Finally managed to create a jailed SFTP server, but how secure?

Eric Blake
Wed Dec 3 13:12:00 GMT 2008


According to TheO on 12/3/2008 5:57 AM:
> And if I understand correctly, one of the possible ways for a user to bypass the check
> by Cygwin is to use Win32 reserved file names.
> identifying what filenames are reserved by Win32, this is what I've got (please
> complete it if I am missing something):
>   Dos devices:      CON, COMn, LPTn, AUX, PRN, NUL (n=0, 1, ...)
>   Named Pipes:      \\.\Pipe\foo
>   Physical Driver:  \\.\PhysicalDriveN (N=0, 1, ...)

You still haven't tested a biggie (that we've already told you about):

DOS file names: c:\path\to\file

If someone can convince a remote sftp client to ask your SFTP server to
transfer a DOS file name, then the remote machine has effectively looked
outside of your jail, because cygwin cannot place DOS filenames inside the
chroot.  And we are unlikely to slow down cygwin just to plug this hole in
the chroot facade, because we aren't interested in auditing what other
holes may exist.  I don't see why you persist in asking when we've already
told you the answer, five times over.  chroot does _not_ add security in a
cygwin environment, nor will we ever be able to make it add security.  It
merely adds a facade that makes it easier to port Linux apps that use
chroot; and it is up to you, not us, to verify whether that facade is
sufficient for your needs, because we don't plan on spending the time to
audit it.

--
Don't work too hard, make some time for fun as well!

Eric Blake   
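
An added example, not part of the original message and not Cygwin code: a Python audit that flags requested path names in the forms named in this thread (DOS drive paths, the `\\.\` device namespace, DOS device names) so they can be logged or refused before they reach the server. As the message says, this does not turn the chroot into a security boundary; the function names and sample requests are constructed.

```python
import re

# Name forms taken from the thread; function names and samples are constructed.
DRIVE = re.compile(r"^[A-Za-z]:")              # c:\path\to\file, c:/path, c:file
DEVICE_NS = re.compile(r"^[\\/]{2}[.?][\\/]")  # \\.\Pipe\foo, \\.\PhysicalDrive0
DOS_DEVICE = re.compile(r"^(CON|PRN|AUX|NUL|COM\d+|LPT\d+)$", re.IGNORECASE)


def classify(path):
    """Return a label for a Win32-style name, or None for an ordinary POSIX path."""
    if DRIVE.match(path):
        return "dos-drive-path"
    if DEVICE_NS.match(path):
        return "win32-device-namespace"
    # Check every component, accepting either separator.
    for part in re.split(r"[\\/]+", path):
        # Win32 ignores the extension, trailing spaces and a trailing colon
        # when matching device names, so NUL.txt and "con " still count.
        stem = part.split(".", 1)[0].rstrip(" :")
        if DOS_DEVICE.match(stem):
            return "dos-device-name"
    return None


def audit(requests):
    """Return (path, label) for each requested path that is not a plain POSIX name."""
    return [(p, label) for p in requests if (label := classify(p)) is not None]


# Constructed sample of path names an SFTP client might request.
SAMPLE = [
    "/home/alice/report.txt",
    r"c:\path\to\file",
    "c:/path/to/file",
    r"\\.\Pipe\foo",
    r"\\.\PhysicalDrive0",
    "/upload/NUL.txt",
    "/upload/com1",
    "/upload/console.log",
]

if __name__ == "__main__":
    for path, label in audit(SAMPLE):
        print(f"{label:24} {path}")
```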

