[Bug 3825] New: SFTP soft link security problem
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Thu May 22 11:32:22 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3825
Bug ID: 3825
Summary: SFTP soft link security problem
Product: Portable OpenSSH
Version: 9.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sftp
Assignee: unassigned-bugs at mindrot.org
Reporter: bty at mail.ustc.edu.cn
When we use the /usr/local/etc/other_sftppermit.config file to restrict
the directories that users can access via sftp. However, the following
soft links can be successfully created by running the soft link
command:
ln -s /permit_dir/not_exist_dir/../etc/passwd test
You can run the mkdir command to create the not_exist_dir directory.
The consequences are:
1. The test command cannot be used in SFTP to access the /etc/passwd
file without permission.
2. After logging in to the local system through SSH, you can use test
to access /etc/passwd, which poses security risks.
The technical reasons are:
When the realpath function verifies a non-existent path
(/permit_dir/not_exist_dir/../etc/passwd), the return value is null.
However, the two parameters, however, fill in the parsed non-existent
path (/permit_dir/not_exist_dir), which is in the SFTP trustlist.
Therefore, you can create a soft link. If not_exist_dir is created,
realpath can obtain the file to which the soft link points. Therefore,
the file without permission cannot be accessed in SFTP.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list