[Bug 3825] New: SFTP soft link security problem

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu May 22 11:32:22 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3825

            Bug ID: 3825
           Summary: SFTP soft link security problem
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sftp
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bty at mail.ustc.edu.cn

We use the /usr/local/etc/other_sftppermit.config file to restrict
the directories that users can access via sftp. However, the following
soft links can be successfully created by running the soft link
command:

ln -s /permit_dir/not_exist_dir/../etc/passwd test

You can run the mkdir command to create the not_exist_dir directory.

The consequences are:
1. The test command cannot be used in SFTP to access the /etc/passwd
file without permission.
2. After logging in to the local system through SSH, you can use test
to access /etc/passwd, which poses security risks.

The technical reasons are:
When the realpath function verifies a non-existent path
(/permit_dir/not_exist_dir/../etc/passwd), the return value is null.
However, the two parameters fill in the parsed non-existent
path (/permit_dir/not_exist_dir), which is in the SFTP trustlist.
Therefore, you can create a soft link. If not_exist_dir is created,
realpath can obtain the file to which the soft link points. Therefore,
the file without permission cannot be accessed in SFTP.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
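
The realpath() handling described in the report, as an added example (not code from OpenSSH or from the reporter's setup): a check that reads the output buffer after realpath() has failed, next to one that refuses the target when realpath() returns NULL. The function names is_under, permit_ignoring_failure and permit_fail_closed are hypothetical, and the temporary directory is constructed to stand in for /permit_dir.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 if path equals dir or lies below it (match ends on a component boundary). */
static int is_under(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    return n > 0 && strncmp(dir, path, n) == 0 &&
           (path[n] == '\0' || path[n] == '/');
}

/* Pattern from the report: the buffer is compared even though realpath()
 * failed. glibc documents that on ENOENT the buffer holds the prefix that
 * does not exist, so a path under permit_dir can pass this check. */
int permit_ignoring_failure(const char *permit_dir, const char *target)
{
    char resolved[PATH_MAX] = "";
    char *r = realpath(target, resolved);   /* result deliberately unused */
    (void)r;
    return is_under(permit_dir, resolved);
}

/* Hardened form: an unresolvable target is refused, because nothing has
 * been verified about where it will point once the missing part exists. */
int permit_fail_closed(const char *permit_dir, const char *target)
{
    char resolved[PATH_MAX];
    if (realpath(target, resolved) == NULL)
        return 0;
    return is_under(permit_dir, resolved);
}

int main(void)
{
    char dir[] = "/tmp/permit_XXXXXX", real_dir[PATH_MAX], target[PATH_MAX + 64];
    if (mkdtemp(dir) == NULL || realpath(dir, real_dir) == NULL)
        return 1;
    /* Constructed target with the same shape as the one in the report. */
    snprintf(target, sizeof target, "%s/not_exist_dir/../etc/passwd", real_dir);
    printf("ignoring failure: %d\n", permit_ignoring_failure(real_dir, target));
    printf("fail closed:      %d\n", permit_fail_closed(real_dir, target));
    rmdir(dir);
    return 0;
}
```

Failing closed also rejects every dangling link, which is the trade-off for never comparing an unverified buffer against the permitted directory list.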

