This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Finally managed to create a jailed SFTP server, but how secure?


TheO wrote:
> Many thanks for all your responses so far and I apologize if I
> seem to be very persistent with my questions in this thread.
>
> Maybe it's my fault to pose such a general question. Maybe I should be more specific in my questions, asking many smaller targeted questions instead of one big one.
>
> For example:
>
> - Why does the internal-sftp subsystem create /cygdrive inside the
>   jailed directory?
> - Who creates it? sshd or internal-sftp?
> - Why is /cygdrive needed in the jailed environment?
> - What harm can one do via /cygdrive even though it looks empty?
> - Is it possible to hide it in the jailed environment? How?

No, you cannot hide it. It is created by Cygwin itself as a convenience to access the virtual 'cygdrive' directory. This is one of a number of virtual directories ('/proc' and '/dev' come to mind) that Cygwin supports. See the description of "Special filenames" in the User's Guide for more details.

> - internal-sftp seems to have visibility outside the jail directory
>   as it can list the owner and group name of the objects inside the
>   jail directory although I haven't copied /etc/passwd and /etc/group
>   to the jailed directory.
>   How can this be possible?

Hasn't this been answered already? 'chroot' is not secure so setting up a jail based on it is not secure. Is there some part of this statement that's not clear to you?

> - If I log on using public key authentication, sshd with its internal-
>   sftp embedded in it runs using the sshd account (correct me if I'm
>   wrong here). But how can it read/write to a directory which does not
>   belong to that account and from which I revoked group and other r/w
>   rights?

Using 'ssh' with public key authentication means that Cygwin impersonates the desired user through some O/S trickery. You can get some details of this in the User's Guide as well. See the "Switching User Context" section. However, in the 1.5.x series of the Cygwin package, there are places where the user that started the service "bleeds" through. In 1.7, there is a new authentication module that will solve these and other pubkey authentication problems. But 1.7 is not currently released and its release date is not decided.

> Maybe if I know the answer to some of these puzzles, I would be able
> to figure out better what kind of security I can expect from SFTP on
> Cygwin.

I will say this as clearly as I can - you can expect _incomplete_ security with Cygwin's SFTP because of missing O/S support for 'chroot'. If you want to split hairs over how much insecurity you're willing to accept, that's fine, but that's going to have to be something you determine for yourself through experimentation. No one has been looking at SFTP to try to figure out all the places where it leaks. So you'd be breaking new ground here. In addition, you need to also accept the fact that the state of insecurity as provided by 'chroot' may change (i.e. worsen) over time. If you're not willing to accept "no security" as an answer to your initial question, you can save yourself a lot of time.

> Do you think I'd better start 2-3 new threads with specific questions in
> each? Or shall I just carry on with this thread.

I'm skeptical as to the value of prolonging the thread. From the beginning you've been told that Cygwin's SFTP is insecure. I would recommend that you decide for yourself whether an insecure SFTP is a viable alternative for you. A "no" answer terminates this thread for sure. I'm not sure where a "yes" leaves things in your mind. I try not to read minds. ;-)

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
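A constructed audit script, added here and not taken from this thread, from Cygwin or from OpenSSH, that checks a directory used as an sftp jail for the things the reply above says to expect: Cygwin virtual directories ('/cygdrive', '/proc', '/dev') visible inside the jail, missing copies of /etc/passwd and /etc/group (so names shown by 'ls -l' are resolved from outside the jail, which is the visibility TheO noticed), group- or world-writable entries, symlinks pointing out of the jail, and a jail root not owned by root (that last rule is OpenSSH's own ChrootDirectory requirement, which the thread does not mention). It is plain POSIX sh, so it runs on Linux as well as Cygwin; make_sample_jail builds a throwaway jail containing each issue so the audit can be tried offline.

```shell
#!/bin/sh
# Constructed example, not code from the cygwin list: audit an sftp chroot
# jail directory for the leak classes discussed in the thread.

# Print one "FINDING: ..." line per issue found under the jail directory $1.
audit_jail() {
    jail=$1

    # Jail root must be owned by root (OpenSSH's ChrootDirectory rule,
    # assumed here as the baseline; the thread itself does not state it).
    find "$jail" -prune ! -user root -print |
        sed 's|^|FINDING: jail root not owned by root: |'

    # Cygwin virtual directories: the reply above says /cygdrive cannot be
    # hidden, so at least record which ones are visible inside the jail.
    for v in cygdrive proc dev; do
        [ -e "$jail/$v" ] && echo "FINDING: virtual directory /$v is visible inside the jail"
    done

    # Missing account databases: user/group names shown inside the jail are
    # then being resolved from outside it.
    for f in etc/passwd etc/group; do
        [ -e "$jail/$f" ] || echo "FINDING: $f is missing, name lookups leave the jail"
    done

    # Group- or world-writable entries (symlinks excluded: their mode is always 777).
    find "$jail" ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's|^|FINDING: group/world-writable: |'

    # Symlinks whose absolute target lies outside the jail.
    find "$jail" -type l -print | while read -r link; do
        target=$(readlink "$link")
        case $target in
            "$jail"/*) ;;   # stays inside the jail
            /*) echo "FINDING: symlink $link points outside the jail: $target" ;;
        esac
    done
}

# Number of findings for jail directory $1.
finding_count() {
    audit_jail "$1" | grep -c '^FINDING:'
}

# Build a constructed sample jail under a temp dir and print its path.
# Modes are set explicitly so the result does not depend on the caller's umask.
make_sample_jail() {
    jail=$(mktemp -d)
    mkdir -p "$jail/cygdrive" "$jail/etc" "$jail/upload"
    chmod 755 "$jail" "$jail/cygdrive" "$jail/etc"
    chmod 775 "$jail/upload"            # group-writable: one finding
    : > "$jail/etc/group"               # group present, passwd absent: one finding
    chmod 644 "$jail/etc/group"
    ln -s /etc/hosts "$jail/hosts"      # absolute link out of the jail: one finding
    echo "$jail"
}

# Usage: sh audit_jail.sh /path/to/jail
if [ $# -gt 0 ]; then
    audit_jail "$1"
fi
```

Run it against a real jail with the path as its only argument; against the constructed sample it reports the visible /cygdrive, the missing etc/passwd, the writable upload directory, the link to /etc/hosts, and (when not run as root) the non-root owner of the jail root. Note that the checks are file-system checks only; they say nothing about the process-level leaks Larry describes, which is exactly the part that cannot be audited from inside the jail.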
