
ChrootDirectory, catch 22

Name: Anonymous 2009-02-08 11:35

has anyone noticed that the ChrootDirectory manual in sshd_config(5) says you can use tokens like %u and %h to automatically define a user's home directory as chroot

but at the same time it says that the directory defined by ChrootDirectory and all its parents must be owned by root and not writable by world or group

so basically, you can create a chroot environment for each user automatically on login but you must have some sort of subdir that the user is allowed to own and then lose all standard functionality of a user account

i find this moronic but i assume the openbsd team did it for some security reason, prolly if your user dir is owned by someone else you can cause trouble for that user or others, i dunno, i just discovered this shit and i hate it so i'm not in the best mood towards the openbsd team right now

maybe setting the append only flag on each user dir would prevent this but then it wouldn't be portable to linsux systems that lack chflags

Name: Anonymous 2009-02-08 12:11

I use sshd for windows.

http://sshwindows.sourceforge.net/

Am I still invited to your conversation?

Name: Anonymous 2009-02-10 7:01

you can join, only if sshwindows is based on a version of openssh from 4.8 or later

Name: Anonymous 2009-02-11 11:13

Read all of the goddamn man page:
             The ChrootDirectory must contain the necessary files and
             directories to support the users' session.  For an interactive
             session this requires at least a shell, typically sh(1), and
             basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
             stderr(4), arandom(4) and tty(4) devices.  For file transfer
             sessions using ``sftp'', no additional configuration of the
             environment is necessary if the in-process sftp server is used
             (see Subsystem for details).

the directory must exist and will not be created, and must at least contain all files necessary for the user to have a shell. Having secure permissions on that directory is not in the least wrong.

Name: Anonymous 2009-02-13 6:41

>>4
why? could you please explain to the rest of the class why root owner is required on the dir that is going to be chrooted?

i'm only wondering because, well, i don't know. also because i've used the chroot call before, of course it requires root but i've been able to chroot a process into a dir owned by a user before without problems

i'm assuming this is some sort of security measure that the openbsd team thought of, i mean i can't even begin to compare my security thinking to theirs so i have no idea why they require this in their chroot environment
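The rule the thread is arguing about is a check sshd runs before it chroots: the ChrootDirectory and every directory above it must be root-owned and not group- or world-writable, so the user can only get a writable subdirectory inside the jail. The script below is an added example, not from the thread or from OpenSSH; it re-implements that walk with POSIX ls -ldn so a layout can be tested before a login fails. The OWNER_UID and TOP parameters are assumptions for exercising it on a scratch tree as a non-root user; sshd itself uses uid 0 and walks up to /.

```sh
#!/bin/sh
# Added example (not OpenSSH code): emulate sshd's ownership/permission walk
# over ChrootDirectory and all of its parents.
#
# Layout that satisfies the rule (the "catch 22" from the thread):
#   /home/alice          root:root  0755   <- ChrootDirectory %h
#   /home/alice/upload   alice:alice 0755  <- the only place alice may write
# with  Match User alice / ChrootDirectory %h / ForceCommand internal-sftp
#
# check_chroot_path DIR [OWNER_UID] [TOP]
#   0 if DIR and every parent up to TOP are owned by OWNER_UID and are
#   neither group- nor world-writable; otherwise prints the first offending
#   directory and returns 1. Defaults (uid 0, TOP=/) match what sshd checks;
#   other values are only for trying the walk on a scratch tree.
check_chroot_path() {
    dir=$(cd -P -- "$1" 2>/dev/null && pwd) || {
        echo "no such directory: $1"; return 1; }
    want_uid=${2:-0}
    top=${3:-/}
    while :; do
        # ls -ldn is POSIX and prints a numeric uid: "drwxr-xr-x 2 0 0 ..."
        set -- $(ls -ldn -- "$dir")
        mode=$1; uid=$3
        gw=$(printf '%s\n' "$mode" | cut -c6)   # group write bit (w or s)
        ow=$(printf '%s\n' "$mode" | cut -c9)   # other write bit (w or t)
        if [ "$uid" != "$want_uid" ]; then
            echo "bad owner $uid on $dir (want $want_uid)"; return 1
        fi
        case "$gw" in w|s) echo "group-writable: $dir"; return 1 ;; esac
        case "$ow" in w|t) echo "world-writable: $dir"; return 1 ;; esac
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = / ] && { echo "$top is not above $1"; return 1; }
        dir=$(dirname -- "$dir")
    done
}
# usage on a real host (as sshd would judge it):  check_chroot_path /home/alice
```

A chroot placed under /tmp or another world-writable tree is rejected by this walk just as sshd rejects it, which is why the writable directory has to live below the jail rather than above it.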

