sftp-server and chroot

Dan Astoorian djast at cs.toronto.edu
Fri Dec 28 02:18:19 EST 2001


On Thu, 27 Dec 2001 09:02:13 EST, "Jonas Lehmann" writes:
> 
> 'sftpsh' is primitive and only performs two tasks.  First it changes the 
> root directory to the user's home directory (chroot($HOME)) and then it 
> exec's the 'sftp-server'.   Since chroot() can only be invoked successfully 
> as root, 'sftpsh' unfortunately has to run as root.  The first thing 
> 'sftpsh' does is chroot() followed by resetting the uid/gid.

This program, like the sftp-server.c patch recently posted to this list,
is potentially a huge security hole, and IMHO should not be used in its
present form.

There's a *reason* you have to be root in order to use the chroot()
system call.

This program lets any user on the system chroot() to an arbitrary
directory under the user's control by setting the HOME environment
variable.  This can quickly lead to a root compromise, e.g., by creating
hard links to privileged programs which expect to be run under the real
filesystem root (or at least a secure one).

Also:
- the program doesn't check whether the chdir() after the chroot is
  successful;
- the code which attempts to reset the uid/gids has a number of
  problems, which I won't go into here.

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican
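As an added illustration of the argument above (example code written for this page, not sftpsh's source and not part of OpenSSH), here is the shape a setuid-root chroot wrapper has to take if it is to avoid the three problems raised: it takes the jail from the password database for the real uid rather than from the caller-controlled HOME variable, it refuses any jail that is not a root-owned, non-world/group-writable directory (so the user cannot pre-populate it with hard links to privileged binaries), it checks the chdir() after the chroot(), and it verifies that root privileges are really gone before exec'ing. The jail layout (a static sftp-server at /bin/sftp-server inside the jail) and the nobody-style uid used in the usage call are assumptions of the example, not anything described in the post.

```c
/* Added example, not sftpsh's code: a setuid-root chroot wrapper built
 * the way the post argues it should be. Assumptions (not from the post):
 * the administrator has created a root-owned jail per user containing a
 * statically linked sftp-server at <jail>/bin/sftp-server. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* A jail root is acceptable only if it is a directory owned by root that
 * neither group nor others can write to. Anything the invoking user can
 * write to is exactly the attack the post describes: they populate it
 * (hard links to setuid programs, a fake /etc, a fake /lib) before the
 * wrapper chroots into it. Returns 1 if acceptable, 0 otherwise. */
int jail_dir_acceptable(mode_t mode, uid_t owner)
{
    if (!S_ISDIR(mode))
        return 0;
    if (owner != 0)
        return 0;
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Drop root for good: supplementary groups first, then gid, then uid,
 * each call checked, and finally confirm root cannot be regained.
 * Returns 0 on success, -1 on any failure (fail closed). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(uid) != 0 || getuid() != uid || geteuid() != uid)
        return -1;
    /* If the saved uid were still 0 this would succeed; that is a bug. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Open the jail, validate the directory we actually opened (no TOCTOU
 * between a stat() and the chroot()), fchdir into it, chroot("."),
 * then chdir("/") and check it, then drop privileges.
 * Returns 0 on success, -1 with errno set on failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !jail_dir_acceptable(st.st_mode, st.st_uid)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    if (fchdir(fd) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    if (chroot(".") != 0)
        return -1;
    /* Without a checked chdir() after chroot() the cwd may still point
     * outside the jail and the chroot is trivially escaped. */
    if (chdir("/") != 0)
        return -1;
    return drop_privileges(uid, gid);
}

int main(void)
{
    /* The real uid identifies the invoking user even when this binary is
     * setuid root; HOME is never consulted. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        fprintf(stderr, "no passwd entry for uid %lu\n", (unsigned long)getuid());
        return 1;
    }
    if (enter_jail(pw->pw_dir, pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "refusing to chroot into %s: %s\n", pw->pw_dir, strerror(errno));
        return 1;
    }
    /* Path is relative to the jail root; an assumption of this example. */
    execl("/bin/sftp-server", "sftp-server", (char *)NULL);
    perror("execl");
    return 1;
}
```

The ownership rule is the non-obvious part: it means the user's home directory itself cannot be writable by the user, so a usable layout puts a writable subdirectory under a root-owned jail root. OpenSSH's later ChrootDirectory option enforces the same root-owned, not-group/world-writable requirement for the same reason.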


