- (djm) OpenBSD CVS Sync

   - djm@cvs.openbsd.org 2008/04/04 05:14:38
     [sshd_config.5]
     ChrootDirectory is supported in Match blocks (in fact, it is most useful
     there). Spotted by Minstrel AT minstrel.org.uk

diff --git a/ChangeLog b/ChangeLog
index a565a04b6e22edad5fbc7474ac33e3ed1bbb2b9c..4941a1deda972baf1d9497d25649535ca5356fbe 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20080518
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2008/04/04 05:14:38
+     [sshd_config.5]
+     ChrootDirectory is supported in Match blocks (in fact, it is most useful
+     there). Spotted by Minstrel AT minstrel.org.uk
+
 20080403
  - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
    time warnings on LynxOS. Patch from ops AT iki.fi

diff --git a/sshd_config.5 b/sshd_config.5
index be0234143f0e7d4e1a65e6a9e21629207eefea85..ea1ed4fe95c941e9dbc31102ae191242d07de33f 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $
 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os
@@ -210,6 +210,29 @@ in-process sftp server is used (see
 .Cm Subsystem
 for details).
 .Pp
+Please note that there are many ways to misconfigure a chroot environment
+in ways that compromise security.
+These include:
+.Pp
+.Bl -dash -offset indent -compact
+.It
+Making unsafe setuid binaries available;
+.It
+Having missing or incorrect configuration files in the chroot's
+.Pa /etc
+directory;
+.It
+Hard-linking files between the chroot and outside;
+.It
+Leaving unnecessary
+.Pa /dev
+nodes accessible inside the chroot (especially those for physical drives);
+.It
+Executing scripts or binaries inside the chroot from outside, either
+directly or through facilities such as
+.Xr cron 8 .
+.El
+.Pp
 The default is not to
 .Xr chroot 2 .
 .It Cm Ciphers
@@ -340,6 +363,11 @@ Specifying a command of
 will force the use of an in-process sftp server that requires no support
 files when used with
 .Cm ChrootDirectory .
+Note that
+.Dq internal-sftp
+is only supported when
+.Cm UsePrivilegeSeparation
+is enabled.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
@@ -563,6 +591,7 @@ keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
 .Cm Banner ,
+.Cm ChrootDirectory ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm GSSApiAuthentication ,
@@ -801,6 +830,11 @@ server.
 This may simplify configurations using
 .Cm ChrootDirectory
 to force a different filesystem root on clients.
+Note that
+.Dq internal-sftp
+is only supported when
+.Cm UsePrivilegeSeparation
+is enabled.
 .Pp
 By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.