[prev in list] [next in list] [prev in thread] [next in thread]
List: openssh-unix-dev
Subject: Re: chroot'd SFTP
From: Jefferson Ogata <Jefferson.Ogata () noaa ! gov>
Date: 2007-07-31 21:42:52
Message-ID: 46AFACDC.70108 () noaa ! gov
[Download RAW message or body]
On 2007-07-31 12:00, Richard Storm wrote:
> Thanks, I got now. Local/remote users with shell access can chroot in
> any dir they want. However, is this security problem, since after that
> privs are dropped and unix permissions are in effect...
Yes, generally, allowing users to chroot to a directory of their choice
is a very serious security problem.
If you can chroot to a directory you construct, you can get root privs
by fooling setuid programs using forged shared libraries or library
preloading, explicit reconfiguration (e.g. /etc/passwd, /etc/sudoers),
or various other tactics. Note that if you can construct a directory on
a filesystem that has existing setuid binaries, you can incorporate such
a binary into your chroot area using a hard link.
--
Jefferson Ogata <Jefferson.Ogata@noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt@noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic