Finally managed to create a jailed SFTP server, but how secure?

Roger Wells ROGER.K.WELLS@saic.com
Fri Dec 5 21:19:00 GMT 2008


TheO wrote:
>> From what we've seen so far, it seems that SFTP responds as expected.
>> That is all that I want to know.
>> From this point forward, we must try to close all other access ways
>> that does not belong to the scenario... but those are not excuses to
>> not implement the SFTP chroot.
>>
>>     
>
> Actually, my real case is even simpler than this. My SFTP users are all "friendly", 
> they are not unknown to me. It is a cooperative environment and to be honest, I 
> don't believe that they would harm my system by hacking into it.
>
> But I don't want them to poke around and see the content of other directories which
> do not concern them, read my config files, see who other users are or list the content
> of my C: drive, ...
>
> Yes so far the set up looks as expected. However, I would have preferred better if
> /cygdrive was not visible too even if they can't do anything with it. Ideally there
> should not be anything which could give them any hint on the type of my platform.
>
>   
if you are concerned about the "cygdrive" text there is a registry entry 
where you can set that to whatever you want including "". That is what I 
do. I would tell you what it is but my windows machine is not here right 
now. Then when you "ls /" you get /c, /d etc instead of /cygdrive/c, 
/cygdrive/d, etc.
cheers,
roger wells
> I don't know who creates /cygdrive here. It is not required in this chroot'ed 
> environment. My guess, it is created by sftp-server at start up (regardless whether
> it runs under chroot'ed environment or not). Maybe someone can confirm this better than
> me.
>
>
>
> One more thing to add.
>
> According to its RFC (4254), once a session is established, SSH allows the client to specify
> anycommand to execute or any subsystem to be spawned on the server side.
>
> But I think I am safe here too because;
>
> 1. I only put sftp subsystem in the sshd_config so any other subsystem request will fail.
> 2. No command can be executed since it requires /bin/bash (or another shell as defined by
>    /etc/passwd) to be present in the jail.
>
>
>       
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
>
>
>   

-- 
Roger Wells, P.E.
SAIC
221 Third St
Newport, RI 02840
401-847-4210 (voice)
401-849-1585 (fax)
roger.k.wells@saic.com


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/



More information about the Cygwin mailing list