chroot'd SFTP

Jefferson Ogata Jefferson.Ogata at
Wed Aug 1 07:42:52 EST 2007

On 2007-07-31 12:00, Richard Storm wrote:
> Thanks, I got now. Local/remote users with shell access can chroot in
> any dir they want. However, is this security problem, since after that
> privs are dropped and unix permissions are in effect...

Yes, generally, allowing users to chroot to a directory of their choice
is a very serious security problem.

If you can chroot to a directory you construct, you can get root privs
by fooling setuid programs using forged shared libraries or library
preloading, explicit reconfiguration (e.g. /etc/passwd, /etc/sudoers),
or various other tactics. Note that if you can construct a directory on
a filesystem that has existing setuid binaries, you can incorporate such
a binary into your chroot area using a hard link.

Jefferson Ogata <Jefferson.Ogata at>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at>
"Never try to retrieve anything from a bear."--National Park Service

More information about the openssh-unix-dev mailing list