from the practicing-safe-sftp dept.
The SFTP component in OpenSSH provides a chroot-feature for hardening. It is stated in the documentation that the chroot directory must not be writable by the user account, though specific files and subdirectories within it are allowed. Some people were questioning the read-only restriction. halfdog documents some analysis which is the result of discussions on openssh-dev mailing list. Here are some arguments about why these restrictions still makes sense in 2018.