mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-23 18:32:26 +00:00
upstream commit
Provide a warning about chroot misuses (which sadly, seem to have become quite popular because shiny). sshd cannot detect/manage/do anything about these cases, best we can do is warn in the right spot in the man page. ok markus
parent
087266ec33
commit
dcff5810a1
@ -33,8 +33,8 @@
|
|||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: sshd_config.5,v 1.189 2015/01/13 07:39:19 djm Exp $
|
.\" $OpenBSD: sshd_config.5,v 1.190 2015/01/22 20:24:41 deraadt Exp $
|
||||||
.Dd $Mdocdate: January 13 2015 $
|
.Dd $Mdocdate: January 22 2015 $
|
||||||
.Dt SSHD_CONFIG 5
|
.Dt SSHD_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -330,8 +330,10 @@ The default is
|
|||||||
Specifies the pathname of a directory to
|
Specifies the pathname of a directory to
|
||||||
.Xr chroot 2
|
.Xr chroot 2
|
||||||
to after authentication.
|
to after authentication.
|
||||||
All components of the pathname must be root-owned directories that are
|
At session startup
|
||||||
not writable by any other user or group.
|
.Xr sshd 8
|
||||||
|
checks that all components of the pathname are root-owned directories
|
||||||
|
which are not writable by any other user or group.
|
||||||
After the chroot,
|
After the chroot,
|
||||||
.Xr sshd 8
|
.Xr sshd 8
|
||||||
changes the working directory to the user's home directory.
|
changes the working directory to the user's home directory.
|
||||||
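Review bot: The reworded sentence starting "At session startup" describes what sshd(8) checks, but it no longer states the requirement to the administrator and does not say what happens when the check fails. Consider keeping the imperative form ("All components of the pathname must be root-owned directories that are not writable by any other user or group.") and following it with a sentence saying that sshd(8) verifies this only at session startup, so the reader sees both the obligation and the limit of the check.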
@ -368,6 +370,13 @@ inside the chroot directory on some operating systems (see
|
|||||||
.Xr sftp-server 8
|
.Xr sftp-server 8
|
||||||
for details).
|
for details).
|
||||||
.Pp
|
.Pp
|
||||||
|
For safety, it is very important that the directory heirarchy be
|
||||||
|
prevented from modification by other processes on the system (especially
|
||||||
|
those outside the jail).
|
||||||
|
Misconfiguration can lead to unsafe environments which
|
||||||
|
.Xr sshd 8
|
||||||
|
cannot detect.
|
||||||
|
.Pp
|
||||||
The default is not to
|
The default is not to
|
||||||
.Xr chroot 2 .
|
.Xr chroot 2 .
|
||||||
.It Cm Ciphers
|
.It Cm Ciphers
|
||||||
|
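Review bot: "heirarchy" in the first added line of this paragraph is a misspelling of "hierarchy". The paragraph also leaves "the directory hierarchy" and "Misconfiguration" unspecified. Tying the first to the chroot pathname described earlier in this entry, and stating what kind of misconfiguration is meant, would give the administrator something concrete to check, since the text itself says sshd(8) cannot detect it.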