On Fri, 2018-01-05 at 16:00 +1030, David Newall wrote:
> On 05/01/18 02:44, Thomas Güttler wrote:
> > I set up a chroot sftp server [...]
> > Is there a way to get both?
> >
> > - chroot
> >
> > - writable root
>
> The source code (sftpd.c) seems to require that the root directory be
> owned by root and not group or world writable, so I think, no, not
> unless you make local source changes.

Yes, you are right. The chroot directory can not be writable. We were there once and they called it CVE-2009-2904.

In short, if the confined user has write access to the chroot directory, there are ways to get out, gain privileges and/or do other nasty things. You should not do that.

If you aim for the end-user comfort that he does not have to change directory before uploading/downloading files, there is a -d switch to the sftp-server, which changes the start directory after startup automatically.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
On 05/01/18 20:06, Jakub Jelen wrote:
> if the confined user has write access to the chroot directory,
> there are ways how to get out, gain privileges and or do other
> nasty things.

I'm not inexperienced with UNIX and unix-like operating systems (30+ years), and I can't think what these ways are. Although clearly off-topic, I wonder if you could expound on this?
On Fri, 2018-01-05 at 21:42 +1030, David Newall wrote:
> On 05/01/18 20:06, Jakub Jelen wrote:
> > if the confined user has write access to the chroot directory,
> > there are ways how to get out, gain privileges and or do other
> > nasty things.
>
> I'm not inexperienced with UNIX and unix-like operating systems (30+
> years), and I can't think what these ways are. Although clearly
> off-topic, I wonder if you could expound on this?

I am not experienced enough to be able to demonstrate all of the cases, but there might be others who are. But clearly, the description of CVE-2009-2904 [1] talks about an attack vector with hardlinks and suid programs, though I didn't investigate it further.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
On Fri, Jan 05, 2018 at 09:42:18PM +1030, David Newall wrote:
> On 05/01/18 20:06, Jakub Jelen wrote:
> > if the confined user has write access to the chroot directory,
> > there are ways how to get out, gain privileges and or do other
> > nasty things.
>
> I'm not inexperienced with UNIX and unix-like operating systems (30+ years),
> and I can't think what these ways are. Although clearly off-topic, I wonder
> if you could expound on this?

The attack involves being able to create hard links inside the chroot referring to setuid programs outside the chroot. If you can do that then you can e.g. make a hard link to the external /bin/su, construct your own /etc/passwd and so on, and thereby gain root inside the chroot. Chroots are easily escapable by root (e.g. https://filippo.io/escaping-a-chroot-jail-slash-1/).

The particular case Jakub is referring to is:

https://bugzilla.redhat.com/show_bug.cgi?id=522141

https://lists.mindrot.org/pipermail/openssh-unix-dev/2008-November/026981.html has some recommendations for making the default directory that users start in be writable in a less dangerous way.

--
Colin Watson [cjwatson at debian.org]
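As an added example (not code from this thread or from OpenSSH itself), the rule Jakub states at the top, that the chroot directory and every parent must be root-owned and not group or world writable, written as a check an administrator can run over an intended ChrootDirectory before enabling it, alongside the safer layout Colin points to: a root-owned chroot with a user-writable subdirectory as the start directory. The `stat_fn` hook, `FAKE_TREE`, uid 1000 and the /srv/... paths are my own constructed assumptions so the check runs offline; the real check lives in sshd, this only mirrors the stated rule.

```python
import os
import stat
from types import SimpleNamespace
from pathlib import PurePosixPath

def chroot_path_problems(chroot, stat_fn=os.lstat):
    """List what disqualifies `chroot` as an sftp ChrootDirectory: it and
    every parent must be a directory owned by root and not group/world
    writable. Empty list = passes. `stat_fn` is injectable for testing."""
    p = PurePosixPath(chroot)
    if not p.is_absolute():
        return [f"{chroot}: must be an absolute path"]
    problems = []
    for i in range(1, len(p.parts) + 1):        # "/", "/srv", "/srv/sftp", ...
        component = str(PurePosixPath(*p.parts[:i]))
        try:
            st = stat_fn(component)
        except OSError as e:
            problems.append(f"{component}: cannot stat ({e.strerror})")
            break
        if not stat.S_ISDIR(st.st_mode):      # lstat: a symlinked component is rejected too
            problems.append(f"{component}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{component}: owned by uid {st.st_uid}, must be root (uid 0)")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{component}: group/world writable (mode {st.st_mode & 0o7777:04o})")
    return problems

# Constructed tree (not a real system); uid 1000 is the confined user.
# /srv/bad is the "writable root" layout from the question; /srv/good is the
# safer layout: root-owned chroot with a user-writable subdirectory that
# "-d /upload" selects as the start directory.
FAKE_TREE = {
    "/":                (0,    stat.S_IFDIR | 0o755),
    "/srv":             (0,    stat.S_IFDIR | 0o755),
    "/srv/bad":         (1000, stat.S_IFDIR | 0o755),
    "/srv/gw":          (0,    stat.S_IFDIR | 0o775),   # root-owned but group-writable
    "/srv/good":        (0,    stat.S_IFDIR | 0o755),
    "/srv/good/upload": (1000, stat.S_IFDIR | 0o755),
}

def fake_lstat(path):
    if path not in FAKE_TREE:
        raise FileNotFoundError(2, "No such file or directory", path)
    uid, mode = FAKE_TREE[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    for root in ("/srv/bad", "/srv/gw", "/srv/good"):
        print(root, chroot_path_problems(root, fake_lstat) or "OK")
```

Run against a live system with the default `stat_fn` (`chroot_path_problems("/srv/sftp")`) to audit a real ChrootDirectory; only `/srv/good` passes in the constructed tree.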