- (djm) OpenBSD CVS Sync

- djm@cvs.openbsd.org 2008/04/04 05:14:38 [sshd_config.5] ChrootDirectory is supported in Match blocks (in fact, it is most useful there). Spotted by Minstrel AT minstrel.org.uk
author: Damien Miller <djm@mindrot.org> 2008-05-19 14:27:42 +1000
committer: Damien Miller <djm@mindrot.org> 2008-05-19 14:27:42 +1000
commit: 797e3d117f8b4cfed5f066ef88f28826eb8f8b41 (patch)
tree: 31e68a41888e6f799b5bec33fb69b1711878942b /sshd_config.5
parent: c5750226af60d321f11eea8c316c958048ee000d (diff)
1 files changed, 36 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 245ed946f..be3869713 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $
-.Dd $Mdocdate: March 25 2008 $
+.Dd $Mdocdate: April 4 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -210,6 +210,29 @@ in-process sftp server is used (see
 .Cm Subsystem
 for details).
 .Pp
+Please note that there are many ways to misconfigure a chroot environment
+in ways that compromise security.
+These include:
+.Pp
+.Bl -dash -offset indent -compact
+.It
+Making unsafe setuid binaries available;
+.It
+Having missing or incorrect configuration files in the chroot's
+.Pa /etc
+directory;
+.It
+Hard-linking files between the chroot and outside;
+.It
+Leaving unnecessary
+.Pa /dev
+nodes accessible inside the chroot (especially those for physical drives);
+.It
+Executing scripts or binaries inside the chroot from outside, either
+directly or through facilities such as
+.Xr cron 8 .
+.El
+.Pp
 The default is not to
 .Xr chroot 2 .
 .It Cm Ciphers
@@ -340,6 +363,11 @@ Specifying a command of
 will force the use of an in-process sftp server that requires no support
 files when used with
 .Cm ChrootDirectory .
+Note that
+.Dq internal-sftp
+is only supported when
+.Cm UsePrivilegeSeparation
+is enabled.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
@@ -563,6 +591,7 @@ keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
 .Cm Banner ,
+.Cm ChrootDirectory ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm GSSApiAuthentication ,
@@ -801,6 +830,11 @@ server.
 This may simplify configurations using
 .Cm ChrootDirectory
 to force a different filesystem root on clients.
+Note that
+.Dq internal-sftp
+is only supported when
+.Cm UsePrivilegeSeparation
+is enabled.
 .Pp
 By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.
author	Damien Miller <djm@mindrot.org>	2008-05-19 14:27:42 +1000
committer	Damien Miller <djm@mindrot.org>	2008-05-19 14:27:42 +1000
commit	797e3d117f8b4cfed5f066ef88f28826eb8f8b41 (patch)
tree	31e68a41888e6f799b5bec33fb69b1711878942b /sshd_config.5
parent	c5750226af60d321f11eea8c316c958048ee000d (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 245ed946f..be3869713 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $
38	.Dd $Mdocdate: March 25 2008 $	38	.Dd $Mdocdate: April 4 2008 $
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -210,6 +210,29 @@ in-process sftp server is used (see
210	.Cm Subsystem	210	.Cm Subsystem
211	for details).	211	for details).
212	.Pp	212	.Pp
		213	Please note that there are many ways to misconfigure a chroot environment
		214	in ways that compromise security.
		215	These include:
		216	.Pp
		217	.Bl -dash -offset indent -compact
		218	.It
		219	Making unsafe setuid binaries available;
		220	.It
		221	Having missing or incorrect configuration files in the chroot's
		222	.Pa /etc
		223	directory;
		224	.It
		225	Hard-linking files between the chroot and outside;
		226	.It
		227	Leaving unnecessary
		228	.Pa /dev
		229	nodes accessible inside the chroot (especially those for physical drives);
		230	.It
		231	Executing scripts or binaries inside the chroot from outside, either
		232	directly or through facilities such as
		233	.Xr cron 8 .
		234	.El
		235	.Pp
213	The default is not to	236	The default is not to
214	.Xr chroot 2 .	237	.Xr chroot 2 .
215	.It Cm Ciphers	238	.It Cm Ciphers
@@ -340,6 +363,11 @@ Specifying a command of
340	will force the use of an in-process sftp server that requires no support	363	will force the use of an in-process sftp server that requires no support
341	files when used with	364	files when used with
342	.Cm ChrootDirectory .	365	.Cm ChrootDirectory .
		366	Note that
		367	.Dq internal-sftp
		368	is only supported when
		369	.Cm UsePrivilegeSeparation
		370	is enabled.
343	.It Cm GatewayPorts	371	.It Cm GatewayPorts
344	Specifies whether remote hosts are allowed to connect to ports	372	Specifies whether remote hosts are allowed to connect to ports
345	forwarded for the client.	373	forwarded for the client.
@@ -563,6 +591,7 @@ keyword.
563	Available keywords are	591	Available keywords are
564	.Cm AllowTcpForwarding ,	592	.Cm AllowTcpForwarding ,
565	.Cm Banner ,	593	.Cm Banner ,
		594	.Cm ChrootDirectory ,
566	.Cm ForceCommand ,	595	.Cm ForceCommand ,
567	.Cm GatewayPorts ,	596	.Cm GatewayPorts ,
568	.Cm GSSApiAuthentication ,	597	.Cm GSSApiAuthentication ,
@@ -801,6 +830,11 @@ server.
801	This may simplify configurations using	830	This may simplify configurations using
802	.Cm ChrootDirectory	831	.Cm ChrootDirectory
803	to force a different filesystem root on clients.	832	to force a different filesystem root on clients.
		833	Note that
		834	.Dq internal-sftp
		835	is only supported when
		836	.Cm UsePrivilegeSeparation
		837	is enabled.
804	.Pp	838	.Pp
805	By default no subsystems are defined.	839	By default no subsystems are defined.
806	Note that this option applies to protocol version 2 only.	840	Note that this option applies to protocol version 2 only.