On 07.01.2018 at 19:41, halfdog wrote:

> Hello list,
>
> I created a page to demonstrate what would happen when the chroot root directory is writable. In fact, code execution is already possible when only /etc and /bin are writable.
>
> I also tried to escape the chroot jail, but that did not work for non-root users. As the 2009 CVE activities mention that creating hardlinks from outside gives a trivial chroot escape, I showed that any cooperating access from the outside - no matter if it is the same user or another one - leads to root privilege escalation, even without hardlinks, just using the default behaviour of any shared-linked SUID binary.
>
> hd
>
> [0] https://www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution/

Hello halfdog,

I was not aware that an sftp-only access executes code/scripts from these directories.

I look at this from the point of view of a naive sftp user. If a naive sftp user gets access to a machine, then he thinks the directory belongs to him and he can write and delete whatever he wants.

I don't know much about the internals of sftp, but I think the point of view of a naive sftp user is valid.

I guess there is no distinction between a root directory for data and a root directory for config/code up to now. This missing distinction leads to execution of data, which is (of course) a major security issue.

Compare it to WebDAV, NFS or SMB: there would be something really wrong if the WebDAV/NFS/SMB server suddenly executed uploaded data.

Don't get me wrong, I have been a happy OpenSSH user for several years. I use it daily and it is rock solid. Thank you very much for this great tool!

Regards,
  Thomas Güttler

-- 
Thomas Guettler http://www.thomas-guettler.de/
I am looking for feedback: https://github.com/guettli/programming-guidelines

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
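The point halfdog raises is that sshd only verifies the ChrootDirectory itself and its parent components (root-owned, not group- or world-writable); it does not look at what is inside the jail, so an administrator who populates etc/ and bin/ for a sftp user can still leave them writable. The following audit script is an added example, written for this thread and not code from halfdog, Thomas Güttler or the OpenSSH project. It walks a chroot tree and reports system-like subtrees (the list `SENSITIVE_TOPLEVEL` is an assumption of this example, not an sshd rule) that are not root-owned, are group- or world-writable, or contain setuid/setgid files. The demo jail it builds under a temporary directory is constructed sample data.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Subtrees of a chroot that hold configuration, loaders, libraries or
# binaries rather than user data. Assumed list for this example; extend it
# to whatever your jail actually contains.
SENSITIVE_TOPLEVEL = {"etc", "bin", "sbin", "lib", "lib32", "lib64", "usr", "dev"}


def _checks(st: os.stat_result) -> List[str]:
    """Reasons why one filesystem object is unsafe inside a chroot."""
    reasons = []
    if st.st_uid != 0:
        reasons.append("not owned by root")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid file inside chroot")
    return reasons


def audit_chroot(root: str) -> List[Tuple[str, str]]:
    """Return (path relative to root, reason) for every unsafe object.

    The chroot root and the sensitive subtrees are checked; other top-level
    directories (the user's upload area) are expected to be writable and
    are skipped.
    """
    root = os.path.abspath(root)
    findings = [(".", r) for r in _checks(os.lstat(root))]
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if rel == ".":
            # Prune to the system-like subtrees; ignore the data directories.
            dirnames[:] = [d for d in dirnames if d in SENSITIVE_TOPLEVEL]
            entries = list(dirnames)
        else:
            entries = dirnames + filenames
        for name in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # link targets resolve inside the jail; judge the target itself
            for reason in _checks(st):
                findings.append((os.path.relpath(full, root), reason))
    return findings


def build_demo_chroot() -> str:
    """Constructed sample jail: a correct etc/, a misconfigured bin/, a data dir."""
    root = tempfile.mkdtemp(prefix="sftpjail-")
    os.mkdir(os.path.join(root, "etc"))
    os.chmod(os.path.join(root, "etc"), 0o755)
    os.mkdir(os.path.join(root, "bin"))
    os.chmod(os.path.join(root, "bin"), 0o777)          # the mistake under discussion
    sh = os.path.join(root, "bin", "sh")
    with open(sh, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(sh, 0o777)
    os.mkdir(os.path.join(root, "upload"))
    os.chmod(os.path.join(root, "upload"), 0o777)       # user data area, allowed
    return root


if __name__ == "__main__":
    jail = build_demo_chroot()
    for path, reason in audit_chroot(jail):
        print(f"{path}: {reason}")
```

Run it against a real ChrootDirectory with `audit_chroot("/srv/sftp/alice")` (path assumed); any line other than the expected owner notices on a non-root test box means the jail exposes more than an upload directory to the sftp user.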