that the directory used with the ChrootDirectory directive is root-owned? Like many people I'm trying to use this in a webhosting environment where several users get sftp-only access to some directory, usually something like /home/user/web/part-of-website. I can be sure that there are no setuid

Hi I'm using Centos 5 with Openssh-5.0p1 installed (and OpenSSL 0.98b and Zlib 1.2.3-3). I've managed to get a chroot'd SFTP session using ChrootDirectory and the new built-in SFTP subsystem. However, when I use SSH to connect to the same account the session hangs rather than closing the connection. This happens whether or not I use /sbin/nologin /bin/false or even /bin/sh

Hello, I'm aware of the fact that ChrootDirectory requires that the target directory is root-owned, and I think I've mostly understood why that is necessary, at least within the context of someone who has full shell access. However, I am wondering if that possibility for privilege escalation still exists with a configuration like this: Match Group sftp ForceCommand internal-sftp

Hi, According to the sshd_config manual page the option ChrootDirectory can be used to force a chroot:ed environment for the SSHD server. But as I understand the manual page this is a global setting and it is not possible to specify this per SSH subsystem. We are building a system where we need users to be able to log on from remote machines via SSH, but with the tweaks that we (for security

Under "ChrootDirectory" there is a line that says, "This path, and all its components, must be root-owned directories that are not writable by any other user or group." When I first read this "all its components" seemed to mean that all directories and files within this directory must be root owned and root only writable. This seemed odd as I would not be able to

Hi, This is either a query or a feature request. I have a system where sftp users are chrooted using scponly, which while requiring much more setup than OpenSSH's internal-sftp method, has the useful feature of allowing an initial chroot to a subdirectory, typically the one used for file exchange. I've searched for a way to do the same thing with OpenSSH. So far haven't found it. If

https://bugzilla.mindrot.org/show_bug.cgi?id=2289 Bug ID: 2289 Summary: arandom(4) as documented in sshd_config(5)?s ChrootDirectory option does not exist on all platforms Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: All Status: NEW Severity: enhancement

https://bugzilla.mindrot.org/show_bug.cgi?id=1616 Summary: root owned empty subdirs are deletable by chroot users Product: Portable OpenSSH Version: 5.2p1 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sftp-server AssignedTo: unassigned-bugs at mindrot.org

Hi, Is anyone chrooting users that connect through SSH? I looked for it on Google and I basically saw several methods: - OpenSSH 5 supports ChrootDirectory (FC9 apparently has RPMs that probably could be rebuilt under CentOS 5) - There seem to be several patches for OpenSSH 4.x to do the chroot, the most popular seems to be http://chrootssh.sf.net/ - There appears to be a pam_chroot - There are

Hello, First, a big thank you to the OpenSSH devs. _ /Problem Summary:/ _ Chroot and SELinux don't get along. This affects both the new (official) ChrootDirectory feature, as well as the older (3rd party) patch at http://chrootssh.sourceforge.net/. _ /History and repro:/ _ On March 21, 2008, Alexandre Rossi posted to this list with the subject: "*ChrootDirectory

Hello, I'm trying to set up an sftp (sshfs) service accessible to users with a normal account on a server, but which would be restricted to a subset of the directory hierarchy normally accessible to the users in question, in practice a single directory. The idea would be to allow file access to this directory with a passwordless public key, but keep rest of the users file accessible only with

I'm running OpenSSH 5.1p1 on openSUSE 10.3 (i586) and I want to setup chroot jails for certain SFTP-only users. I use the following lines in my sshd_config file: Match Group sftponly ChrootDirectory /home/chroot-%u ForceCommand internal-sftp It works great. The problem is that some of my users need umask 002 for their uploads. I tried a few ways to achieve this: * set umask in sshrc,

At the risk of beating a dead horse, I'd like to see the chroot security checks relaxed a bit. On newer Linux kernels, there's a prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) that prevents privilege elevation (via setuid binaries, etc) for the caller and all of its descendants. That means that chroot(untrusted directory), prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), setreuid(uid, uid), execve(a