openssh bugs - May 2022 - [Bug 3428] chroot root 755] I wish there was an option to lower the chroot security. CVE-2009-2904

https://bugzilla.mindrot.org/show_bug.cgi?id=3428

            Bug ID: 3428
           Summary: chroot root 755] I wish there was an option to lower
                    the chroot security. CVE-2009-2904
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sftp-server
          Assignee: unassigned-bugs at mindrot.org
          Reporter: shj at xenosi.de

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904
https://github.com/openssh/openssh-portable/blob/master/session.c#L1336

The directory to be chrooted must be root 755.
It is inconvenient as it is forced without a way to solve it as an
option.
The CVE content says that you can do something with a combination of
hardlink and setuid,
Isn't this a problem related to openssh that occurs when another
account executes?
I would like to take this vulnerability and make it impossible to
detect the existence of other accounts when logged in.
Please make it an option.
thank you.

if(!options->unsecure_chroot_directory) {
if (st.st_uid != 0 || (st.st_mode & 022) != 0)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3428

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Sorry, but this has been discussed extensively in the past (e.g. this
thread https://marc.info/?t=122641302700006&r=1&w=2) and we do not
intend to make changes to ChrootDirectory permission requirements.

The CVE you mention occurred because Redhat ignored this and patched
their sshd to relax these requirements. It never affected the version
of OpenSSH that we ship.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3428

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Closing bugs from openssh-9.1 release cycle

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.