[Bug 3715] safely_chroot is a little too restrictive: noexec or nosuid should be enough
bugzilla-daemon at mindrot.org
Thu Aug 1 00:42:52 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3715
--- Comment #9 from Joshua Hudson <joshudson at gmail.com> ---
"there's a fair bit of stuff in /etc that can be referenced quite late
in a program's execution"
Hmmm; do you mean while the sshd process hasn't dropped privileges yet?
I went looking and found something very interesting:
1) setusercontext(..., LOGIN_SETUMASK) is almost certainly meant to be
applied outside the jail not inside it. However that's not a function
on my system so I could not detect the problem via testing.
2) In do_child we have this block:
    if (s->authctxt->force_pwdchange) {
        do_setusercontext(pw, s->authctxt->role);
        child_close_fds(ssh);
        do_pwdchange(s);
        exit(1);
    }
There's no way that works correctly with any ChrootDirectory value
other than none, as do_pwdchange will be called inside the chroot jail
rather than outside of it. At least it has a safe failure mode. It
calls execl for passwd (no PATH search), which won't be there.
Any other failure modes must happen after uid has been set to the
user's value. While I'm pretty sure they can totally mess up the sftp
server with a hostile /etc, the user's really only attacking themselves.
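
The fail-closed behaviour described in point 2, as an added example that is not OpenSSH code and not part of the original comment: a child that execs passwd by fixed absolute path exits 1 when the file is absent, while a PATH-searching exec would run whatever "passwd" the search path supplies. Assumptions: chroot() needs root, so a hypothetical missing path stands in for the jail, and run_pwdchange, plant_passwd and the /tmp directory are names constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define PLANTED_EXIT 42 /* constructed marker: exit code of the planted "passwd" */
/* Create a temp directory holding a planted "passwd" script (constructed input). */
static int plant_passwd(char *dir_template)
{
    char path[256];
    FILE *f;
    if (mkdtemp(dir_template) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/passwd", dir_template);
    if ((f = fopen(path, "w")) == NULL)
        return -1;
    fprintf(f, "#!/bin/sh\nexit %d\n", PLANTED_EXIT);
    fclose(f);
    return chmod(path, 0755);
}

/* Child mimics the end of the force_pwdchange block: exec passwd, exit 1 on failure.
 * Returns the child's exit status: 1 = failed closed, PLANTED_EXIT = planted file ran. */
int run_pwdchange(const char *planted_dir, int use_path_search)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        setenv("PATH", planted_dir, 1); /* PATH holds only the planted directory */
        if (use_path_search)
            execlp("passwd", "passwd", (char *)NULL); /* resolved through PATH */
        else /* hypothetical absolute path, absent as it would be inside the jail */
            execl("/nonexistent-jail-root/usr/bin/passwd", "passwd", (char *)NULL);
        _exit(1); /* exec returned, so it failed */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int main(void)
{
    char dir[] = "/tmp/jail-demo-XXXXXX";
    if (plant_passwd(dir) != 0)
        return 2;
    printf("execl: exit %d, execlp: exit %d\n", run_pwdchange(dir, 0), run_pwdchange(dir, 1));
    return 0;
}
```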