Thanks for this guide. I just used it to get a chrooted rssh server up on Gutsy (that is, Ubuntu 7.10).
I do have a couple questions, though.
Looks to me like the guide says only to suid the non-chrooted rssh_chroot_helper, so that should alleviate this security concern, right? Is there any security concern regarding doing suid on the non-chrooted rssh_chroot_helper, as the guide states?
For instance, what if I allow some chrooted and some non-chrooted users on my system, and maybe some of those non-chrooted users will have full ssh access? Will the non-chrooted users be able to exploit the suid'd rssh_chroot_helper to escalate privileges?
I'm not real fond of going to source, b/c then I'll miss out on any updates that Ubuntu makes for me. So, if the above situation that I describe is not a security concern, I think the best solution (for me) is to follow this guide.
...Interestingly, when I followed the link that mtegmont provided above, I found the following:
So I followed that link, and found the following:

Originally Posted by http://zephid.dk/2007/11/20/getting-the-power-of-sftp-chroot-in-debian/
So, it looks to me like an even better solution than this howto is on the horizon, once we get OpenSSH 4.9 in Ubuntu. (Please someone correct me if I'm mistaken.)

Originally Posted by http://www.minstrel.org.uk/papers/sftp/
However, it appears to me that even Hardy (Ubuntu 8.04) is still using OpenSSH 4.7.
I guess that's not surprising, though, since OpenSSH 4.9 was only released on March 30, 2008, which was not long before Hardy. I suppose we'll see OpenSSH 5.0 (or later) in Intrepid (Ubuntu 8.10).