search for: opensshsftpchrootcodeexecut

On Fri, Jan 05, 2018 at 09:42:18PM +1030, David Newall wrote: > On 05/01/18 20:06, Jakub Jelen wrote: > > if the confined user has write access to the chroot directory, > > there are ways how to get out, gain privileges and or do other > > nasty things. > > I'm not inexperienced with UNIX and unix-like operating systems (30+ years), > and I can't think what

...perating > access from the outside - no matter if it is the same user or > another one - leads to root privilege escalation, even without > hardlinks, just using the default behaviour of any shared linked > SUID binary. > > hd > > [0] https:///www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution/ > Hello halfdog, I was not aware that a sftp-only access does execute code/scripts from these directories. I look at this from the point of view of a naive sftp user. If a naive sftp user get access to a machine, then he thinks the directory belongs to him and he can write and delete w...

...ing > access from the outside - no matter if it is the same user or > another one - leads to root privilege escalation, even without > hardlinks, just using the default behaviour of any shared linked > SUID binary. > > hd > > [0] > https:///www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution > / Thank you for the article describing this issue in understandable manner. What struck my attention is the reading of the /etc/ssh/sshrc from chroot. Is it even correct that OpenSSH is searching for the /etc/ssh/sshrc file AFTER the chroot? No, I am not advocating the writable chroots,...