Score:0

OpenSSH ChrootDirectory man page remark on safety


In the sshd_config(5) man page in my system I found this remark in the section about ChrootDirectory:

For safety, it is very important that the directory hierarchy be prevented from modification by other processes on the system (especially those outside the jail). Misconfiguration can lead to unsafe environments which sshd(8) cannot detect.

Is there anywhere I can read about the associated vulnerabilities if some external process does modifications to the directory hierarchy?

I'm thinking about setting up a SFTP server where I can drop a few files to share with external users, restricting access to specific target directories to each of them.

While these users would be restricted to using SFTP only and only to those directories (thanks to ChrootDirectory), I would still be able to put the files in place from time to time, which would happen through other processes on the system which would be outside of the jail.

I wonder if this simple use case can lead to some vulnerability too - any light would be very appreciated!

Score:2

The ChrootDirectory requires root owner and group ("At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.").

SFTP is among the simplest to configure, but set the directory permissions to 755 and create a subdirectory with 775 permissions and a group, something like the following, where the group contains only the users for the processes that require access.

drwxr-xr-x root root         /var/chrootdir
drwxrwxr-x root processgroup /var/chrootdir/sftpdrop

If the processes cannot be trusted to save files to the location, a different process could be used, even a cron job, to save files in the transfer directory.

These kinds of security questions may get lots of responses based on various different experiences, but the obvious problem appears to me to be a process saving information inside of the chroot directory that is not supposed to be available to the chrooted users, or reading information inside of the chroot directory that can be modified by the chrooted user.

in flag
"If the processes cannot be trusted to save files to the location, a different process could be used, even a cron job, to save files in the transfer directory." This is what I had in mind - a one-way flow of data from the system to the external world, pumped from processes in the wider system. That's also why I'm asking - the statement in the docs is pretty high-level and general in the pre-conditions, but pretty clear in what should be done (i.e. don't let external processes access the hierarchy).
Paul (cn flag)
What is your question, then?
in flag
"Is there anywhere I can read about the associated vulnerabilities if some external process does modifications to the directory hierarchy?"