| www.delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| X-Spam-Check-By: | sourceware.org |
| X-Authority-Analysis: | v=1.0 c=1 a=qdHvlqEE0G4A:10 a=iIAewln5wGcA:10 a=xe8BsctaAAAA:8 a=W_QzI06sGqRaVLLqfkQA:9 a=pG8GM-OWy5WQ7PwOWkmACBYZle8A:4 a=eDFNAWYWrCwA:10 a=rPt6xJ-oxjAA:10 |
| Message-ID: | <4934C530.9030405@byu.net> |
| Date: | Mon, 01 Dec 2008 22:18:40 -0700 |
| From: | Eric Blake <ebb9 AT byu DOT net> |
| User-Agent: | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081105 Thunderbird/2.0.0.18 Mnenhy/0.7.5.666 |
| MIME-Version: | 1.0 |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: Finally managed to create a jailed SFTP server, but how secure? |
| References: | <664060 DOT 6380 DOT qm AT web34704 DOT mail DOT mud DOT yahoo DOT com> <49341625 DOT 2090804 AT cygwin DOT com> <933558 DOT 98400 DOT qm AT web34705 DOT mail DOT mud DOT yahoo DOT com> |
| In-Reply-To: | <933558.98400.qm@web34705.mail.mud.yahoo.com> |
| X-IsSubscribed: | yes |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 According to TheO on 12/1/2008 12:13 PM: > I did some simple tests to break out my jail. From my SFTP session, I tried to do the following: > > sftp> cd /cygdrive > sftp> cd c > Couldn't canonicalise: No such file or directory Did you verify whether DOS paths, such as c:\, were also blocked? > But maybe my simple tests are not enough. Maybe there are some special file names which are not mapped to any directory or file but are interpreted internally by Cygwin to designate some directories outside the jail. To repeat what we have already told you multiple times: cygwin does NOT enforce the jail. And without OS support to do so, we are not in a position to state that your jail is secure; so with security in mind, you must consider the SFTP connection, even in its chroot jail, to be only as secure as the restricted rights that you are able to enforce on the Windows user id in use when you make the SFTP connection. - -- Don't work too hard, make some time for fun as well! Eric Blake ebb9 AT byu DOT net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Cygwin) Comment: Public key at home.comcast.net/~ericblake/eblake.gpg Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkk0xTAACgkQ84KuGfSFAYDx0wCeNq+nuk/bG/Od4pjtawvWAD6T prkAoKrWCWia6GxJWAFm8ZF3Y0IUl1uw =orVG -----END PGP SIGNATURE----- -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |