Re: SFTP chroot: Writable root

On Fri, Jan 05, 2018 at 09:42:18PM +1030, David Newall wrote:
> On 05/01/18 20:06, Jakub Jelen wrote:
> > if the confined user has write access to the chroot directory,
> > there are ways how to get out, gain privileges and/or do other
> > nasty things.
> 
> I'm not inexperienced with UNIX and unix-like operating systems (30+ years),
> and I can't think what these ways are.  Although clearly off-topic, I wonder
> if you could expound on this?

The attack involves being able to create hard links inside the chroot
referring to setuid programs outside the chroot.  If you can do that
then you can e.g. make a hard link to the external /bin/su, construct
your own /etc/passwd and so on, and thereby gain root inside the chroot.
Chroots are easily escapable by root (e.g.
https://filippo.io/escaping-a-chroot-jail-slash-1/).

The particular case Jakub is referring to is:

  https://bugzilla.redhat.com/show_bug.cgi?id=522141

https://lists.mindrot.org/pipermail/openssh-unix-dev/2008-November/026981.html
has some recommendations for making the default directory that users
start in be writable in a less dangerous way.

-- 
Colin Watson                                       [cjwatson@xxxxxxxxxx]

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
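
An added example, not part of the message above and not OpenSSH code: a Python audit that approximates the rule sshd_config(5) documents for ChrootDirectory, under which every path component must be a root-owned directory that no other user or group can write to. The function names and the owner_uid parameter are assumptions made for this illustration.

```python
import os
import stat


def check_component(path, owner_uid=0):
    """Return a list of problems for one directory on the chroot path."""
    # lstat, not stat: a symlink standing in for a directory is itself a finding.
    st = os.lstat(path)
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != owner_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"group/other writable (mode {mode:04o})")
    return problems


def audit_chroot(chroot_dir, owner_uid=0):
    """Check chroot_dir and every parent up to /.

    Returns {path: [problems]}; an empty dict means no component can be
    modified by anyone other than owner_uid (root by default).
    """
    findings = {}
    path = os.path.abspath(chroot_dir)
    while True:
        problems = check_component(path, owner_uid)
        if problems:
            findings[path] = problems
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return findings


if __name__ == "__main__":
    import sys

    # Usage: python3 audit_chroot.py /path/to/chroot
    results = audit_chroot(sys.argv[1])
    for component, problems in results.items():
        print(f"{component}: {'; '.join(problems)}")
    sys.exit(1 if results else 0)
```

Any writable upload area belongs in a subdirectory below the audited chroot root, which this check deliberately does not descend into.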



