SFTP chroot: Writable root

Jakub Jelen jjelen at redhat.com
Sat Jan 6 01:35:55 AEDT 2018


On Fri, 2018-01-05 at 21:42 +1030, David Newall wrote:
> On 05/01/18 20:06, Jakub Jelen wrote:
> > if the confined user has write access to the chroot directory,
> > there are ways how to get out, gain privileges and or do other
> > nasty things.
> 
> I'm not inexperienced with UNIX and unix-like operating systems (30+ 
> years), and I can't think what these ways are.  Although clearly 
> off-topic, I wonder if you could expound on this?

I am not experienced to be able to demonstrate all of the cases, but
there might be others who are.

But clearly, the description of the CVE 2009-2904 [1] talks about
attack vector with hardlinks and suid programs. Though I didn't
investigate it further.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.



More information about the openssh-unix-dev mailing list