Allow following symlinks/junctions or chroot into multiple directories/drives
Summary of the new feature / enhancement
Hello OpenSSH team,
First of all, thank you very much for your excellent work on this essential project!
I would like to kindly suggest a feature regarding the chroot functionality. Would it be possible to add an option to allow following symbolic links, junctions, or mount points that point outside of the chroot? Alternatively, supporting chrooting into multiple directories simultaneously could also address this use case.
This would help in scenarios where accessing shared resources outside the chroot is necessary while maintaining system security and isolation.
Thank you in advance for your consideration, and keep up the great work!
Best regards,
Proposed technical implementation details (optional)
No response
The chroot function is implemented in the kernel, not in sshd. Your suggestion would therefore require a change to the operating system.
https://github.com/PowerShell/openssh-portable/blob/139a1b413d70f1cfd1c88c729c31da72cd8826fa/contrib/win32/win32compat/misc.c#L1574
So, if I understand, it seems impossible on Windows.
Have you tried hard links? If those work, find a Windows equivalent of the Unix command cp -l -r, which creates hard links of files instead of copies. The source must be on the same volume.
I tried:
Junction
Symlink
Mount point
Shortcut
But hard links aren't really what I need.
The setup involves a server with multiple hard drives. Some users are placed in a chroot environment to prevent access to the entire server disk. Links are created only to the hard drives they need to access. Not all hard drives are accessible to every user, and each user has access to different drives. There's too much data on the drives to copy everything into the chroot.
Junctions, symlinks, and shortcuts can't be accessed from within the chroot. Mount points allow visibility of the files, but it's impossible to open, paste, or copy them. But I have no choice but to make the entire hard drives accessible, and sometimes restrict access to specific folders using ACLs. Junctions or symlinks could help avoid this and make only the right folders accessible.
Without chroot, everything works fine, but I am hoping the ACLs will be effective enough.
Junctions, symlinks and mounted folders are all the same underlying mechanism, namely reparse points, and I suspect none of those can bypass chroot jails. That's because they are all implemented by minifilters that themselves are running within the chroot jail when they try to access the underlying file-system driver. You would need to find some minifilter that does not just transform accesses to the local file-system driver, but that talks via some other inter-process communication mechanism to some file-system server outside the chroot jail, e.g. via some kind of network file-system protocol, such as SMB, NFS, SSHFS or 9P. You would have to give such a minifilter contact details that are not in the form of a path on the local filesystem. (I wonder if you could create your own using something like WinFsp.)
Junctions, symlinks, and mounted folders are all based on the same underlying mechanism: yes. The only difference is that I can't access the file using the first two, but I can access it through mounted folders. Still, nothing more—the chroot jail works too well.
I wonder if you could create your own using something like WinFsp: I think it's beyond my skill level.