AW: chroot directory ownership
Roman.Fiedler at ait.ac.at
Wed Feb 22 01:34:32 EST 2012
> Just one example.
> If the user is the owner of /, he could move away /etc and replace it with
> its own one, providing a /etc/passwd under its control.
> You may think a user-owned chroot is not a problem for your setup, and it
> may not be, or there may be a way you don't yet known (or opened by a
> change). Having a root-owned / is *much* safer.
With sftp, most likely attack scenario might be local code execution, where user had only sftp access. With user-writeable chroot, minor programming errors might allow such a task, e.g.
* sftp or libc might load locale info or translations from untrusted files (changing normal print to format string vuln)
* Buffer overflows reading locale/translation file info, e.g. by placing a 4GB+something locale files
* A memory error, e.g. double free, in sftp - which would have be caught by libc -- might trigger loading of another shared library, e.g. the result in http://www.cvedetails.com/cve/CVE-2012-0031/
These additional attacks are not possible with non-writeable root.
More information about the openssh-unix-dev