Re: SFTP chroot: Writable root

On Fri, 2018-01-05 at 16:00 +1030, David Newall wrote:
> On 05/01/18 02:44, Thomas Güttler wrote:
> > I set up a chroot sftp server [...]
> > Is there a way to get both?
> > 
> >  - chroot
> > 
> >  - writable root 
> 
> The source code (sftpd.c) seems to require that the root directory be
> owned by root and not group or world writable, so I think, no, not
> unless you make local source changes.

Yes, you are right. The chroot directory cannot be writable. We were
there once and they called it CVE-2009-2904. In short, if the confined
user has write access to the chroot directory, there are ways to
get out, gain privileges and/or do other nasty things. You should not
do that.

If you aim for the end-user comfort that he does not have to change
directory before uploading/downloading files, there is the -d switch to
sftp-server, which changes the start directory after startup
automatically.

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



