Hello,

I've tried many places, finally ending up here to ask my question: why is it so vital that the directory used with the ChrootDirectory directive is root-owned?

Like many people I'm trying to use this in a webhosting environment where several users get sftp-only access to some directory, usually something like /home/user/web/part-of-website.

I can be sure that there are no setuid binaries in /home, so that rules out some possible vulnerabilities. Could anyone tell me what other problems a non-root-owned chroot directory could create?

Thanks!

(Please CC me).

Alexander

Alexander Prinsier wrote:
> Hello,
>
> I've tried many places, finally ending up here to ask my question: why
> is it so vital that the directory used with the ChrootDirectory
> directive is root-owned?
>
> Like many people I'm trying to use this in a webhosting environment
> where several users get sftp-only access to some directory, usually
> something like /home/user/web/part-of-website.
>
> I can be sure that there are no setuid binaries in /home, so that rules
> out some possible vulnerabilities. Could anyone tell me what other
> problems a non-root-owned chroot directory could create?
>
> Thanks!
>
> (Please CC me).
>
> Alexander
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

I would say this pretty much answers your questions ...

http://unixwiz.net/techtips/chroot-practices.html

On Sat, 28 Mar 2009, Alexander Prinsier wrote:
> Hello,
>
> I've tried many places, finally ending up here to ask my question: why
> is it so vital that the directory used with the ChrootDirectory
> directive is root-owned?
>
> Like many people I'm trying to use this in a webhosting environment
> where several users get sftp-only access to some directory, usually
> something like /home/user/web/part-of-website.
>
> I can be sure that there are no setuid binaries in /home, so that rules
> out some possible vulnerabilities. Could anyone tell me what other
> problems a non-root-owned chroot directory could create?

Basically because having a non-root-user-writable root directory (i.e. what chroot(2) without a root-ownership test gives you) can be exploited through setuid programs, and because sshd has no way of determining whether setuid programs exist in the chroot.

-d

Alexander Prinsier wrote:
> I've tried many places, finally ending up here to ask my question: why
> is it so vital that the directory used with the ChrootDirectory
> directive is root-owned?

Thanks everyone for your valuable replies (and the off-list discussions).

And to make the archive complete: you can just comment a block of code in safely_chroot() in session.c to remove the root-ownership check.

I hope this will be configurable some day. The introduction of internal-sftp was one big step in the good direction, this option would make it complete.

Alexander
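
The root-ownership requirement discussed in this thread, as an added example that is not part of any message above and is not OpenSSH code: a Python audit, modelled on the sshd_config rule that every component of the ChrootDirectory path must be a root-owned directory not writable by group or others, that lists the components that fail. The function names and the `stat_fn` parameter are assumptions of this example.

```python
import os
import stat
import sys


def component_problem(st):
    """Return why one path component fails the check, or None if it passes."""
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != 0:
        return "owned by uid %d, not root" % st.st_uid
    if st.st_mode & 0o022:
        return "writable by group or others (mode %04o)" % stat.S_IMODE(st.st_mode)
    return None


def audit_chroot(path, stat_fn=os.stat):
    """Check '/' and each component of an absolute path.

    Returns a list of (component, problem); an empty list means every
    component is a root-owned directory with no group/other write bit.
    stat_fn is a hypothetical hook so the check can be tested offline.
    """
    if not os.path.isabs(path):
        raise ValueError("chroot path must be absolute")
    parts = [p for p in os.path.normpath(path).split("/") if p]
    components = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    findings = []
    for comp in components:
        try:
            problem = component_problem(stat_fn(comp))
        except OSError as exc:
            problem = "cannot stat: %s" % exc.strerror
        if problem:
            findings.append((comp, problem))
    return findings


if __name__ == "__main__":
    # Default is the example path from the thread, not a real deployment.
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/user/web/part-of-website"
    results = audit_chroot(target)
    for comp, problem in results:
        print("%s: %s" % (comp, problem))
    sys.exit(1 if results else 0)
```

Run it against the intended ChrootDirectory before reloading sshd; a user-owned component such as /home/user is reported by name, which shows where a root-owned parent has to be introduced.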