[Chrootssh-users] Increase security for sftp server
From: <pg...@ya...> - 2004-03-08 15:43:01
I'm relatively new to the *nix environment, so please excuse me if this is common knowledge.

I installed chrootssh for the first time today. I followed most of the instructions at http://chrootssh.sourceforge.net/docs/chrootedsftp.html. (The part I did not follow was that I used the openssh-3.8p1-chroot.tar.gz file, and didn't need to apply any patch.)

When everything was installed and in working order, the whole thing seemed to work fine, until I realised that all jailed users who logged in using a sftp client had full write access to all files inside the jail! Whoever was placed into the chroot jail when he logged in could delete /bin (inside the jail) and block all other users from logging in! If the same user logged in using an ssh shell (not sftp) this was not a problem, only if he used a sftp client. (I only tried two clients: F-Secure and FileZilla, both for Windows.)

What caused the problem was this part of the instructions:

[QUOTE src="http://chrootssh.sourceforge.net/docs/chrootedsftp.html"]
/path/to/chroot/usr/local/libexec: sftp-server (can be copied straight in from /usr/local/libexec, but make sure you chmod +s if it isn't setuid already)
[/QUOTE]

The problem is caused by sftp-server having setuid enabled. By doing a chmod -s sftp-server the problem went away.

Hope this information can help someone.

-pg
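
A check for the condition this message describes, as an added example that is not part of the original post or of the chrootssh project: it lists setuid/setgid files under a jail directory and can clear those bits. The function names and the jail path given as an argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a chroot jail for setuid/setgid files such as the
# sftp-server binary discussed above. Function names are hypothetical.

# Print every regular file under jail directory $1 that has the setuid
# or setgid bit set, one path per line, sorted.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print the number of such files.
count_suid() {
    find_suid "$1" | wc -l | tr -d ' '
}

# Return 0 if the jail is clean, 1 (with a report on stderr) otherwise.
audit_jail() {
    found=$(find_suid "$1")
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'setuid/setgid files in jail %s:\n%s\n' "$1" "$found" >&2
    return 1
}

# Clear the setuid and setgid bits on every file find_suid reports
# (the same effect as the "chmod -s" fix in the message).
strip_suid() {
    find_suid "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f"
    done
}

# When run as a script with a jail path, report and set the exit status.
if [ "$#" -gt 0 ]; then
    audit_jail "$1"
fi
```

Run it with the jail root as the only argument; a non-zero exit status means at least one setuid or setgid file was found.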