[WBEL-users] SSH as an FTP server
Jean Lee
jean.lee@free.fr
Fri, 12 Nov 2004 15:05:03 +0100
Hello Brett,

Jail and chrootssh do not have the same function. Jail is a general binary
to chroot a user but chrootssh is a patch to apply to OpenSSH.
I do not yet have the answer about which is better.
I succeeded in creating a chrooted sftp using Jail but not with chrootssh
(I suppose it is because there was the library /etc/lib.so.cache to
copy to chrootdir/etc (to make sftp work) and I only saw it when I
tried Jail. Then I did not have the time to test chrootssh anymore).

I have one question for you:
How did you set up the permissions in your chrooted environment?
I suppose that the user should be able to write in his home directory
but not in the others, so I set root to be the owner of all the
directories with 755 permissions except the home directory and
subfolders, which are owned by the user with 700 permissions.
However, I think that it is not good that an executable could be written
in the home directory because a malicious intruder could get out of the
chrooted environment by writing and executing an suid binary.
What do you think about it?

Thank you for your answer,
Jean

Brett Moss wrote:
>--- Jean Lee <jean.lee@free.fr> wrote:
>
>>Hello Brett,
>>
>>Thanks a lot for your answer. It's just what I want.
>>Just a question : Does jail make sshd more
>>vulnerable ?
>>Is it a better solution than to patch Openssh with
>>chrootssh (
>>http://chrootssh.sourceforge.net/ )?
>>
>>Regards,
>>
>>Jean
>>
>hello,
>i'm not sure i can answer that question. i suggest
>you post it to the two projects mailing lists. i sure
>would be interested in the results of that question.
>i can say though i have used jail (
>http://www.jmcresearch.com/projects/jail/ ) for quite
>some time with no problems at all.
>
>good luck,
>brett
>
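
The permission layout described in the message above (root-owned 755 directories outside the home, a user-owned 700 home, and the worry about suid files) can be checked mechanically. This is an added example, not part of the original thread; the function name, its parameters and the finding labels are assumptions made for illustration.

```python
import os
import stat


def audit_chroot(chroot, home_rel, trusted_uid=0):
    """Return sorted (relative_path, problem) pairs for a chroot tree.

    chroot      -- jail root directory (path chosen by the caller)
    home_rel    -- the user's home directory, relative to the jail root
    trusted_uid -- owner expected outside the home (root in the layout above)
    """
    chroot = os.path.realpath(chroot)
    home = os.path.normpath(os.path.join(chroot, home_rel))
    findings = []

    def check(path):
        st = os.lstat(path)  # lstat: never follow links out of the jail
        if stat.S_ISLNK(st.st_mode):
            return  # a symlink's own mode bits are not meaningful
        rel = os.path.relpath(path, chroot)
        in_home = path == home or path.startswith(home + os.sep)
        # Set-id bits are reported everywhere, including inside the home.
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid file"))
        if in_home:
            # Home and subfolders: 700 means no group/other bits at all.
            if stat.S_ISDIR(st.st_mode) and st.st_mode & 0o077:
                findings.append((rel, "home directory open to group/other"))
            return
        # Everything else must belong to the trusted owner and not be
        # writable by group or other (755 for directories).
        if st.st_uid != trusted_uid:
            findings.append((rel, "not owned by trusted uid"))
        if st.st_mode & 0o022:
            findings.append((rel, "group- or world-writable"))

    check(chroot)
    for dirpath, dirnames, filenames in os.walk(chroot):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)
```

An empty result means the tree matches the layout; run it as root against the real jail so every directory can be read.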