SFTP chroot: Writable root

Colin Watson cjwatson at debian.org
Sat Jan 6 01:38:46 AEDT 2018


On Fri, Jan 05, 2018 at 09:42:18PM +1030, David Newall wrote:
> On 05/01/18 20:06, Jakub Jelen wrote:
> > if the confined user has write access to the chroot directory,
> > there are ways to get out, gain privileges and/or do other
> > nasty things.
> 
> I'm not inexperienced with UNIX and unix-like operating systems (30+ years),
> and I can't think what these ways are.  Although clearly off-topic, I wonder
> if you could expound on this?

The attack involves being able to create hard links inside the chroot
referring to setuid programs outside the chroot.  If you can do that
then you can e.g. make a hard link to the external /bin/su, construct
your own /etc/passwd and so on, and thereby gain root inside the chroot.
Chroots are easily escapable by root (e.g.
https://filippo.io/escaping-a-chroot-jail-slash-1/).

The particular case Jakub is referring to is:

  https://bugzilla.redhat.com/show_bug.cgi?id=522141

https://lists.mindrot.org/pipermail/openssh-unix-dev/2008-November/026981.html
has some recommendations for making the default directory that users
start in be writable in a less dangerous way.

-- 
Colin Watson                                       [cjwatson at debian.org]
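The two conditions discussed above, as an added example that is not part of this thread and not OpenSSH's own code: a POSIX shell script that audits a proposed ChrootDirectory the way sshd's own sanity check does (every path component must be owned by root and have neither the group nor the world write bit set), lists setuid/setgid files inside the chroot that carry more than one hard link (the alias-to-an-external-setuid-binary pattern Colin describes), and lays out a root-owned chroot with a user-owned writable subdirectory. The layout in `make_chroot_layout`, the directory names `jail` and `upload`, and all function names are my own assumptions, not the recommendations from the referenced 2008 post.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH.
# Audits an sshd ChrootDirectory for the conditions sshd itself requires
# and looks for hard-linked setuid files inside it.

# check_chroot_path DIR
# Walks DIR and every parent up to /. Prints one line per problem and
# returns 1 if any problem was found, 0 otherwise. Mirrors sshd's rule:
# every component must be root-owned and not group- or world-writable.
check_chroot_path() {
    _p=$1
    _rc=0
    while :; do
        # -prune stops find from descending, so only the component itself is tested
        if [ -n "$(find "$_p" -prune ! -user root -print 2>/dev/null)" ]; then
            echo "NOT-ROOT-OWNED: $_p"; _rc=1
        fi
        if [ -n "$(find "$_p" -prune -perm -002 -print 2>/dev/null)" ]; then
            echo "WORLD-WRITABLE: $_p"; _rc=1
        fi
        if [ -n "$(find "$_p" -prune -perm -020 -print 2>/dev/null)" ]; then
            echo "GROUP-WRITABLE: $_p"; _rc=1
        fi
        [ "$_p" = / ] && break
        _p=$(dirname "$_p")
    done
    return $_rc
}

# find_setuid_hardlinks DIR
# Lists regular files under DIR that are setuid or setgid and have more
# than one hard link. Inside a chroot such a file is very likely an alias
# of a privileged binary elsewhere on the same filesystem.
find_setuid_hardlinks() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -links +1 -print
}

# make_chroot_layout CHROOT USER   (assumed layout; must run as root)
# The chroot root stays root-owned and mode 755 so sshd accepts it; the
# user gets a private writable subdirectory beneath it.
make_chroot_layout() {
    _chroot=$1
    _user=$2
    mkdir -p "$_chroot/upload"
    chown root "$_chroot"
    chmod 755 "$_chroot"
    chown "$_user" "$_chroot/upload"
    chmod 700 "$_chroot/upload"
}

# Usage:  sh thisfile.sh /srv/jail
#   0 -> chroot path acceptable and no hard-linked setuid files found
if [ -n "$1" ]; then
    check_chroot_path "$1" || exit 1
    _links=$(find_setuid_hardlinks "$1")
    if [ -n "$_links" ]; then
        echo "SETUID-HARDLINK:"
        echo "$_links"
        exit 1
    fi
fi
```

Run the script against a candidate chroot before enabling it in `sshd_config`; any line of output is a reason sshd will refuse the chroot or a sign that someone has already planted a hard link inside it.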