From: Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com>
Date: Wed, 12 Mar 2025 15:13:07 +0100
To: cygwin AT cygwin DOT com
Subject: Re: Chrootdirectory / Chroot - not working in OpenSSH sftp directives in \etc\sshd_config or using a custom shell script - MS OpenSSH build has a workaround
Message-ID: <Z9GWc_stGr69GXPu@calimero.vinschen.de>
In-Reply-To: <SL2P216MB121411360C11CDE2B8D7CCFE9AD02@SL2P216MB1214.KORP216.PROD.OUTLOOK.COM>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>

On Mar 12 06:40, Peter Board via Cygwin wrote:
> Hi Cygwin Developers,
>
> In the source code for session.c Cygwin is using the standard
> OpenSSH source code, which checks for both a user ID of 0 and the
> permissions for who can write to the new folder.
>
> Chroot mounting test that I can't get Cygwin to pass:
>
>     if (st.st_uid != 0 || (st.st_mode & 022) != 0)
>
> I have tried mapping the SYSTEM user and group via the \etc\passwd and
> \etc\group files, but I am unable to get a successful setting that
> will allow Chroot.exe or the \etc\sshd_config directive for rehoming an
> SFTP connection to work.

You know that you have to copy executables and DLLs to be inside the
chroot "jail" (but see below)?

>     Match User username
>     ChrootDirectory F:\sftproot

Don't use Windows paths. Use Cygwin POSIX paths. No drive letter and
forward slashes.

>     ForceCommand internal-sftp
>
> In the MS OpenSSH source code, they have switched Windows to just
> doing a basic directory-exists check. Would it be possible to
> implement the same check in the Cygwin source code so that sftp root
> rehoming works again? I believe it was broken after OpenSSH 8.6 from
> my research; I have an older Cygwin setup based on OpenSSH 8.3 and the
> Chroot directive for SFTP root rehoming works fine.

chroot(2) is not really supported. It was never more than a shallow
experimental emulation keeping track of the chroot dir, and it never
worked as desired. We gave up on the chroot emulation and only keep it
in for backward compatibility.

Don't use it. It only gives a false sense of security. A chroot jail
is not supported by the underlying Windows, and the chroot in Windows
SSH is just a bad fake, too.


Corinna

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple