Date: | Wed, 12 Mar 2025 15:13:07 +0100 |
To: | cygwin AT cygwin DOT com |
Subject: | Re: Chrootdirectory / Chroot - not working in OpenSSH sftp directives in \etc\sshd_config or using a custom shell script - MS OpenSSH build has a workaround |
From: | Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com> |

On Mar 12 06:40, Peter Board via Cygwin wrote:
> Hi Cygwin Developers,
>
> In the source code for the session.c Cygwin is using the standard
> OpenSSH source code, which checks for both the user ID of 0 and a
> permissions for who can write to the new folder.
> Chroot mounting test that I can't get Cygwin to pass
> if (st.st_uid != 0 || (st.st_mode & 022) != 0)
>
> I have tried mapping the SYSTEM user and Group via the \etc\passwd and
> \etc\group files, but I am unable to get a successful setting that
> will allow Chroot.exe or \etc\sshd_config directive for rehoming an
> SFTP connection to work.

You know that you have to copy executables and DLLs to be inside the
chroot "jail" (but see below)?

> Match User username
>   ChrootDirectory F:\sftproot

Don't use Windows paths. Use Cygwin POSIX paths. No drive letter and
forward slashes.

>   ForceCommand internal-sftp
> In the MS OpenSSH source code, they have switched Windows to just
> doing a basic directory exists check. Would it be possible to
> implement the same check in the Cygwin source code so that sftp root
> rehoming works again? I believe it was broken after OpenSSH 8.6 from
> my research, I have an older Cygwin setup based on OpenSSH 8.3 and the
> Chroot directive for SFTP root rehoming works fine.

chroot(2) is not really supported. It was never more than a shallow
experimental emulation keeping track of the chroot dir, and it never
worked as desired.

We gave up on the chroot emulation and only keep it in for backward
compatibility. Don't use it. It only gives a false sense of security.
A chroot jail is not supported by the underlying Windows, and the chroot
in Windows SSH is just a bad fake either.

Corinna
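
OpenSSH applies the ownership and mode test quoted in the message above to every component of the ChrootDirectory path, so one group-writable or non-root-owned parent directory is enough to fail it. The following is an added example, not OpenSSH or Cygwin code and not written by either poster, that reports the first failing component; `first_bad_component`, `sample_stat` and the sample tree are hypothetical names and constructed data.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

typedef int (*stat_fn)(const char *, struct stat *);

/* Added example, not OpenSSH or Cygwin source. Checks "/", "/a", "/a/b", ...
 * in turn; returns NULL if every prefix is a directory passing the quoted
 * test, else the first failing prefix (static buffer, not reentrant). */
const char *first_bad_component(const char *path, stat_fn do_stat) {
    static char comp[1024];
    struct stat st;
    size_t len = strlen(path);

    if (path[0] != '/' || len >= sizeof(comp))
        return path;                 /* not an absolute POSIX path */
    for (size_t i = 0; i <= len; i++) {
        if (i != 0 && (path[i - 1] == '/' || (i != len && path[i] != '/')))
            continue;                /* not at the end of a component */
        size_t n = i ? i : 1;        /* i == 0 stands for "/" itself */
        snprintf(comp, sizeof(comp), "%.*s", (int)n, path);
        if (do_stat(comp, &st) != 0 || !S_ISDIR(st.st_mode) ||
            st.st_uid != 0 || (st.st_mode & 022) != 0)
            return comp;
    }
    return NULL;
}

/* Constructed sample tree standing in for stat(2); every entry is made up. */
static const struct { const char *p; uid_t uid; mode_t mode; } tree[] = {
    { "/", 0, 0755 }, { "/srv", 0, 0755 }, { "/srv/sftproot", 0, 0755 },
    { "/srv/shared", 0, 0775 }, { "/home", 0, 0755 }, { "/home/alice", 1000, 0755 },
};

int sample_stat(const char *p, struct stat *st) {
    memset(st, 0, sizeof(*st));
    for (size_t i = 0; i < sizeof(tree) / sizeof(tree[0]); i++)
        if (strcmp(tree[i].p, p) == 0) {
            st->st_uid = tree[i].uid;
            st->st_mode = S_IFDIR | tree[i].mode;
            return 0;
        }
    return -1;
}

int main(void) {
    const char *paths[] = { "/srv/sftproot", "/srv/shared", "/home/alice", "F:\\sftproot" };
    for (size_t i = 0; i < 4; i++) {
        const char *bad = first_bad_component(paths[i], sample_stat);
        printf("%s: %s\n", paths[i], bad ? bad : "ok");
    }
    return 0;
}
```

Passing the real `stat` in place of `sample_stat` runs the same walk against an actual directory tree.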