Hello list,

I created a page to demonstrate what would happen when the chroot root directory is writable. In fact, code execution is already possible when only /etc and /bin are writable. I also tried to escape the chroot jail, but that did not work for non-root users.

As the 2009 CVE activities mention that creating hardlinks from outside gives trivial chroot, I showed that any cooperating access from the outside - no matter if it is the same user or another one - leads to root privilege escalation, even without hardlinks, just using the default behaviour of any shared linked SUID binary.

hd

[0] https://www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution/

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
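
An added example, not part of the original post or of OpenSSH: a small audit that flags the condition the message describes, a chroot root or its /etc and /bin being writable by anyone other than the trusted owner. The function names, the `trusted_uid` parameter and the extra library directories in `SENSITIVE` are assumptions made for this sketch.

```python
import os
import stat

# Directories inside the jail to check. "etc" and "bin" are the two the post
# names; the library directories are an assumption added for this example.
SENSITIVE = ("etc", "bin", "lib", "lib64", "usr/lib")


def check_dir(path, trusted_uid=0):
    """Return a list of reasons why `path` is unsafe as part of a chroot."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted in the jail
    except FileNotFoundError:
        return []  # absent; creating it needs a writable parent, checked separately
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["is not a directory"]
    problems = []
    if st.st_uid != trusted_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"group/other writable (mode {mode:04o})")
    return problems


def audit_chroot(root, trusted_uid=0):
    """Check the chroot root and its sensitive subdirectories.

    Returns {path: [reasons]} containing only the paths with findings.
    """
    findings = {}
    for rel in ("",) + SENSITIVE:
        path = os.path.join(root, rel) if rel else root
        problems = check_dir(path, trusted_uid)
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    import sys
    for path, problems in audit_chroot(sys.argv[1]).items():
        print(f"{path}: {'; '.join(problems)}")
```

sshd already refuses a ChrootDirectory whose path components are not root-owned or are writable by group or other; this script applies the same test to directories inside the jail. It looks only at ownership and mode bits, so ACLs and mount options need a separate check.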