ChrootDirectory, catch 22

has anyone noticed that the ChrootDirectory manual in sshd_config(5) says you can use tokens like %u and %h to automatically define a users home directory as chroot

but at the same time it says that the directory defined by ChrootDirectory and all its parents must be owned by root and not writable by world or group

so basically, you can create a chroot environment for each user automatically on login but you must have some sort of subdir that the user is allowed to own and then lose all standard functionality of a user account

i find this moronic but i assume the openbsd team did it for some security reason, prolly if your user dir is owned by someone else you can cause trouble for that user or others, i dunno, i just discovered this shit and i hate it so i'm not in the best mood towards the openbsd team right now

maybe setting the append only flag on each user dir would prevent this but then it wouldn't be portable to linsux systems that lack chflags

Read all of the goddamn man page:
             The ChrootDirectory must contain the necessary files and directo-
             ries to support the users' session.  For an interactive session
             this requires at least a shell, typically sh(1), and basic /dev
             nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
             arandom(4) and tty(4) devices.  For file transfer sessions using
             ``sftp'', no additional configuration of the environment is nec-
             essary if the in-process sftp server is used (see Subsystem for
             details).

the directory must exist and will not be created, and must at least contain all files necessary for the user to have a shell. Having secure permissions on that directory is not in the least wrong.