AW: chroot directory ownership

Fiedler Roman Roman.Fiedler at
Wed Feb 22 01:34:32 EST 2012

> Just one example.
> If the user is the owner of /, he could move away /etc and replace it with
> its own one, providing a /etc/passwd under its control.
> You may think a user-owned chroot is not a problem for your setup, and it
> may not be, or there may be a way you don't yet known (or opened by a
> config
> change). Having a root-owned / is *much* safer.

With sftp, most likely attack scenario might be local code execution, where user had only sftp access. With user-writeable chroot, minor programming errors might allow such a task, e.g.

* sftp or libc might load locale info or translations from untrusted files (changing normal print to format string vuln)
* Buffer overflows reading locale/translation file info, e.g. by placing a 4GB+something locale files
* A memory error, e.g. double free, in sftp - which would have be caught by libc -- might trigger loading of another shared library, e.g. the result in

These additional attacks are not possible with non-writeable root.

Kind regards,

More information about the openssh-unix-dev mailing list