This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: Finally managed to create a jailed SFTP server, but how secure?
>
> I will try different variants definitely. Unfortunately I can only give the
> feedback tomorrow as I am away from the office now.
>
> Thanks for your input.
>
Hi again,
I'm sorry I couldn't come back earlier. All my tests (at the end of this post
shows negative result). First, I try to change directory to drive C:. None of
them worked. Then, I tried to get a file called C:\foo. All of them failed too.
So again, I couldn't make SFTP to see outside the jail (the term jail is from
this SFTP context).
And I also have the answer for my own question few days back. My question was:
> - internal-sftp seems to have visibility outside the jail directory
> as it can list the owner and group name of the objects inside the
> jail directory although I haven't copied /etc/passwd and /etc/group
> to the jailed directory.
> How can this be possible?
This is what I found:
1. Using console, I created a file called foo in the jail root directory
2. And then I listed it from SFTP:
sftp> pwd
Remote working directory: /
sftp> ls -al
drwxr-xr-x 5 root root 0 Dec 4 16:23 .
drwxr-xr-x 5 root root 0 Dec 4 16:23 ..
dr-xr-xr-x 1 root root 0 Jan 1 1970 cygdrive
-rw-r--r-- 1 root root 0 Dec 4 16:23 foo
drwxr-xr-x 3 root root 0 Dec 4 16:22 home
So far nothing is extraordinary apart from the fact that SFTP can show the display
name of owner and group of each object although /etc/passwd and /etc/group are
"missing" from the jail (you can see there's not even /etc directory listed there).
This is what made me think that SFTP could see outside the jail.
3. While SFTP session was still active, from Console I created a Windows user called
dummy and import it to /etc/passwd
# net user dummy password /add
# mkpasswd -l | grep dummy >> /etc/passwd
4. From the Console, I changed the owner of foo to the user dummy:
# chown dummy foo
# ls -al
total 0
drwxr-xr-x+ 3 root root 0 Dec 4 16:23 ./
drwxr-xr-x+ 8 root root 0 Dec 1 13:25 ../
-rw-r--r-- 1 dummy root 0 Dec 4 16:23 foo
drwxr-xr-x+ 3 root root 0 Dec 4 16:22 home/
which is as expected.
5. And then I listed it from inside my SFTP session:
sftp> ls -al
drwxr-xr-x 5 root root 0 Dec 4 16:23 .
drwxr-xr-x 5 root root 0 Dec 4 16:23 ..
dr-xr-xr-x 1 root root 0 Jan 1 1970 cygdrive
-rw-r--r-- 1 4294967295 root 0 Dec 4 16:23 foo
drwxr-xr-x 3 root root 0 Dec 4 16:22 home
SFTP shows dummy as unlisted user!
So my conclusion is, SFTP reads /etc/password and caches it before starting to
chroot to the jail.
And here are my tests to access outside jail:
sftp> pwd
Remote working directory: /
sftp> cd C:
Couldn't canonicalise: No such file or directory
sftp> cd C:\
Couldn't canonicalise: No such file or directory
sftp> cd C:/
Couldn't canonicalise: No such file or directory
sftp> cd /cygdrive/c
Couldn't canonicalise: No such file or directory
sftp> cd /cygdrive/C:
Couldn't canonicalise: No such file or directory
sftp> cd \\.\C:
Couldn't canonicalise: No such file or directory
sftp> cd \\.\C:\
Couldn't canonicalise: No such file or directory
sftp> cd \\./C:
Couldn't canonicalise: No such file or directory
sftp> cd \\./C:/
Couldn't canonicalise: No such file or directory
sftp> cd \??\C:
Couldn't canonicalise: No such file or directory
sftp> cd \??\C:\
Couldn't canonicalise: No such file or directory
sftp> cd /??/C:
Couldn't canonicalise: No such file or directory
sftp> pwd
Remote working directory: /
sftp> get \\.\C:\foo
Couldn't stat remote file: No such file or directory
File "/\\\\.C:foo" not found.
sftp> get \\.\C:/foo
Couldn't stat remote file: No such file or directory
File "/\\\\.C:/foo" not found.
sftp> get \\./C:\foo
Couldn't stat remote file: No such file or directory
File "/\\\\./C:foo" not found.
sftp> get \\./C:/foo
Couldn't stat remote file: No such file or directory
File "/\\\\./C:/foo" not found.
sftp> get \??\C:\foo
File "/\\??C:foo" not found.
sftp> get \??/C:\foo
File "/\\??/C:foo" not found.
sftp> get C:foo
Couldn't stat remote file: No such file or directory
File "/C:foo" not found.
sftp> get C:\foo
Couldn't stat remote file: No such file or directory
File "/C:foo" not found.
sftp> get C:/foo
Couldn't stat remote file: No such file or directory
File "/C:/foo" not found.
sftp> get /cygdrive/ci/foo
Couldn't stat remote file: No such file or directory
File "/cygdrive/ci/foo" not found.
sftp> get /cygdrive/c:\foo
Couldn't stat remote file: No such file or directory
File "/cygdrive/c:foo" not found.
sftp> get /??/c:/foo
File "/??/c:/foo" not found.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- References:
- Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- From: Larry Hall (Cygwin)
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- From: Larry Hall (Cygwin)
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- From: Larry Hall (Cygwin)
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?