[Bug 3428] New: chroot root 755] I wish there was an option to lower the chroot security. CVE-2009-2904

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Apr 29 20:59:41 AEST 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3428

            Bug ID: 3428
           Summary: chroot root 755] I wish there was an option to lower
                    the chroot security. CVE-2009-2904
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sftp-server
          Assignee: unassigned-bugs at mindrot.org
          Reporter: shj at xenosi.de

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904
https://github.com/openssh/openssh-portable/blob/master/session.c#L1336

The directory to be chrooted must be root 755.
It is inconvenient as it is forced without a way to solve it as an
option.
The CVE content says that you can do something with a combination of
hardlink and setuid,
Isn't this a problem related to openssh that occurs when another
account executes?
I would like to take this vulnerability and make it impossible to
detect the existence of other accounts when logged in.
Please make it an option.
thank you.

if(!options->unsecure_chroot_directory) {
if (st.st_uid != 0 || (st.st_mode & 022) != 0)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list