OpenSSH ChrootDirectory man page remark on safety

In the sshd_config(5) man page in my system I found this remark in the section about ChrootDirectory:

For safety, it is very important that the directory hierarchy be prevented from modification by other processes on the system (especially those outside the jail). Misconfiguration can lead to unsafe environments which sshd(8) cannot detect.

Is there anywhere I can read about the associated vulnerabilities if some external process does modifications to the directory hierarchy?

I'm thinking about setting up a SFTP server where I can drop a few files to share with external users, restricting access to specific target directories to each of them.

While these users would be restricted to using SFTP only and only to those directories (thanks to ChrootDirectory), I would still be able to put the files in place from time to time, which would happen through other processes on the system which would be outside of the jail.

I wonder if this simple use case can lead to some vulnerability too - any light would be very appreciated!


Solution 1:

The chrootdirectory requires root owner and group ("At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.").

SFTP is among the simplest to configure, but setting the directory permissions to 755 and creating a subdirectory with 775 permissions with group something like where group is only the users for the processes that require access.

drwxr-xr-x root root         /var/chrootdir
drwxrwxr-x root processgroup /var/chrootdir/sftpdrop

If the processes cannot be trusted to save files to the location, a different process could be used, even a cron job, to save files in the transfer directory.

These kinds of security questions may get lots of responses based on various different experience, but the obvious problem appears to me to be a process saving information inside of the chroot directory that is not suppose to be available to the chrooted users, or reading information inside of the chrootdirectory that can be modified by the chrooted user.