[Bug 1616] New: root owned empty subdirs are deletable by chroot users

bugzilla-daemon at bugzilla.mindrot.org
Wed Jul 1 06:46:07 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1616

           Summary: root owned empty subdirs are deletable by chroot users
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sftp-server
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: giulius at gmail.com


Successfully created a chroot sftp user and his structure:

nomad:~# grep prova /etc/passwd
prova:x:1000:107:,,,:/:/bin/false

nomad:~# grep ftponly /etc/group
sftponly:x:107:

nomad:~# less /usr/local/test_openssh/etc/sshd_config
...
Subsystem sftp internal-sftp
Match User prova
  ForceCommand internal-sftp
  ChrootDirectory /siuvar/chroots/prova/
  AllowTcpForwarding no
  X11Forwarding no
...

I already know it is not possible for the user prova to write directly
into the chroot dir "prova" :-( in which I've created a subdir "www":

drwxr-xr-x 9 root  root     4096 2009-06-30 22:31 .
drwxr-xr-x 3 root  root     4096 2009-06-30 21:34 ..
drwxr-xr-x 2 prova sftponly 4096 2009-06-30 22:07 www

The bug: it is always possible for the prova user, via the FileZilla
client, to delete any "www" subdir if it is empty and owned by users
other than prova. If the subdir contains root files (or files owned by
users other than prova), the subdir is not deletable.
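
Added example, not part of the bug report or of OpenSSH: on POSIX systems rmdir() is authorised by write and search permission on the parent directory (plus the sticky-bit rule), not by who owns the directory being removed, so this Python helper lists empty directories under a chroot tree that a given uid does not own but could still remove. The function names, the demo tree and the uid used in the demo are constructed for illustration.

```python
import os
import stat
import tempfile

def can_modify_entries(dir_st, uid, gids):
    """True if uid has write+search on the directory, judged from mode bits only
    (no ACLs, no root override)."""
    if dir_st.st_uid == uid:
        bits = dir_st.st_mode >> 6      # owner bits
    elif dir_st.st_gid in gids:
        bits = dir_st.st_mode >> 3      # group bits
    else:
        bits = dir_st.st_mode           # other bits
    return (bits & 0o3) == 0o3          # write (2) + search (1)

def foreign_removable_dirs(root, uid, gids):
    """Empty directories under root that uid does not own but could rmdir."""
    found = []
    for parent, dirs, _files in os.walk(root):
        p_st = os.stat(parent)
        if not can_modify_entries(p_st, uid, gids):
            continue
        # Sticky bit: only the entry's owner or the parent's owner may remove it,
        # so a uid that owns neither cannot remove foreign entries here.
        if p_st.st_mode & stat.S_ISVTX and p_st.st_uid != uid:
            continue
        for name in dirs:
            path = os.path.join(parent, name)
            c_st = os.lstat(path)       # lstat: do not follow symlinks
            if stat.S_ISDIR(c_st.st_mode) and c_st.st_uid != uid and not os.listdir(path):
                found.append(path)
    return sorted(found)

def demo():
    """Constructed tree: 'www' is writable by everyone, 'www/logs' is empty."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    logs = os.path.join(www, "logs")
    os.makedirs(logs)
    os.chmod(www, 0o777)
    other_uid = os.getuid() + 1         # hypothetical uid that owns nothing here
    before = foreign_removable_dirs(base, other_uid, set())
    os.chmod(www, 0o1777)               # sticky bit on the parent
    after = foreign_removable_dirs(base, other_uid, set())
    return logs, before, after

if __name__ == "__main__":
    print(demo())
```

For the layout in the report, call foreign_removable_dirs with the ChrootDirectory path and the uid and group ids of prova, from an account that can read the whole tree; because prova owns "www", the sticky-bit branch does not exclude it there.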
