On 06/01/18 01:05, Jakub Jelen wrote:
> The description of CVE-2009-2904 [1] talks about an attack vector with hardlinks and suid programs. Though I didn't investigate it further.
>
> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904
Yes, of course, that requires users to also have access outside of the chroot, as well as the ability to execute an arbitrary command within it. It doesn't appear to be a problem where ForceProgram sftp-server is effective.
I note that Ubuntu 16 (I assume some others, too) refuses to hard link a file to which the user cannot write. I don't remember if that is traditional behaviour; I think not; it's probably SELinux.
Even without SELinux's protection, I'm still not seeing a risk when the user has no access outside of the chroot (by which I include having no ally with said access). Is there more to the risk?
Bringing this back on topic, to the question that was originally asked: the above reference shows that there is more to consider than just what's in a chroot, and so providing a writable root is not to be encouraged. However, if it is essential to allow an SFTP account to have write access to its root (I doubt that there is an essential need), putting the chroot on a separate filesystem, mounted with noexec, should also be considered.
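An added example (not part of the original message and not OpenSSH code): a Python check that a chroot directory sits on its own filesystem mounted noexec, as the last paragraph suggests. The mount table is a constructed sample in /proc/mounts format; the paths, the function names and the extra nosuid check are assumptions made for illustration.

```python
import os

# Constructed sample in /proc/mounts format: device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/sftp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb2 /srv/sftp-legacy ext4 rw,relatime 0 0
"""

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def find_mount(mounts_text, path):
    """Return (mount_point, options) of the filesystem that contains path."""
    path = os.path.normpath(path)
    best = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mnt = os.path.normpath(_unescape(parts[1]))
        opts = set(parts[3].split(","))
        inside = path == mnt or mnt == "/" or path.startswith(mnt + "/")
        # Longest matching mount point wins; later lines shadow earlier ones.
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, opts)
    return best

def audit_chroot(mounts_text, chroot):
    """List the ways chroot falls short of 'separate filesystem, noexec'."""
    found = find_mount(mounts_text, chroot)
    if found is None:
        return ["no mount entry covers " + chroot]
    mnt, opts = found
    problems = []
    if mnt == "/":
        problems.append("shares the root filesystem")
    for opt in ("noexec", "nosuid"):
        if opt not in opts:
            problems.append("mounted without " + opt)
    return problems

if __name__ == "__main__":
    for d in ("/srv/sftp/alice", "/srv/sftp-legacy/bob", "/home/carol"):
        print(d, "->", audit_chroot(SAMPLE_MOUNTS, d) or "ok")
```

On a live host, pass the contents of /proc/mounts instead of the sample. The separate-filesystem check matters for the hardlink vector because hard links cannot cross filesystem boundaries.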