To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: Chrootdirectory / Chroot - not working in OpenSSH sftp directives in \etc\sshd_config or using a custom shell script - MS OpenSSH build has a workaround
Date: Wed, 12 Mar 2025 06:40:46 +0000
Message-ID: <SL2P216MB121411360C11CDE2B8D7CCFE9AD02@SL2P216MB1214.KORP216.PROD.OUTLOOK.COM>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: Peter Board via Cygwin <cygwin@cygwin.com>
Reply-To: Peter Board <p_board@hotmail.com>

Hi Cygwin Developers,

In session.c, Cygwin uses the standard OpenSSH source code, which checks both for an owner user ID of 0 and for permissions restricting who can write to the new folder. This is the chroot mounting test that I can't get Cygwin to pass:

      if (st.st_uid != 0 || (st.st_mode & 022) != 0)

I have tried mapping the SYSTEM user and group via the \etc\passwd and \etc\group files, but I am unable to get a successful setting that will allow Chroot.exe or the \etc\sshd_config directive for rehoming an SFTP connection to work.

Match User username
  ChrootDirectory F:\sftproot
  ForceCommand internal-sftp

In the MS OpenSSH source code, they have switched Windows to just doing a basic "directory exists" check. Would it be possible to implement the same check in the Cygwin source code so that sftp root rehoming works again? From my research I believe it was broken after OpenSSH 8.6; I have an older Cygwin setup based on OpenSSH 8.3, and the Chroot directive for SFTP root rehoming works fine there.

session.c source code, showing both the WINDOWS branch and the standard branch:

/*
 * Chroot into a directory after checking it for safety: all path components
 * must be root-owned directories with strict permissions.
 */
static void
safely_chroot(const char *path, uid_t uid)
{
      const char *cp;
      char component[PATH_MAX];
      struct stat st;

      if (!path_absolute(path))
            fatal("chroot path does not begin at root");
      if (strlen(path) >= sizeof(component))
            fatal("chroot path too long");

#ifdef WINDOWS
      /* ensure chroot path exists and is a directory */
      if (stat(path, &st) != 0)
            fatal("%s: stat(\"%s\"): %s", __func__,
                  path, strerror(errno));
      if (!S_ISDIR(st.st_mode))
            fatal("chroot path %s is not a directory",
                  path);
#else
      /*
       * Descend the path, checking that each component is a
       * root-owned directory with strict permissions.
       */
      for (cp = path; cp != NULL;) {
            if ((cp = strchr(cp, '/')) == NULL)
                  strlcpy(component, path, sizeof(component));
            else {
                  cp++;
                  memcpy(component, path, cp - path);
                  component[cp - path] = '\0';
            }

            debug3_f("checking '%s'", component);

            if (stat(component, &st) != 0)
                  fatal_f("stat(\"%s\"): %s",
                      component, strerror(errno));
            if (st.st_uid != 0 || (st.st_mode & 022) != 0)
                  fatal("bad ownership or modes for chroot "
                      "directory %s\"%s\"",
                      cp == NULL ? "" : "component ", component);
            if (!S_ISDIR(st.st_mode))
                  fatal("chroot path %s\"%s\" is not a directory",
                      cp == NULL ? "" : "component ", component);

      }
#endif
      if (chdir(path) == -1)
            fatal("Unable to chdir to chroot path \"%s\": "
                "%s", path, strerror(errno));
      if (chroot(path) == -1)
            fatal("chroot(\"%s\"): %s", path, strerror(errno));
      if (chdir("/") == -1)
            fatal_f("chdir(/) after chroot: %s", strerror(errno));
      verbose("Changed root directory to \"%s\"", path);
}
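As an added diagnostic (not the author's code and not part of OpenSSH), this Python script reproduces the non-WINDOWS branch above on each path component and reports the first one sshd would reject; `required_uid` and `stat_fn` are assumed knobs for running it unprivileged or against constructed entries. Run on the intended ChrootDirectory, it names the offending component and its uid/mode rather than only sshd's single fatal() line.

```python
import os
import stat
from typing import Callable, Optional


def path_components(path: str) -> list:
    """Return the prefixes sshd inspects, e.g. '/', '/srv', '/srv/sftproot'."""
    if not path.startswith("/"):
        raise ValueError("chroot path does not begin at root")
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def check_chroot_path(path: str, required_uid: int = 0,
                      stat_fn: Callable[[str], os.stat_result] = os.stat) -> Optional[str]:
    """Apply session.c's non-Windows test to every component of `path`.

    Returns None when all components pass, otherwise a message naming the
    first component sshd would reject. required_uid and stat_fn are
    hypothetical knobs (sshd hard-codes uid 0 and stat()); they exist so the
    check can be run as a non-root user or against constructed entries.
    """
    for component in path_components(path):
        try:
            st = stat_fn(component)
        except OSError as e:
            return f"stat({component!r}): {e.strerror}"
        # Same predicate as sshd: owner must be root and no group/world write bit.
        if st.st_uid != required_uid or (st.st_mode & 0o022) != 0:
            return (f"bad ownership or modes for chroot component {component!r}: "
                    f"uid={st.st_uid} mode={stat.S_IMODE(st.st_mode):04o}")
        if not stat.S_ISDIR(st.st_mode):
            return f"chroot path component {component!r} is not a directory"
    return None


if __name__ == "__main__":
    import sys
    # Usage: python3 check_chroot.py /srv/sftproot  (path is a constructed example)
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    print(check_chroot_path(target) or f"{target}: every component passes sshd's check")
```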

Regards,

Peter Board

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

