OpenSSH SFTP server pseudo "chroot jail" patch

The idea behind this patch was to provide functionality much like most FTP servers provide by creating a jail directory for users which they are then restricted to.

This patch is currently non-configurable (though easily changeable, in my mind...)

I use this patch in conjunction with rssh, a small shell that allows only SFTP or SCP.

The current functionality is to "jail" users into their home directory if they are not in the "wheel" group. (For users that are in the "wheel" group, allow them full filesystem access as before.)

There are other patches available on the internet which provide a related functionality by using the UNIX chroot() system call, but require a complex setup for each jail.

I thought that that was dumb, because:
  1. I didn't want to set up a complete root directory structure with various system libraries etc. just for the jail.
  2. I wanted separate jails for each user (or group of users) based on their home directories. (In order to upload web-related files.)

I implemented the jail by simply checking every path that is used inside the server code, and returning a "Permission Denied" error if the path is outside the "jail". This seemed a straightforward and simple solution. The one feature that it does not provide is the illusion of a "root" filesystem. Users can still see the full directory hierarchy in which their home directory resides.
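
The kind of per-path check described above, as an added example (not code from the patch itself): every client-supplied path is normalized and compared against the jail directory on a component boundary, and anything outside is answered with the SFTP "Permission Denied" status. The names normalize_path, jail_check and JAIL_PATH_MAX are hypothetical, the status constants are defined locally, and the "wheel" group exemption is left out.

```c
#include <stdio.h>
#include <string.h>

#define JAIL_PATH_MAX 4096           /* assumed limit for this example */
#define SSH2_FX_OK 0                 /* SFTP status codes, defined locally */
#define SSH2_FX_PERMISSION_DENIED 3

/* Lexically normalize an absolute path: collapse "//", drop ".", apply "..".
 * Symlinks are not resolved here. */
static int normalize_path(const char *in, char *out, size_t outlen)
{
    size_t len = 0, n;
    if (in == NULL || in[0] != '/' || outlen < 2)
        return -1;                   /* relative paths are rejected */
    while (*in) {
        while (*in == '/') in++;
        if ((n = strcspn(in, "/")) == 0) break;
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/')
                ;                    /* drop the last component */
        } else if (!(n == 1 && in[0] == '.')) {
            if (len + 1 + n >= outlen) return -1;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* Status for a client path: OK only if it is the jail or lies beneath it. */
int jail_check(const char *jail, const char *path)
{
    char j[JAIL_PATH_MAX], p[JAIL_PATH_MAX];
    size_t jl;
    if (normalize_path(jail, j, sizeof j) || normalize_path(path, p, sizeof p))
        return SSH2_FX_PERMISSION_DENIED;        /* fail closed */
    jl = strlen(j);
    if (jl > 1 && (strncmp(p, j, jl) != 0 || (p[jl] != '\0' && p[jl] != '/')))
        return SSH2_FX_PERMISSION_DENIED;        /* outside, or a sibling prefix */
    return SSH2_FX_OK;
}

int main(void)
{
    printf("%d\n", jail_check("/home/alice", "/home/alice/../bob/.ssh"));  /* 3 */
    return 0;
}
```

Because the comparison is lexical, a symlink inside the home directory can still lead outside it; resolving both paths with realpath(3) before the comparison closes that gap.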


Any questions / comments can and/or should be directed to me (via email): scotth at battleforce dot com.


---Scott

