ftp-server patch - restrict user to directory

Jefferson Ogata Jefferson.Ogata at noaa.gov
Mon Nov 12 10:52:59 EST 2007

On 2007-11-11 23:29, Alain Williams wrote:
> 	/* It is possible, if unlikely, that the restricted directory will have been specified with
> 	 * a symlink or .. in it. That will totally blow comparisions in allowed_access(). Resolve this.
> 	 */

The likelihood that the restricted directory path will contain a symlink
or .. is completely unknown to your patch. In some organizations, the
likelihood may be as high as 1.

realpath() requires readability on all parent directories, which is also
not guaranteed.

You could get closer to your desired behavior by doing a stat on the
restricted directory, then iteratively calling stat(2) the directory
containing the resolved name and checking for identity (device+inode)
with the restricted directory, working your way back directory
components until either identity is found (allow) or the resolved path
is empty (disallow). This emulates what realpath(3) does without having
to generate the actual return path, and works because you can stat(2) a
directory you can traverse but not read.

Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service

More information about the openssh-unix-dev mailing list