feature request & patch submit: chroot(2) in sshd

Birger Toedtmann birger at takatukaland.de
Sun Oct 29 23:28:05 EST 2000


On Sun, Oct 29, 2000 at 01:52:58AM -0500, Hank Leininger wrote:
> On 2000-10-24, Birger Toedtmann <birger at takatukaland.de> wrote:
> 
> > Below is a tiny patch to 2.2.0p1 which enhances the sshd-config
> > by two options and, when set, places all users / users of a certain group
> > immediately in their sandbox.
> 
> Cool.  Hm...
> 
> > +       /* Do a chroot, if configured. */
> > +       if (options.use_chroot) {
> > +               if ((!options.chroot_group)
> > +                               || (options.chroot_group ==pw->pw_gid)) {
> > +                       debug("Doing chroot to %s.",pw->pw_dir); +       
> > +                       if (chroot(pw->pw_dir)) {
> > +                               log("Requested chroot failed: [%d] %s\n", 
> > +                               errno,strerror(errno));
> > +                               exit(1);
> > +                       }
> > +                       pw->pw_dir = "/";
> > +               }
> > +       }
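
Review bot: the chroot() call is not followed by a chdir(), so the child's current directory still points outside the new root even though pw->pw_dir is reset to "/"; add `chdir("/")` immediately after the successful chroot() and exit(1) if it fails, handled the same way as the chroot() failure branch above it. Two smaller points in the same hunk: the group test `options.chroot_group == pw->pw_gid` only compares the primary gid, so users who hold the group only as a supplementary group are never jailed; and the jail root is pw->pw_dir, the user's own home directory, so if the user can write there the jail is only as strong as what can be built inside it.
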
> 
> Aren't you missing a 'chdir("/")' in there?  Else you leak '.' outside the
> chroot jail.  (Unless a chdir is guaranteed to be done between here, and
> when user processes get control?)

Well, right beneath this code, session.c switches uid/gid and then sets the 
environment. $HOME is set to pw->pw_dir (already set to "/") and 
$HOME/.ssh/environment gets its share. After this, the chdir() is made....

...hmmm - do you think one might be able to fool .ssh/environment into leaking
information about "."? If this could be done you are quite right about doing 
the chdir() right here, so maybe it should look like this:

> > +                       if (chroot(pw->pw_dir)) {
> > +                               log("Requested chroot failed: [%d] %s\n",
> > +                               errno,strerror(errno));
> > +                               exit(1);
> > +                       }
> > +                       pw->pw_dir = "/";
*                           chdir(pw->pw_dir);
> > +               }
> > +       }
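
Review bot: the added `chdir(pw->pw_dir)` ignores its return value, so a failing chdir() would silently leave '.' outside the jail, which is exactly what the call was added to prevent; check it and exit(1) just like the chroot() branch directly above it (`if (chdir(pw->pw_dir)) { log("chdir failed: [%d] %s", errno, strerror(errno)); exit(1); }`). Doing the chdir() here rather than relying on the later one in session.c also closes the window in which uid/gid switching and the $HOME/.ssh/environment processing run with the old working directory.
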

Then chdir() is made twice, which I found somewhat irritating, but one should
not place beautified code above security ;-)

Alas: I did not manage to get $HOME/.ssh/environment into this kind of "."-
intelligence-gathering, just got me curious. Any suggestions?

Regards,

Birger

--
  Birger Toedtmann, Bielefeld, Germany.
  00 83 E2 57 EC 60 0B 1C  D3 18 AE 2A 40 55 81 22
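
The jail-entry sequence the thread converges on (chroot, then chdir("/"), then drop privileges, every step checked), as an added stand-alone example that is not part of the patch or of OpenSSH; the function names should_chroot() and enter_jail() are hypothetical, and should_chroot() goes beyond the patch by also honouring supplementary group membership rather than only pw->pw_gid:

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Decide whether this login should be jailed.  A chroot_group of 0 means
 * "jail everyone" (mirroring the patch's !options.chroot_group test);
 * otherwise the user must hold the group as primary gid or as one of the
 * supplementary groups (the patch only checked the primary gid). */
int should_chroot(int use_chroot, gid_t chroot_group, gid_t pw_gid,
                  const gid_t *groups, int ngroups)
{
    if (!use_chroot)
        return 0;
    if (chroot_group == 0)
        return 1;
    if (pw_gid == chroot_group)
        return 1;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == chroot_group)
            return 1;
    return 0;
}

/* Enter the jail and drop privileges in the order that avoids the leaked
 * working directory discussed in the thread:
 *     chroot(dir) -> chdir("/") -> setgroups/setgid/setuid.
 * Returns 0 on success, -1 with errno set on failure; the caller is expected
 * to exit(1) on failure just as the patch does after a failed chroot(). */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || dir[0] != '/') {
        errno = EINVAL;            /* refuse relative or missing jail roots */
        return -1;
    }
    if (chroot(dir) != 0)          /* needs root; fails with EPERM otherwise */
        return -1;
    if (chdir("/") != 0)           /* without this '.' still points outside */
        return -1;
    if (setgroups(1, &gid) != 0)   /* drop privileges only once jailed */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;             /* a drop that can be undone is no drop */
        return -1;
    }
    return 0;
}

/* Usage: ./jail /path/to/root UID GID  (run as root; shows the failure
 * reporting a caller would get, e.g. EPERM when not root). */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s DIR UID GID\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        fprintf(stderr, "enter_jail failed: [%d] %s\n", errno, strerror(errno));
        return 1;
    }
    printf("jailed in %s as %s/%s\n", argv[1], argv[2], argv[3]);
    return 0;
}
```

The privilege checks are ordered so that an error leaves the process either fully outside the jail (before chroot) or fully inside it with the working directory already reset; there is no state in which '.' refers to a directory the new root cannot reach.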