SFTP chroot: Writable root
David Newall
openssh at davidnewall.com
Sat Jan 6 03:13:51 AEDT 2018

On 06/01/18 01:05, Jakub Jelen wrote:
> the description of the CVE 2009-2904 [1] talks about
> attack vector with hardlinks and suid programs. Though I didn't
> investigate it further.
>
> [1]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904

Yes, of course, that requires users to also have access outside of the
chroot, as well as the ability to execute an arbitrary command within
it. It doesn't appear to be a problem where ForceProgram sftp-server is
effective.

I note that Ubuntu 16 (I assume some others, too) refuses to hard link a
file to which the user cannot write. I don't remember if that is
traditional behaviour; I think not; it's probably SELinux.

Even without SELinux's protection, I'm still not seeing a risk when the
user has no access outside of the chroot (by which I include having no
ally with said access). Is there more to the risk?

Bringing this back on topic, to the question that was originally
asked: the above reference shows that there is more to consider than
just what's in a chroot, and so providing a writable root is not to be
encouraged; however, if it is essential to allow an SFTP account to have
write access to its root (I doubt that there is an essential need),
putting the chroot on a separate filesystem, mounted with noexec, should
also be considered.
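
The separate-filesystem and noexec suggestion at the end of the message can be checked mechanically. The following is an added example, not part of the original post: a shell function that reports whether a chroot directory sits on its own filesystem mounted noexec. The function names, paths and sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the mount that backs an SFTP chroot directory.
# check_chroot_mount DIR [MOUNTS_FILE]
# MOUNTS_FILE uses the /proc/mounts layout: device mountpoint fstype options ...
# Prints "ok" or one reason per line; returns 0 only when both checks pass.
check_chroot_mount() {
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    mounts=${2:-/proc/mounts}
    best=""; opts=""
    while read -r _dev mp _type mopts _rest; do
        case "$dir/" in
            "${mp%/}/"*)
                # Longest mount point containing DIR wins; later entries override.
                if [ "${#mp}" -ge "${#best}" ]; then best=$mp; opts=$mopts; fi ;;
        esac
    done < "$mounts"
    rc=0
    if [ -z "$best" ] || [ "$best" = "/" ]; then
        echo "not-separate-filesystem"; rc=1
    fi
    case ",$opts," in
        *,noexec,*) ;;
        *) echo "missing-noexec"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "ok"
    return "$rc"
}

# Constructed sample in /proc/mounts layout (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/sftp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /srv/sftp2 ext4 rw,relatime 0 0
EOF
}

tmp=$(mktemp); sample_mounts > "$tmp"
for d in /srv/sftp/alice /srv/sftp2/bob /home/carol; do
    printf '%s: %s\n' "$d" "$(check_chroot_mount "$d" "$tmp" | tr '\n' ' ')"
done
rm -f "$tmp"
```

Called with only a directory argument, the function reads the live mount table from /proc/mounts.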