openssh unix dev - Sep 2010 - chroot directory must be root owned

Hi Team,

I am just a curious individual user who reviewed the OpenSSH;not working for
a company.
I was just wondering why there is a restriction for chroot directory to be
owned by root. The line of code below in session.c show them.
The basic UNIX security permissions provide a sufficient access control.
Have you guys found a way to bypass security if the directory is not owned
by root?


-        * Descend the path, checking that each component is a
-        * root-owned directory with strict permissions.
-        */
-       for (cp = path; cp != NULL;) {
-               if ((cp = strchr(cp, '/')) == NULL)
-                       strlcpy(component, path, sizeof(component));
-               else {
-                       cp++;
-                       memcpy(component, path, cp - path);
-                       component[cp - path] = '\0';
-               }
-
-               debug3("%s: checking '%s'", __func__,
component);
-
-               if (stat(component, &st) != 0)
-                       fatal("%s: stat(\"%s\"): %s",
__func__,
-                           component, strerror(errno));
-            *   if (st.st_uid != 0 || (st.st_mode & 022) != 0)*
-                       fatal("bad ownership or modes for chroot "
-                           "directory %s\"%s\"",
-                           cp == NULL ? "" : "component ",
component);


Many Thanks,
Indra G

igoh wrote:
> Have you guys found a way to bypass security if the directory is not owned
> by root?
  https://bugzilla.redhat.com/show_bug.cgi?id=522141

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904

  http://unixwiz.net/techtips/chroot-practices.html

Bob