DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 52CEDXRZ3828930 Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 52CEDXRZ3828930 Authentication-Results: delorie.com; dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=xupF8LoI X-Recipient: archive-cygwin@delorie.com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org BB0F0385842A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1741788811; bh=wPnFLc/cxdWmVO8bnMRFpsUmRi0Wmk1LSMcvsKBlM9s=; h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=xupF8LoI3h9wt3MDXe5czdXCAaUrNB8vzRI3razrax03i5SzXAcu65bPb3bY9dimT AyKdjYN2EPWRj09VwL1uv6SjLE7UIE64NOKndxxe+zVUtVPw/+Cj1cJJ50S6MAx6xf RPZrVcVzgcf3YlRKiHo8qXTD4TrrQ7sR7m+t1tqY= X-Original-To: cygwin@cygwin.com Delivered-To: cygwin@cygwin.com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D752F3858C31 Date: Wed, 12 Mar 2025 15:13:07 +0100 To: cygwin@cygwin.com Subject: Re: Chrootdirectory / Chroot - not working in OpenSSH sftp directives in \etc\sshd_config or using a custom shell script - MS OpenSSH build has a workaround Message-ID: Mail-Followup-To: cygwin@cygwin.com References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-BeenThere: cygwin@cygwin.com X-Mailman-Version: 2.1.30 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Corinna Vinschen via Cygwin Reply-To: cygwin@cygwin.com Cc: Corinna Vinschen Content-Type: text/plain; charset="utf-8" Errors-To: cygwin-bounces~archive-cygwin=delorie.com@cygwin.com Sender: "Cygwin" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 52CEDXRZ3828930 On Mar 12 06:40, Peter Board via Cygwin wrote: > Hi Cygwin Developers, > > In the source code for the session.c Cygwin is using the standard > OpenSSH source code, which checks for both the user ID of 0 and a > permissions for who can write to the new folder. > Chroot mounting test that I can't get Cygwin to pass > if (st.st_uid != 0 || (st.st_mode & 022) != 0) > > I have tried mapping the SYSTEM user and Group via the \etc\passwd and > \etc\group files, but I am unable to get a successful setting that > will allow Chroot.exe or \etc\sshd_config directive for rehoming an > SFTP connection to work. You know that you have to copy executables and DLLs to be inside the chroot "jail" (but see below)? > Match User username >   ChrootDirectory F:\sftproot Don't use Windows paths. Use Cygwin POSIX paths. No drive letter and forward slashes. >   ForceCommand internal-sftp > In the MS OpenSSH source code, they have switched Windows to just > doing a basic directory exists check. Would it be possible to > implement the same check in the Cygwin source code so that sftp root > rehoming works again? I believe it was broken after OpenSSH 8.6 from > my research, I have an older Cygwin setup based on OpenSSH 8.3 and the > Chroot directive for SFTP root rehoming works fine. chroot(2) is not really supported. It was never more than a shallow experimental emulation keeping track of the chroot dir, and it never worked as desired. We gave up on the chroot emulation and only keep it in for backward compatibility. Don't use it. It only gives a false sense of security. A chroot jail is not supported by the underlying Windows, and the chroot in Windows SSH is just a bad fake either. Corinna -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple