Relaxing strict chroot checks on recent Linux kernels?

Andy Lutomirski luto at amacapital.net
Tue Feb 5 08:45:27 EST 2013


On Mon, Feb 4, 2013 at 1:23 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 4 Feb 2013, Andy Lutomirski wrote:
>
>> > I probably wouldn't want to rely on it
>> > though, as there are probably bad things that can be done even without
>> > raising privs in the process that launches the attack. E.g. rewrite
>> > /etc/ld.so.preload. Remember that ChrootDirectory isn't just for sftp.
>>
>> Sure it is -- I'm using ForceCommand internal-sftp.  I agree that if
>> there's any way to get a non-no_new_privs program in a writable chroot
>> then there's a privilege escalation, but I only want sftp.
>
> You might only want sftp, but like I said: ChrootDirectory is more general
> and has to support other uses.

Do the permission checks have to be the same in the ForceCommand
internal-sftp case, as compared to the general ChrootDirectory case?

--Andy
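As an added illustration of the "strict chroot checks" the thread is discussing (this is not code from the thread or from OpenSSH), the function below walks a ChrootDirectory path and reports every component that breaks the rule sshd enforces before chrooting: each directory must be root-owned and must not be group- or world-writable, which is what keeps an unprivileged user from planting files such as etc/ld.so.preload inside the jail. The `base` and `required_uid` parameters are assumptions added so the check can be demonstrated on a constructed temporary tree without root.

```python
import os
import stat
import tempfile


def check_chroot_components(path, required_uid=0, base=os.sep):
    """Walk from `base` down to `path` and report components that would
    make sshd refuse the directory as a ChrootDirectory.

    Rule illustrated: every directory on the way to the chroot is owned by
    root (required_uid 0) and is not group- or world-writable. `base` is
    an assumption for demo purposes; for a real audit leave it at "/".
    Returns a list of human-readable problems; an empty list means OK.
    """
    problems = []
    path = os.path.abspath(path)
    base = os.path.abspath(base)
    if path != base and not path.startswith(base.rstrip(os.sep) + os.sep):
        return [f"{path}: not below {base}"]
    # Every prefix of the path from base downwards, base included.
    rel = path[len(base):].strip(os.sep)
    components = [base]
    for part in [p for p in rel.split(os.sep) if p]:
        components.append(os.path.join(components[-1], part))
    for comp in components:
        try:
            st = os.stat(comp)
        except OSError as exc:
            problems.append(f"{comp}: {exc.strerror}")
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != required_uid:
            problems.append(f"{comp}: owned by uid {st.st_uid}, expected {required_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"{comp}: group- or world-writable (mode {mode:04o})")
    return problems


if __name__ == "__main__":
    # Constructed demo tree: one acceptable jail, one that a group could write to.
    root = tempfile.mkdtemp()
    for name, mode in (("jail", 0o755), ("jail-rw", 0o775)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # chmod so umask does not interfere
        result = check_chroot_components(os.path.join(root, name), os.getuid(), base=root)
        print(name, "->", result or "ok")
```

Run as root with the defaults (`required_uid=0`, `base="/"`) it checks a real ChrootDirectory the way sshd would, including the directory's ancestors.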

