Relaxing strict chroot checks on recent Linux kernels?
Damien Miller
djm at mindrot.org
Tue Feb 5 08:23:20 EST 2013
On Mon, 4 Feb 2013, Andy Lutomirski wrote:
> > I probably wouldn't want to rely on it
> > though, as there are probably bad things that can be done even without
> > raising privs in the process that launches the attack. E.g. rewrite
> > /etc/ld.so.preload. Remember that ChrootDirectory isn't just for sftp.
>
> Sure it is -- I'm using ForceCommand internal-sftp. I agree that if
> there's any way to get a non-no_new_privs program in a writable chroot
> then there's a privilege escalation, but I only want sftp.
You might only want sftp, but like I said: ChrootDirectory is more general
and has to support other uses.
-d