sshd_config ChrootDirectory ambiguity...

Scott Neugroschl scott_n at xypro.com
Fri Nov 6 06:48:17 EST 2009


Quoth Robert Waite:
> 
> Under "ChrootDirectory" there is a line that says,
> 
> "This path, and all its components, must be root-owned directories
> that are not writable by any other user or group."
> 
> When I first read this "all its components" seemed to mean that
> all directories and files within this directory must be root owned
> and root only writable. This seemed odd as I would not be able
> to allow uploads if this was true.
> 
> In this ChrootDirectory I have three folders. I set them all to be
> owned by a non root user and writable by a group. When I log in, it
> works just as I hoped and I am able to upload now.
> I would have figured at the very least that "all its components" would
> mean that direct children of the ChrootDirectory would have to have the
> above mentioned restrictions. However, it did work.
> 
> So my question is... what is meant by "all its components"?

[[SAN]] 
If the chrooted path is /a/b/c/d/e, then all of /a, /a/b, /a/b/c, /a/b/c/d,
and /a/b/c/d/e must be owned by root, and only root writable.

Otherwise, it's possible to spoof, by $EVILUSER renaming /a/b/c to /a/b/c.real
and putting their own evil /a/b/c in place.

I did this once (with management permission), when we needed root access to a
system, the admin wasn't available, and he'd foolishly left / as world
writeable. I renamed /etc, created a new /etc with a dummy /etc/passwd, and
logged in as root.

Ugly, and should never have been possible, but it worked.
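
The component rule from the reply above, as an added example that is not part of the original message and is not OpenSSH's own code: it walks every prefix of the chroot path and reports any that is not a root-owned directory or is writable by group or other. The function names, the `stat_fn` parameter and the sample tree are assumptions made for illustration; the walk also includes `/` itself, since the anecdote above turns on `/` being world-writable.

```python
import os
import stat
import sys
from types import SimpleNamespace

def components(path):
    """Yield every prefix of an absolute path: /, /a, /a/b, ..."""
    if not os.path.isabs(path):
        raise ValueError("ChrootDirectory must be an absolute path")
    current = "/"
    yield current
    for part in os.path.normpath(path).split("/"):
        if part:
            current = os.path.join(current, part)
            yield current

def audit_chroot_path(path, stat_fn=os.stat):
    """Return (component, reason) for each component that breaks the rule."""
    findings = []
    for comp in components(path):
        st = stat_fn(comp)
        if not stat.S_ISDIR(st.st_mode):
            findings.append((comp, "not a directory"))
        if st.st_uid != 0:
            findings.append((comp, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((comp, "group/other writable, mode %o" % mode))
    return findings

def _dir(mode, uid):
    return SimpleNamespace(st_mode=stat.S_IFDIR | mode, st_uid=uid)

# Constructed sample tree (not from the post): /a/b is group-writable,
# /a/b/c belongs to uid 1000, and the upload directory sits below the chroot.
SAMPLE = {
    "/": _dir(0o755, 0), "/a": _dir(0o755, 0), "/a/b": _dir(0o775, 0),
    "/a/b/c": _dir(0o755, 1000), "/a/b/c/d": _dir(0o755, 0),
    "/a/b/c/d/e": _dir(0o755, 0), "/a/b/c/d/e/uploads": _dir(0o775, 1000),
}

if __name__ == "__main__":
    # With an argument, audit that real path; otherwise use the sample tree.
    args = sys.argv[1:] or ["/a/b/c/d/e", SAMPLE.__getitem__]
    for comp, reason in audit_chroot_path(*args):
        print("%s: %s" % (comp, reason))
```

The user-owned, group-writable `uploads` directory is never examined because it lies below the chroot path rather than on it, which is why the setup described in the question works.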



More information about the openssh-unix-dev mailing list