[Bug 3397] Make internal-sftp the default

bugzilla-daemon at mindrot.org
Fri Mar 18 14:10:55 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3397

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Using a separate binary means that the sftp-server process does not
inherit a memory image of the privileged sshd process (as it would for
a merely fork()ed internal-sftp). 

Inheriting the memory image carries the risk that an error in
sftp-server's attack surface could yield an arbitrary memory read
primitive, and this could be used to break ASLR and other protections
on the parent process, as well as granting access to any otherwise
private data left in the sshd process. Unfortunately the existence of
private data in the sshd address space is hard to reason about,
especially since PAM modules can do pretty much what they feel like.

Now, sftp-server _should_ be pretty free of bugs, but weird
corner-cases that don't exist for other bits of sshd have yielded bad
bugs there before (e.g. https://seclists.org/oss-sec/2014/q4/216).

For this reason, my preference is to keep it as-is.

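An added illustration of the distinction drawn in comment #1 (not OpenSSH code, and not part of the original message): a fork()-only child can still read a secret at the parent's address, while a child that exec()s a fresh image cannot. It is Linux-only because it re-executes itself through /proc/self/exe; the function names, the marker string and the DEMO_PARENT_ADDR variable are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MARK "constructed-parent-secret" /* constructed stand-in for private parent data */

/* Does addr hold MARK? write() returns EFAULT on an unmapped address instead of crashing. */
static int holds_mark(const char *addr) {
    int p[2], ok;
    char buf[sizeof MARK] = {0};
    if (pipe(p) != 0) return 0;
    ok = write(p[1], addr, sizeof MARK) == (ssize_t)sizeof MARK &&
         read(p[0], buf, sizeof MARK) == (ssize_t)sizeof MARK &&
         memcmp(buf, MARK, sizeof MARK) == 0;
    close(p[0]); close(p[1]);
    return ok;
}

/* Runs before main() in every fresh image: this is the "separate binary" side. */
__attribute__((constructor)) static void probe_after_exec(void) {
    const char *s = getenv("DEMO_PARENT_ADDR"); /* hypothetical: parent's pointer, in hex */
    if (s) _exit(holds_mark((const char *)(uintptr_t)strtoull(s, NULL, 16)));
}

/* Returns 1 if the child can read the parent's secret at the parent's address, 0 if not. */
int child_sees_parent_secret(int exec_new_image) {
    char *secret = malloc(sizeof MARK), env[48], *envp[] = {env, NULL};
    int st = 0;
    if (!secret) return -1;
    memcpy(secret, MARK, sizeof MARK);
    snprintf(env, sizeof env, "DEMO_PARENT_ADDR=%llx", (unsigned long long)(uintptr_t)secret);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (!exec_new_image) _exit(holds_mark(secret)); /* fork() only: inherited image */
        execle("/proc/self/exe", "probe", (char *)NULL, envp); /* exec: image replaced */
        _exit(2); /* exec failed */
    }
    waitpid(pid, &st, 0);
    free(secret);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    printf("fork only: %d\n", child_sees_parent_secret(0));
    printf("fork+exec: %d\n", child_sees_parent_secret(1));
}
```

In the fork()-only case the pointer value itself is also still valid in the child, which is the address-layout disclosure the comment refers to when it mentions breaking ASLR on the parent.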