Date: Thu, 4 Dec 2008 08:37:52 -0800 (PST)
From: TheO
Subject: Re: Finally managed to create a jailed SFTP server, but how secure?
To: cygwin AT cygwin DOT com
Message-ID: <651741.1643.qm@web34703.mail.mud.yahoo.com>

>
> I will try different variants definitely. Unfortunately I can only give the
> feedback tomorrow as I am away from the office now.
>
> Thanks for your input.
>

Hi again,

I'm sorry I couldn't come back earlier.

All my tests (at the end of this post) show negative results.
First, I tried to change directory to drive C:. None of them worked.
Then, I tried to get a file called C:\foo. All of them failed too.

So again, I couldn't make SFTP see outside the jail (the term jail is from
this SFTP context).

And I also have the answer to my own question from a few days back. My question was:

> - internal-sftp seems to have visibility outside the jail directory
>   as it can list the owner and group name of the objects inside the
>   jail directory although I haven't copied /etc/passwd and /etc/group
>   to the jailed directory.
>   How can this be possible?

This is what I found:

1. Using the console, I created a file called foo in the jail root directory.

2. And then I listed it from SFTP:

    sftp> pwd
    Remote working directory: /
    sftp> ls -al
    drwxr-xr-x 5 root root 0 Dec 4 16:23 .
    drwxr-xr-x 5 root root 0 Dec 4 16:23 ..
    dr-xr-xr-x 1 root root 0 Jan 1 1970 cygdrive
    -rw-r--r-- 1 root root 0 Dec 4 16:23 foo
    drwxr-xr-x 3 root root 0 Dec 4 16:22 home

   So far nothing is extraordinary apart from the fact that SFTP can show
   the display name of the owner and group of each object although /etc/passwd
   and /etc/group are "missing" from the jail (you can see there's not even
   an /etc directory listed there). This is what made me think that SFTP
   could see outside the jail.

3. While the SFTP session was still active, from the console I created a
   Windows user called dummy and imported it to /etc/passwd:

    # net user dummy password /add
    # mkpasswd -l | grep dummy >> /etc/passwd

4. From the console, I changed the owner of foo to the user dummy:

    # chown dummy foo
    # ls -al
    total 0
    drwxr-xr-x+ 3 root root 0 Dec 4 16:23 ./
    drwxr-xr-x+ 8 root root 0 Dec 1 13:25 ../
    -rw-r--r-- 1 dummy root 0 Dec 4 16:23 foo
    drwxr-xr-x+ 3 root root 0 Dec 4 16:22 home/

   which is as expected.

5. And then I listed it from inside my SFTP session:

    sftp> ls -al
    drwxr-xr-x 5 root root 0 Dec 4 16:23 .
    drwxr-xr-x 5 root root 0 Dec 4 16:23 ..
    dr-xr-xr-x 1 root root 0 Jan 1 1970 cygdrive
    -rw-r--r-- 1 4294967295 root 0 Dec 4 16:23 foo
    drwxr-xr-x 3 root root 0 Dec 4 16:22 home

SFTP shows dummy as an unlisted user!

So my conclusion is, SFTP reads /etc/passwd and caches it before starting
to chroot to the jail.

And here are my tests to access outside the jail:

    sftp> pwd
    Remote working directory: /
    sftp> cd C:
    Couldn't canonicalise: No such file or directory
    sftp> cd C:\
    Couldn't canonicalise: No such file or directory
    sftp> cd C:/
    Couldn't canonicalise: No such file or directory
    sftp> cd /cygdrive/c
    Couldn't canonicalise: No such file or directory
    sftp> cd /cygdrive/C:
    Couldn't canonicalise: No such file or directory
    sftp> cd \\.\C:
    Couldn't canonicalise: No such file or directory
    sftp> cd \\.\C:\
    Couldn't canonicalise: No such file or directory
    sftp> cd \\./C:
    Couldn't canonicalise: No such file or directory
    sftp> cd \\./C:/
    Couldn't canonicalise: No such file or directory
    sftp> cd \??\C:
    Couldn't canonicalise: No such file or directory
    sftp> cd \??\C:\
    Couldn't canonicalise: No such file or directory
    sftp> cd /??/C:
    Couldn't canonicalise: No such file or directory
    sftp> pwd
    Remote working directory: /

    sftp> get \\.\C:\foo
    Couldn't stat remote file: No such file or directory
    File "/\\\\.C:foo" not found.
    sftp> get \\.\C:/foo
    Couldn't stat remote file: No such file or directory
    File "/\\\\.C:/foo" not found.
    sftp> get \\./C:\foo
    Couldn't stat remote file: No such file or directory
    File "/\\\\./C:foo" not found.
    sftp> get \\./C:/foo
    Couldn't stat remote file: No such file or directory
    File "/\\\\./C:/foo" not found.
    sftp> get \??\C:\foo
    File "/\\??C:foo" not found.
    sftp> get \??/C:\foo
    File "/\\??/C:foo" not found.
    sftp> get C:foo
    Couldn't stat remote file: No such file or directory
    File "/C:foo" not found.
    sftp> get C:\foo
    Couldn't stat remote file: No such file or directory
    File "/C:foo" not found.
    sftp> get C:/foo
    Couldn't stat remote file: No such file or directory
    File "/C:/foo" not found.
    sftp> get /cygdrive/ci/foo
    Couldn't stat remote file: No such file or directory
    File "/cygdrive/ci/foo" not found.
    sftp> get /cygdrive/c:\foo
    Couldn't stat remote file: No such file or directory
    File "/cygdrive/c:foo" not found.
    sftp> get /??/c:/foo
    File "/??/c:/foo" not found.
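
Added example, not part of the original post: a Python check that reads a saved sftp session log like the one above and lists any cd/get probe that did not end in one of the error messages shown in the post. The function names and the second sample log are constructed for illustration, and the check assumes every cd/get in the log targets a path outside the jail.

```python
import re

# Failure texts the sftp client printed in the session above.
FAILURES = ("Couldn't canonicalise", "Couldn't stat remote file", "not found.")
PROMPT = re.compile(r"^sftp>\s*(.*)$")

# First sample: lines taken from the post. Second: constructed failing case.
SAMPLE_JAILED = r"""
sftp> pwd
Remote working directory: /
sftp> cd /cygdrive/c
Couldn't canonicalise: No such file or directory
sftp> get \??\C:\foo
File "/\\??C:foo" not found.
sftp> pwd
Remote working directory: /
"""
SAMPLE_LEAK = r"""
sftp> cd /cygdrive/c
sftp> pwd
Remote working directory: /cygdrive/c
"""

def parse_transcript(text):
    """Split an sftp log into (command, [response lines]) entries."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = PROMPT.match(line)
        if m:
            entries.append((m.group(1).strip(), []))
        elif entries and line:
            entries[-1][1].append(line)
    return entries

def unblocked_attempts(text):
    """cd/get commands with no failure message, i.e. the server resolved them."""
    return [cmd for cmd, out in parse_transcript(text)
            if cmd.split(" ", 1)[0] in ("cd", "get")
            and not any(f in line for line in out for f in FAILURES)]

def stayed_at_root(text):
    """True if the log has pwd output and every pwd reported '/'."""
    pwds = [out for cmd, out in parse_transcript(text) if cmd == "pwd"]
    return bool(pwds) and all(o == ["Remote working directory: /"] for o in pwds)

if __name__ == "__main__":
    for name, log in (("jailed", SAMPLE_JAILED), ("leak", SAMPLE_LEAK)):
        print(name, unblocked_attempts(log), stayed_at_root(log))
```

A silent cd is what success looks like in the sftp client, so the check treats the absence of an error as the finding rather than looking for a success message.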