
List:       openssh-unix-dev
Subject:    AW: chroot directory ownership
From:       Fiedler Roman <Roman.Fiedler () ait ! ac ! at>
Date:       2012-02-21 14:34:32
Message-ID: 9F69795E29C890408AC2DAF646C89BB379D12D3DD5 () MAILBOX ! arc ! local

> DES
> Just one example.
> If the user is the owner of /, he could move away /etc and replace it with
> its own one, providing a /etc/passwd under its control.
> 
> You may think a user-owned chroot is not a problem for your setup, and it
> may not be, or there may be a way you don't yet know (or opened by a
> config change). Having a root-owned / is *much* safer.

With sftp, the most likely attack scenario might be local code execution, where the user had
only sftp access. With a user-writeable chroot, minor programming errors might allow
such a task, e.g.

* sftp or libc might load locale info or translations from untrusted files (changing
  normal print to format string vuln)
* Buffer overflows reading locale/translation file info, e.g. by placing a
  4GB+something locale file
* A memory error, e.g. double free, in sftp - which would have been caught by libc --
  might trigger loading of another shared library, e.g. the result in
  http://www.cvedetails.com/cve/CVE-2012-0031/

These additional attacks are not possible with non-writeable root.

Kind regards,
Roman
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
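
The ownership rule debated in this thread can be audited before a directory is used as a ChrootDirectory; sshd_config(5) requires every component of the path to be a root-owned directory that is not writable by group or others. The following is an added example, not part of the original message or of OpenSSH's code; the function name `audit_chroot_path` and the `owner_uid` parameter are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_chroot_path(path, owner_uid=0):
    """Walk `path` from / downward and return (component, problem) tuples.

    A component is reported when it is not a directory, is not owned by
    `owner_uid` (root by default), or is writable by group or others.
    An empty list means the whole chain passes the check.
    """
    findings = []
    resolved = os.path.realpath(path)  # check the directories actually used
    parts = [p for p in resolved.split(os.sep) if p]
    component = os.sep
    for part in [""] + parts:          # "" makes the loop check "/" itself
        component = os.path.join(component, part)
        try:
            st = os.stat(component)
        except OSError as exc:
            findings.append((component, f"cannot stat: {exc.strerror}"))
            break                      # nothing below this can be checked
        if not stat.S_ISDIR(st.st_mode):
            findings.append((component, "not a directory"))
        if st.st_uid != owner_uid:
            findings.append(
                (component, f"owned by uid {st.st_uid}, expected {owner_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((component, "writable by group or others"))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_chroot.py /path/to/chroot
    problems = audit_chroot_path(sys.argv[1])
    for component, problem in problems:
        print(f"{component}: {problem}")
    sys.exit(1 if problems else 0)
```

Every parent directory is checked, not only the chroot itself, because a writable parent lets its owner rename the chroot directory and substitute another one.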

