- (djm) OpenBSD CVS Sync

- djm@cvs.openbsd.org 2008/04/04 05:14:38 [sshd_config.5] ChrootDirectory is supported in Match blocks (in fact, it is most useful there). Spotted by Minstrel AT minstrel.org.uk
2008-05-19 14:27:42 +10:00 · 2008-05-19 14:27:42 +10:00 · 797e3d117f
parent c5750226af
commit 797e3d117f
2 changed files with 44 additions and 3 deletions
--- a/9
+++ b/9
@ -1,3 +1,10 @@
+20080518
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2008/04/04 05:14:38
+     [sshd_config.5]
+     ChrootDirectory is supported in Match blocks (in fact, it is most useful
+     there). Spotted by Minstrel AT minstrel.org.uk
+
 20080403
 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
   time warnings on LynxOS. Patch from ops AT iki.fi
@ -3857,4 +3864,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@

-$Id: ChangeLog,v 1.4905 2008/05/16 00:01:54 djm Exp $
+$Id: ChangeLog,v 1.4906 2008/05/19 04:27:42 djm Exp $
--- a/sshd_config.5
+++ b/sshd_config.5
@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $
-.Dd $Mdocdate: March 25 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $
+.Dd $Mdocdate: April 4 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@ -210,6 +210,29 @@ in-process sftp server is used (see
 .Cm Subsystem
 for details).
 .Pp
+Please note that there are many ways to misconfigure a chroot environment
+in ways that compromise security.
+These include:
+.Pp
+.Bl -dash -offset indent -compact
+.It
+Making unsafe setuid binaries available;
+.It
+Having missing or incorrect configuration files in the chroot's
+.Pa /etc
+directory;
+.It
+Hard-linking files between the chroot and outside;
+.It
+Leaving unnecessary
+.Pa /dev
+nodes accessible inside the chroot (especially those for physical drives);
+.It
+Executing scripts or binaries inside the chroot from outside, either
+directly or through facilities such as
+.Xr cron 8 .
+.El
+.Pp
 The default is not to
 .Xr chroot 2 .
 .It Cm Ciphers
@ -340,6 +363,11 @@ Specifying a command of
 will force the use of an in-process sftp server that requires no support
 files when used with
 .Cm ChrootDirectory .
+Note that
+.Dq internal-sftp
+is only supported when
+.Cm UsePrivilegeSeparation
+is enabled.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
@ -563,6 +591,7 @@ keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
 .Cm Banner ,
+.Cm ChrootDirectory ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm GSSApiAuthentication ,
@ -801,6 +830,11 @@ server.
 This may simplify configurations using
 .Cm ChrootDirectory
 to force a different filesystem root on clients.
+Note that
+.Dq internal-sftp
+is only supported when
+.Cm UsePrivilegeSeparation
+is enabled.
 .Pp
 By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.