keisial at gmail
Feb 21, 2012, 6:10 AM
Post #4 of 6
On 21/02/12 14:13, Dag-Erling Smørgrav wrote:
> "Dmitry V. Levin" <ldv [at] altlinux> writes:
>> Most likely, this was made to ensure that the chroot directory itself is
>> not writable and cannot be made writable by the user, to avoid various
>> kinds of attacks.
> Sure, but *which* attacks?
> Currently, if I don't want sftp-only users to see each other's home
> directories, I have to have two levels of directories: /home/$USER owned
> by root and /home/$USER/$USER owned by the user. Alternatively (note: I
> haven't tested this) I can chmod o-rw /home so users can't ls /home but
> can still access /home/$USER, but they'll be able to tell whether other
> directories exist because they will get EPERM instead of ENOENT. Not a
> big deal, perhaps, but wouldn't it be simpler if you could just chroot
> users to their ~?
Just one example.
If the user is the owner of /, he could move away /etc and replace it with
his own one, providing a /etc/passwd under his control.
You may think a user-owned chroot is not a problem for your setup, and it
may not be, or there may be a way you don't yet know of (or one opened by a config
change). Having a root-owned / is *much* safer.
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
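As an added example (not part of this thread or of OpenSSH itself), the check below reproduces in Python the rule that sshd's ChrootDirectory enforces: every component of the path, up to and including /, must be a root-owned directory that is not writable by group or others. It runs against a constructed sample tree via the assumed fake_stat helper; pass the default os.stat instead to audit a real host.

```python
import os
import stat
from pathlib import PurePosixPath


def _components(path):
    """Yield the path and each of its ancestors, deepest first, ending at '/'."""
    p = PurePosixPath(path)
    while True:
        yield str(p)
        if p == p.parent:
            break
        p = p.parent


def check_chroot_path(path, stat_fn=os.stat):
    """Return a list of problems with a candidate ChrootDirectory (empty = acceptable).

    Mirrors the documented sshd requirement: each component must be a directory,
    owned by uid 0, and not group- or world-writable. Symlinks are followed.
    """
    problems = []
    for comp in _components(path):
        try:
            st = stat_fn(comp)
        except OSError as e:
            problems.append(f"{comp}: cannot stat ({e.strerror})")
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group/others (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


# Constructed sample filesystem, not a real host: path -> (mode, uid)
_D = stat.S_IFDIR
SAMPLE_TREE = {
    "/": (_D | 0o755, 0),
    "/home": (_D | 0o755, 0),
    "/home/alice": (_D | 0o755, 0),          # root-owned chroot, the two-level layout from the thread
    "/home/alice/alice": (_D | 0o700, 1001),  # user's own writable area inside the chroot
    "/home/bob": (_D | 0o755, 1002),         # user-owned chroot: the case the reply warns about
    "/srv": (_D | 0o755, 0),
    "/srv/sftp": (_D | 0o775, 0),            # root-owned but group-writable, also rejected
}


def fake_stat(path):
    """Assumed stand-in for os.stat so the example runs offline against SAMPLE_TREE."""
    if path not in SAMPLE_TREE:
        raise FileNotFoundError(2, "No such file or directory", path)
    mode, uid = SAMPLE_TREE[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


if __name__ == "__main__":
    for candidate in ("/home/alice", "/home/bob", "/srv/sftp"):
        print(candidate, check_chroot_path(candidate, fake_stat) or "OK")
```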