SFTP chroot: Writable root
Jakub Jelen
jjelen at redhat.com
Sat Jan 6 01:35:55 AEDT 2018
On Fri, 2018-01-05 at 21:42 +1030, David Newall wrote:
> On 05/01/18 20:06, Jakub Jelen wrote:
> > if the confined user has write access to the chroot directory,
> > there are ways how to get out, gain privileges and or do other
> > nasty things.
>
> I'm not inexperienced with UNIX and unix-like operating systems (30+
> years), and I can't think what these ways are. Although clearly
> off-topic, I wonder if you could expound on this?
I am not experienced to be able to demonstrate all of the cases, but
there might be others who are.
But clearly, the description of the CVE 2009-2904 [1] talks about
attack vector with hardlinks and suid programs. Though I didn't
investigate it further.
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
More information about the openssh-unix-dev
mailing list