mohamed.zubaidi@gmail.com wrote:
> However, I want the user to be able to log in with ssh without being
> chrooted, while when he uses sftp, he gets chrooted. I'm using a config
> file for this and it's working fine for both; now I just need to
> separate them. I'm looking for a way to identify the connection as an
> sftp session prior to the do_setusercontext function in session.c
Ouch, should've read your first post more literally. If I recall
correctly the chroot system call can only be made as root and the
sftp-server is run as a subsystem request by a user inside the ssh
session. That's why it's FTP *over* SSH. Before that, there is not
really something specific which tells you if a session is sftp or shell.
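Perhaps you could patch/modify the sftp-server source code to do
something like

    uid_t uid = getuid();                /* real uid of the invoking user */
    if (chroot("/path/to/chroot") != 0 || chdir("/") != 0)
        exit(1);                         /* never carry on outside the chroot */
    if (setuid(uid) != 0)                /* setuid, not seteuid: also clears the saved uid */
        exit(1);
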
very early on in the code. Then make the compiled binary setuid root. Be
careful though, because there is always the danger of holes with setuid
root binaries, like users setting LD_LIBRARY_PATH and LD_PRELOAD.
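
Added example, not part of the original reply and not OpenSSH code: the chroot-then-drop sequence suggested above with every call checked, plus a check that root cannot be regained afterwards. `confine_and_drop` and `can_regain_root` are hypothetical names, and `/path/to/chroot` is the placeholder from the post.

```c
#define _DEFAULT_SOURCE 1   /* exposes chroot() and seteuid() in glibc */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper. Returns 1 if this process can still switch its
 * effective uid to 0 (it is root, or a saved set-user-ID of 0 survived). */
int can_regain_root(void)
{
    uid_t before = geteuid();
    if (seteuid(0) != 0)
        return 0;                 /* kernel refused: root is gone for good */
    if (before != 0 && seteuid(before) != 0)
        _exit(1);                 /* could not restore; do not run on as root */
    return 1;
}

/* Hypothetical helper. Enter `jail`, then give up root permanently. Meant
 * for a setuid-root binary: getuid() is the invoking user, geteuid() is 0.
 * Returns 0 on success, -1 with errno set on any failure. */
int confine_and_drop(const char *jail)
{
    uid_t uid = getuid();
    if (chroot(jail) != 0)        /* only root may call chroot */
        return -1;
    if (chdir("/") != 0)          /* a cwd left outside the jail is a way out */
        return -1;
    /* From euid 0, setuid() sets the real, effective and saved uid.
     * seteuid() would leave the saved uid at 0, so root could come back. */
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && can_regain_root()) {
        errno = EPERM;            /* the drop did not stick */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/path/to/chroot";
    if (confine_and_drop(jail) != 0) {
        perror("confine_and_drop");
        return 1;                 /* fail closed: never serve files unconfined */
    }
    printf("confined to %s as uid %d\n", jail, (int)getuid());
    return 0;
}
```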