X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
References: <664060 DOT 6380 DOT qm AT web34704 DOT mail DOT mud DOT yahoo DOT com> <49341625 DOT 2090804 AT cygwin DOT com> <933558 DOT 98400 DOT qm AT web34705 DOT mail DOT mud DOT yahoo DOT com> <4934527E DOT 2070200 AT cygwin DOT com> <961872 DOT 64997 DOT qm AT web34701 DOT mail DOT mud DOT yahoo DOT com> <493568B8 DOT 3010308 AT cygwin DOT com> <49376 DOT 99112 DOT qm AT web34702 DOT mail DOT mud DOT yahoo DOT com> <20081202231141 DOT GA5449 AT ednor DOT casa DOT cgf DOT cx>
Date: Tue, 2 Dec 2008 16:00:02 -0800 (PST)
From: TheO <idgajelas AT yahoo DOT com>
Subject: Re: Finally managed to create a jailed SFTP server, but how secure?
To: cygwin AT cygwin DOT com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <451120.45664.qm@web34703.mail.mud.yahoo.com>
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

> 

>
>

Many thanks for all your responses so far and I apologize if I
seem to be very persistent with my questions in this thread. 

Maybe it's my fault to pose a such general question. Maybe I should 
be more specific in my questions, asking many smaller targeted 
questions instead of one big one. 

For example;

- Why does internal-sftp subsystem creates /cygdrive inside the
  jailed directory?
- Who creates it? sshd or internal-sftp?
- Why /cygdrive is needed in the jailed environment?
- What harm can one do via /cygdrive eventhough it looks empty?
- Is it possible to hide it in the jailed environment? How?

- internal-sftp seems to have visibility outside the jail directory
  as it can list the owner and group name of the objects inside the
  jail directory although I haven't copied /etc/passwd and /etc/group
  to the jailed directory.
  How can this be possible?

- If I log on using public key authentication, sshd with its internal-
  sftp embedded in it runs using sshd account (correct me if I'm
  wrong here). But how can it read/write to a directory which does not
  belong to that account and from which I revoked group and other r/w
  rights? 

- etc etc

Maybe if I know the answer to some of these puzzles, I would be able
to figure out better what kind of security I can expect from SFTP on
Cygwin.

Do you think I'd better start 2-3 new threads with specific questions in
each? Or shall I just carry on with this thread.

Your suggestions are always more than welcome in this quest.


      

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/