bugzilla-daemon at mindrot.org
2025-May-22 01:32 UTC
[Bug 3825] New: SFTP soft link security problem
https://bugzilla.mindrot.org/show_bug.cgi?id=3825

    Bug ID: 3825
    Summary: SFTP soft link security problem
    Product: Portable OpenSSH
    Version: 9.9p1
    Hardware: Other
    OS: Linux
    Status: NEW
    Severity: security
    Priority: P5
    Component: sftp
    Assignee: unassigned-bugs at mindrot.org
    Reporter: bty at mail.ustc.edu.cn

When we use the /usr/local/etc/other_sftppermit.config file to restrict the directories that users can access via sftp, the following soft links can still be successfully created by running the soft link command:

    ln -s /permit_dir/not_exist_dir/../etc/passwd test

You can run the mkdir command to create the not_exist_dir directory.

The consequences are:
1. The test command cannot be used in SFTP to access the /etc/passwd file without permission.
2. After logging in to the local system through SSH, you can use test to access /etc/passwd, which poses security risks.

The technical reasons are:
When the realpath function verifies a non-existent path (/permit_dir/not_exist_dir/../etc/passwd), the return value is null. However, the two parameters fill in the parsed non-existent path (/permit_dir/not_exist_dir), which is in the SFTP trustlist. Therefore, you can create a soft link. If not_exist_dir is created, realpath can obtain the file to which the soft link points. Therefore, the file without permission cannot be accessed in SFTP.

--
You are receiving this mail because:
You are watching the assignee of the bug.
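An added illustration of the realpath() behaviour the report above describes; it is not part of the thread and is neither OpenSSH code nor the reporter's permit-list code. It assumes glibc, which documents that a call failing with ENOENT leaves the non-existent prefix in the output buffer (POSIX leaves the buffer undefined on failure); the function names and the temporary directory standing in for /permit_dir are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 if path is dir itself or lies beneath it, matched on a component boundary. */
static int under_dir(const char *path, const char *dir) {
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Pattern described in the report: realpath()'s NULL return goes unnoticed and
 * the output buffer, holding only the non-existent prefix, is what gets tested. */
int weak_permitted(const char *target, const char *permit_dir) {
    char resolved[PATH_MAX] = "";
    char *r = realpath(target, resolved);
    (void)r;                               /* failure is ignored */
    return under_dir(resolved, permit_dir);
}

/* Fail closed: refuse any target that does not resolve completely. */
int strict_permitted(const char *target, const char *permit_dir) {
    char resolved[PATH_MAX];
    if (realpath(target, resolved) == NULL) return 0;
    return under_dir(resolved, permit_dir);
}

/* Constructed scenario. out[0], out[1]: weak and strict verdicts on
 * <dir>/not_exist_dir/../etc/passwd; out[2]: strict verdict on a real file. */
int run_demo(int out[3]) {
    char tmpl[] = "/tmp/permit_dir.XXXXXX", dir[PATH_MAX], t[PATH_MAX + 64];
    if (!mkdtemp(tmpl) || !realpath(tmpl, dir)) return -1;
    snprintf(t, sizeof t, "%s/not_exist_dir/../etc/passwd", dir);
    out[0] = weak_permitted(t, dir);
    out[1] = strict_permitted(t, dir);
    snprintf(t, sizeof t, "%s/ok.txt", dir);
    FILE *f = fopen(t, "w"); if (f) fclose(f);
    out[2] = strict_permitted(t, dir);
    remove(t); rmdir(dir);
    return 0;
}

int main(void) {
    int v[3];
    if (run_demo(v) != 0) return 1;
    printf("weak=%d strict=%d strict_existing=%d\n", v[0], v[1], v[2]);
    return 0;
}
```

The strict check also refuses links to targets that do not exist yet, and it only covers the moment of creation: the link text is stored as given and is resolved again on every later access.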
bugzilla-daemon at mindrot.org
2025-May-22 01:44 UTC
[Bug 3825] SFTP soft link security problem
https://bugzilla.mindrot.org/show_bug.cgi?id=3825

Darren Tucker <dtucker at dtucker.net> changed:

    What |Removed |Added
    ----------------------------------------------------------------------------
    CC   |        |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to bitianyuan from comment #0)
> When we use the /usr/local/etc/other_sftppermit.config file to

That's not a file that's part of OpenSSH. What is in it?

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.