Finally managed to create a jailed SFTP server, but how secure?

Larry Hall (Cygwin)
Wed Dec 3 01:19:00 GMT 2008

TheO wrote:
> Many thanks for all your responses so far and I apologize if I
> seem to be very persistent with my questions in this thread. 
> Maybe it's my fault to pose such a general question. Maybe I should 
> be more specific in my questions, asking many smaller targeted 
> questions instead of one big one. 
> For example;
> - Why does the internal-sftp subsystem create /cygdrive inside the
>   jailed directory?
> - Who creates it? sshd or internal-sftp?
> - Why is /cygdrive needed in the jailed environment?
> - What harm can one do via /cygdrive even though it looks empty?
> - Is it possible to hide it in the jailed environment? How?

No, you cannot hide it.  It is created by Cygwin itself as a convenience
to access the virtual 'cygdrive' directory.  This is one of a number of
virtual directories ('/proc' and '/dev' come to mind) that Cygwin supports.
See the description of "Special filenames" in the User's Guide for more

> - internal-sftp seems to have visibility outside the jail directory
>   as it can list the owner and group name of the objects inside the
>   jail directory although I haven't copied /etc/passwd and /etc/group
>   to the jailed directory.
>   How can this be possible?

Hasn't this been answered already?  'chroot' is not secure so setting
up a jail based on it is not secure.  Is there some part of this
statement that's not clear to you?

> - If I log on using public key authentication, sshd with its internal-
>   sftp embedded in it runs using the sshd account (correct me if I'm
>   wrong here). But how can it read/write to a directory which does not
>   belong to that account and from which I revoked group and other r/w
>   rights? 

Using 'ssh' with public key authentication means that Cygwin impersonates
the desired user through some O/S trickery.  You can get some details of
this in the User's Guide as well.  See the "Switching User Context" section.
However, in the 1.5.x series of the Cygwin package, there are places where
the user that started the service "bleeds" through.  In 1.7, there is a
new authentication module that will solve these and other pubkey
authentication problems.  But 1.7 is not currently released and its
release date is not decided.

> Maybe if I know the answer to some of these puzzles, I would be able
> to figure out better what kind of security I can expect from SFTP on
> Cygwin.

I will say this as clearly as I can - you can expect _incomplete_ security
with Cygwin's SFTP because of missing O/S support for 'chroot'.  If you
want to split hairs over how much insecurity you're willing to accept,
that's fine but that's going to have to be something you determine for
yourself through experimentation.  No one has been looking at SFTP to
try to figure out all the places where it leaks.  So you'd be breaking
new ground here.  In addition, you need to also accept the fact that the
state of insecurity as provided by 'chroot' may change (i.e. worsen) over
time.  If you're not willing to accept "no security" as an answer to your
initial question, you can save yourself a lot of time.

> Do you think I'd better start 2-3 new threads with specific questions in
> each? Or shall I just carry on with this thread.

I'm skeptical as to the value of prolonging the thread.  From the
beginning you've been told that Cygwin's SFTP is insecure.  I would
recommend that you decide for yourself whether an insecure SFTP is a
viable alternative for you.  A "no" answer terminates this thread for
sure.  I'm not sure where a "yes" leaves things in your mind.  I try
not to read minds. ;-)

Larry Hall                    
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746


A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?
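An added example, not from this thread or from the Cygwin project: a small Python auditor that parses an sshd_config and reports whether each chroot'd SFTP jail is set up the way the OpenSSH sshd_config documentation requires (internal-sftp as the sftp subsystem, and in every Match block that sets ChrootDirectory, ForceCommand internal-sftp plus TCP and X11 forwarding turned off). It does not change the point Larry makes above: on Cygwin the chroot is not an OS-enforced jail, so a configuration that passes this audit is still only as strong as Cygwin's chroot emulation. The sample config, the group name sftponly, the user name backup and the jail paths are constructed for the example.

```python
"""Audit sshd_config chroot-SFTP jails (added example; not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample config for the example, not copied from any real host.
# 'sftponly', 'backup' and the jail paths are made-up names.
SAMPLE_SSHD_CONFIG = """\
Port 22
Subsystem sftp internal-sftp
PasswordAuthentication no

Match Group sftponly
    ChrootDirectory /home/jail
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Match User backup
    # ChrootDirectory is set, but the block still permits a shell and forwarding
    ChrootDirectory /srv/backup
    AllowTcpForwarding yes
"""

# sshd's built-in defaults for the options the audit looks at.
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no",
            "chrootdirectory": "none", "forcecommand": "none"}


@dataclass
class Section:
    criteria: str                      # "" for the global section, else the Match criteria
    options: dict = field(default_factory=dict)


def parse_sshd_config(text):
    """Split sshd_config into the global section followed by one Section per
    Match block.  Keywords are case-insensitive and, as in sshd, the first
    occurrence of a keyword within a section wins.  Quoted arguments that
    contain '#' are not handled (they are rare in practice)."""
    sections = [Section("")]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            sections.append(Section(args))
        else:
            sections[-1].options.setdefault(keyword, args)
    return sections


def effective(section, global_section, key):
    """Value sshd would apply for key inside this Match block."""
    return section.options.get(
        key, global_section.options.get(key, DEFAULTS.get(key)))


def audit_jails(text):
    """Return (where, problem) pairs for every jail-related misconfiguration."""
    global_section, *matches = parse_sshd_config(text)
    findings = []
    subsystem = global_section.options.get("subsystem", "")
    if not re.match(r"sftp\s+internal-sftp(\s|$)", subsystem):
        findings.append(("global",
            "Subsystem sftp is not internal-sftp: an external sftp-server "
            "binary is not reachable from inside a ChrootDirectory"))
    for sec in matches:
        if effective(sec, global_section, "chrootdirectory") == "none":
            continue                   # no jail configured in this block
        force = effective(sec, global_section, "forcecommand")
        if not re.match(r"internal-sftp(\s|$)", force):
            findings.append((sec.criteria,
                "ChrootDirectory without 'ForceCommand internal-sftp': users "
                "get a login shell inside the jail instead of only SFTP"))
        for key in ("allowtcpforwarding", "x11forwarding"):
            val = effective(sec, global_section, key)
            if val != "no":
                findings.append((sec.criteria,
                    f"{key} is '{val}' inside a jail; the jailed user can "
                    "still tunnel through the server"))
    return findings


if __name__ == "__main__":
    for where, problem in audit_jails(SAMPLE_SSHD_CONFIG):
        print(f"[{where}] {problem}")
```

On the sample, the sftponly block is clean and the backup block produces two findings (no ForceCommand internal-sftp, AllowTcpForwarding left at yes). One requirement the script cannot check offline is the one sshd enforces at login time: every component of the ChrootDirectory path must be owned by root and not writable by any other user or group, or sshd refuses the session.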
