chroot howto for sftp-server

Dan Astoorian djast at cs.toronto.edu
Thu Dec 20 02:46:30 EST 2001


On Wed, 19 Dec 2001 02:32:25 EST, "MH - Entwicklung" writes:
> 
> I can see a problem for "trusted" users who login via ssh then 
> manipulate their $HOME and then invoke the chrooted sftp-server. They 
> will be able to access directories they shouldn't have access to. And if 
> file permissions under this directories are set in a lax way this really 
> means that users can access files they shouldn't see at all.

The problem is greater than this: it's an avenue of attack for these
users to *crack root*.  Applying your patch and making sftp-server
setuid-root makes the system less secure, not more; and forgive my
bluntness, but providing instructions that advise people to apply a
half-assed patch with no mention of the potential holes it opens up is
just plain irresponsible.

> The only way to prevent this is to give no shell login to anybody. 

No, a better way to prevent the trusted-$HOME problem is to use the
/etc/passwd entry (i.e., getpwnam(getlogin()) or getpwuid(getuid()))
instead of an environment variable which the user can manipulate.

Ideally there should still be additional sanity checks on the target
directory, but at least this puts the responsibility for ensuring that
the target is secure into the hands of the system administrator.

On that topic, your instructions advise controlling the permissions and
ownership of the ~/.ssh directory, but don't talk about setting up and
controlling the chroot() target or the user's home directory itself at
all.

Also, I think there's already been consensus here that it would be wiser
to chroot() to a subdirectory of the user's home directory, rather than
the home directory itself, in order to avoid an entire class of attacks
(such as manipulating ~/.ssh, uploading dot files which may be used to
cause other programs to run commands, e.g., ~/.bashrc, ~/.forward,
etc.).

> If I'm completely wrong with trusting $HOME please let me know.

You're completely wrong with trusting $HOME.  :-)

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican
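The following is an added illustration of the approach argued for in the message above; it is example code written for this page, not the patch under discussion and not OpenSSH's sftp-server. It takes the jail path from getpwuid(getuid()) rather than $HOME, chroots to a subdirectory below the home directory rather than the home directory itself, refuses a jail unless every directory from / down to it is root-owned and writable by root only (so the user cannot swap a component for a symlink), and verifies that root cannot be regained after privileges are dropped. The subdirectory name "sftp", the helper names and the "root-owned, non-writable" rule are assumptions made for the example.

```c
/*
 * Added example, not OpenSSH's sftp-server code: resolve a chroot jail for
 * the calling user from the passwd database instead of $HOME, refuse a jail
 * the user could tamper with, and drop privileges in the right order.
 * JAIL_SUBDIR and the helper names are assumptions of this example.
 * Build: cc -Wall -o jail jail.c   (chroot() itself needs root to succeed.)
 */
#define _GNU_SOURCE 1          /* glibc: declares setgroups(), lstat(), PATH_MAX */
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_SUBDIR "sftp"     /* assumed: chroot to ~/sftp, never to ~ itself */

/* Rule applied to every directory on the way to the jail: owned by root and
 * writable only by root.  A user-owned or group/world-writable component lets
 * the user rename it and drop a symlink in its place before we chroot(). */
int dir_mode_ok(uid_t owner, mode_t mode)
{
    if (!S_ISDIR(mode))
        return 0;                            /* symlink, file, or missing */
    if (owner != 0)
        return 0;                            /* user could rename it */
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;                            /* someone other than root can write */
    return 1;
}

/* Build "<pw_dir>/sftp" from the passwd home directory.  Callers pass
 * getpwuid(getuid())->pw_dir; getenv("HOME") is deliberately never read. */
int jail_path_for_home(const char *home, char *out, size_t outlen)
{
    int n;

    if (home == NULL || home[0] != '/')
        return -1;                           /* missing or relative home: refuse */
    n = snprintf(out, outlen, "%s/%s", home, JAIL_SUBDIR);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                           /* would have been truncated */
    return 0;
}

/* lstat() every prefix of path ("/", "/home", "/home/alice", ...) and apply
 * dir_mode_ok() to each.  lstat() rather than stat() so that a symlink put
 * in place of a directory fails the S_ISDIR test instead of being followed. */
int path_is_trustworthy(const char *path)
{
    char prefix[PATH_MAX];
    struct stat st;
    size_t len = strlen(path);
    size_t i;

    if (len == 0 || len >= sizeof prefix || path[0] != '/')
        return 0;
    for (i = 1; i <= len; i++) {
        /* i == 1 is "/" itself; otherwise stop just before each '/' and at the end */
        if (i != 1 && i < len && path[i] != '/')
            continue;
        memcpy(prefix, path, i);
        prefix[i] = '\0';
        if (lstat(prefix, &st) != 0)
            return 0;
        if (!dir_mode_ok(st.st_uid, st.st_mode))
            return 0;
    }
    return 1;
}

/* Sequence for a setuid-root helper: look the user up by uid, verify the
 * jail, chroot(), and only then give up root for good. */
int enter_jail(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    struct passwd *pw = getpwuid(uid);   /* not getenv("HOME") */
    char jail[PATH_MAX];

    if (pw == NULL) {
        fprintf(stderr, "no passwd entry for uid %lu\n", (unsigned long)uid);
        return -1;
    }
    if (jail_path_for_home(pw->pw_dir, jail, sizeof jail) != 0)
        return -1;
    if (!path_is_trustworthy(jail)) {
        fprintf(stderr, "refusing chroot: %s is not root-owned and root-writable only\n", jail);
        return -1;
    }
    if (chroot(jail) != 0 || chdir("/") != 0) {  /* chdir("/") or we are still outside */
        perror("chroot");
        return -1;
    }
    /* Supplementary groups first, then gid, then uid: once setuid() has run,
     * the other two calls would no longer be permitted. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) {
        perror("drop privileges");
        return -1;
    }
    if (setuid(0) == 0) {                /* must fail; do not assume, check */
        fprintf(stderr, "privilege drop failed: root regained\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    if (enter_jail() != 0)
        return 1;
    printf("jailed and running as uid %lu\n", (unsigned long)getuid());
    return 0;                            /* an sftp loop would start here */
}
```

With this rule the user's home directory is itself root-owned, and the user writes only inside a further subdirectory below the jail (for instance ~/sftp/upload), which also keeps ~/.ssh, ~/.bashrc and ~/.forward outside anything the chrooted process can reach.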



More information about the openssh-unix-dev mailing list