[scponly] Is it dangerous if user can write to home if chrooted and if yes could please anybody tell why?

Paul Hyder Paul.Hyder at noaa.gov
Mon Jan 31 20:18:56 EST 2005


The default configuration for ssh has the keys in the user's .ssh directory.
You absolutely do not want them to have write access to the home directory
if that is the case.  Our sshd configuration has the keys in a different
location so we don't care much about attempts to modify .ssh.

Of course, we still don't let the users have a writeable home directory
but that's more about the fact that they might want it to be their system
home directory and we don't want that available on our scponly host.  It
is also much faster to just create an empty home directory.

I hope others will be able to supply other reasons for a non-writeable
home directory.

Yes, home directory owned by root and readable, not writeable for the
user works.  In our case the readable and/or writeable space provided
for the user is always somewhere other than the home directory.
	Paul Hyder
	NOAA Forecast Systems Lab
	Boulder, CO

Peter Holm wrote:
> Hi,
> 
> I read in sources of scponly that it is not a good thing to have user
> be able to write to his home if it is a chrooted installation.
> Something about .ssh is written there.
> 
> Could please anybody explain this? Why is it not good to have user
> write to his home? Is it just the .ssh file? What could happen then?
> 
> If the file is owned by root but readable, not writable for user, is it
> ok then?
> 
> Or are there more dangers with writable user dirs?
> 
> Thanks for your attention!
> 
> Peter
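
An added example, not part of the original post or of scponly: a Python audit of the two conditions the reply describes, namely whether sshd looks for authorized keys under the home directory and whether the account can write to its home directory or `.ssh`. The function names and sample paths are assumptions made for illustration, and `Match` blocks in sshd_config are not evaluated.

```python
import os
import stat

def keys_under_home(sshd_config_text):
    """True if sshd would look for authorized keys inside the user's home."""
    patterns = [".ssh/authorized_keys"]  # sshd default when the directive is absent
    for line in sshd_config_text.splitlines():
        parts = line.split()
        key = parts[0].lower() if parts else ""
        if key == "match":
            break  # assumption: per-user Match overrides are not evaluated here
        if key == "authorizedkeysfile":
            patterns = parts[1:]
            break  # sshd keeps the first value it reads for a keyword
    # A pattern not starting with "/" is relative to the home directory
    # (this includes patterns that begin with the %h token).
    return any(p.lower() != "none" and not p.startswith("/") for p in patterns)

def audit_home(home, user_uid, user_gids=()):
    """Return findings for a home directory and .ssh the account can modify."""
    findings = []
    for path in (home, os.path.join(home, ".ssh")):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # nothing to check, e.g. no .ssh directory exists
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid == user_uid:
            findings.append(f"{path}: owned by the account, which can write or chmod it")
        elif st.st_gid in user_gids and mode & stat.S_IWGRP:
            findings.append(f"{path}: writable through the account's group")
        elif mode & stat.S_IWOTH:
            findings.append(f"{path}: world-writable")
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throwaway directory owned by whoever runs this.
    sample_home = tempfile.mkdtemp()
    sample_cfg = "AuthorizedKeysFile /etc/ssh/authorized_keys/%u\n"  # hypothetical path
    print("keys under home:", keys_under_home(sample_cfg))
    for finding in audit_home(sample_home, os.getuid()):
        print(finding)
```

An empty findings list together with `keys_under_home` returning `False` corresponds to the setup described in the reply: keys stored outside the home directory, and a root-owned home the user can read but not write.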