[TriLUG] sftp without shell access?
Matt McGrievy
mcgrievy at email.unc.edu
Wed Dec 7 11:21:38 EST 2005
I've used sftp-server as the shell for users, but I have not implemented
the chroot. And yes, the wandering around is limited to places where
they have proper permissions, but by default that's going to include
places like /etc. So if the goal is *just* to limit full shell access
and you basically trust the users, the sftp-server shell will work. If
you're really interested in fully locking things down, however, chroot
is probably worth the trouble.
-Matt
Scott Lundgren wrote:
>>
>> One option is to set the shell to be the sftp-server (don't forget to
>> add it to /etc/shells). The only problem with that is it doesn't
>> chroot them. So they could still wander around the file system with
>> the sftp client. You can find various patches to implement the chroot if
>> you google for "sftp chroot." One of them is here:
>
>
> Matt,
>
> Have you used this tool? Being able to wander around the filesystem
> concerns me. Would this wandering only be confined to where their
> permissions allowed read access?
>
> thanks,
> Scott
>
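
An added example, not part of the original thread: a small audit for the setup discussed above. It lists accounts whose login shell is sftp-server, reports whether that path is present in the shells file, and lists the files under a directory that such a non-chrooted account could read. The function names and the basename match on "sftp-server" are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: sh audit.sh PASSWD_FILE SHELLS_FILE DIR
#   e.g. sh audit.sh /etc/passwd /etc/shells /etc

# Print "user shell status" for every account whose login shell
# (passwd field 7) is an sftp-server binary. Status says whether that
# exact path appears in the shells file. Matching on the basename is an
# assumption: the install path differs between distributions.
audit_sftp_shells() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the shells file, skipping comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/[ \t]+$/, "", line)
                if (line != "" && line !~ /^#/) listed[line] = 1
            }
            close(shells)
        }
        $7 ~ /(^|\/)sftp-server$/ {
            printf "%s %s %s\n", $1, $7,
                (($7 in listed) ? "listed" : "NOT-in-shells")
        }
    ' "$1"
}

# Print regular files under a directory that carry the world-read bit.
# Without a chroot, an sftp-only user can fetch these. Simplification:
# only the "other" permission bits are checked, so access granted through
# group membership or ACLs is not reported.
world_readable() {
    find "$1" -type f -perm -004 2>/dev/null
}

if [ "$#" -eq 3 ]; then
    audit_sftp_shells "$1" "$2"
    world_readable "$3"
fi
```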