Re: Finally managed to create a jailed SFTP server, but how secure?
On Fri, Dec 5, 2008 at 2:24 AM, Phil Betts [EMAIL PROTECTED] wrote:
> Frankly, there are loads of things that you would need to test and you
> can never be sure you've checked all possible mechanisms. Given that
> the chroot jail is really an open prison under Windows, one has to
> wonder if it's worth the effort, and what you have proved if all of
> your tests have passed.

That's a good point. In fact, written that way, it's a universal point, because you can always think "where are those holes that I didn't test?" :)

Now seriously, we have to think about where the responsibility lies to filter (I think this is the word that best describes the chroot implementation on Cygwin) the non-valid paths under a chroot environment... Unless there is specific code in sftp/sshd to handle and filter out the DOSish paths (which I seriously doubt, but the maintainer can correct me), this is already being filtered in the cygwin dll. If it is so, Corinna, maybe the implementation is in a bit better shape than you remember? Can you confirm that this is a result of the chroot implementation in the cygwin dll? (just morbid curiosity, at this stage :)

> The best you can say is that you are protected against inadvertent
> access and (possibly) someone casually poking around.

Well, that is always better than making the whole file system available in front of their eyes, isn't it? You have all probably heard/read a lot that "security by obscurity" is not nice, is very dangerous, and produces a false sense of security - and it's all true, in the right scenarios. However, I can tell you, without a trace of doubt, that security by obscurity ALWAYS wins over NO security at all, if you know what you're doing. For what it's worth, my professional field is indeed security, almost ten years of it. As with anything done with a proper sense of professionalism, this has to be weighed against your acceptable level of risk. But for (e.g.) casual file transfer between in-house servers, I would always recommend this kind of implementation because it is much better than a wide-open sftp... or (argh) ftp and the like...

> Don't forget that even if you decide SFTP is secure enough, you need
> to consider the system as a whole. One of the problems with

Nothing is 100% secure, so "secure enough" IS the key, and that is another way to refer to the acceptable level of risk. So this advice is true anywhere, anytime. But regarding this SFTP implementation, what I (and TheO too, I suppose) want to know is not the myriad of ways that security can go wrong, but only whether the chroot filtering (strictly inside the SFTP implementation) is honored. From what we've seen so far, it seems that SFTP responds as expected. That is all that I want to know. From this point forward, we must try to close all other access ways that do not belong to the scenario... but those are not excuses not to implement the SFTP chroot.

> Windows' security in general is the number of open ports and services
> that are running. If unauthorized users are able to gain access to the
> system via any other route, then any security SFTP gives you is totally
> illusory. You would really need an external, aggressive firewall to be
> sure that the only possible external access was via SFTP.

... and that is good advice - even though it could be insufficient, depending on the projected use of the SFTP, its position in the network architecture, etc. In short, YMMV.

> You can't rely on just disabling services, because I have known them to
> become enabled again after installing updates (thanks MS!)
>
> Phil

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
Re: Finally managed to create a jailed SFTP server, but how secure?
On Dec  5 10:43, Julio Emanuel wrote:
> If it is so, Corinna, maybe the implementation is in a bit better
> shape than you remember? Can you confirm that this is a result of the
> chroot implementation in the cygwin dll? (just morbid curiosity, at
> this stage :)

This isn't a question of being well or badly implemented, it's the simple fact that it doesn't (and can't) provide what people think it does. Chroot is a bad fake on Cygwin. Even a super cool implementation doesn't change that.

> But regarding this SFTP implementation, what I (and TheO too, I
> suppose) want to know is not the myriad of ways that security can go
> wrong, but only whether the chroot filtering (strictly inside the SFTP
> implementation) is honored.

Given that chroot is implemented within Cygwin, SFTP has nothing to do with it.

However, this is EOD for me. You have been warned. Feel free to use it, but I, for one, wouldn't.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
Re: Finally managed to create a jailed SFTP server, but how secure?
> You also need to try symlinks that point outside the jail. Try creating
> them both from the shell and within SFTP.

Just got back from my Christmas shopping and now back to work :)

I don't know how to create a symlink from inside SFTP, so I did it only from the Console. I have created two files, foo and bar. foo is a link to a file outside the jail, /foo (absolute root), while bar is an ordinary file.

sftp> ls -al
drwxr-xr-x    2 root     root            0 Dec  5 15:52 .
drwxr-xr-x    3 root     root            0 Dec  4 16:22 ..
-rw-r--r--    1 root     root           34 Dec  5 15:52 bar
lrwxrwxrwx    1 root     root            4 Dec  5 15:49 foo
sftp> get foo
Fetching /home/Administrator/foo to foo
Couldn't stat remote file: No such file or directory
sftp> get bar
Fetching /home/Administrator/bar to bar
/home/Administrator/bar                       100%   34     0.0KB/s   00:01

As expected, the user can't gain access outside his jail. But even if it had worked, I wouldn't have created such a facility purposely myself.

> Don't forget that even if you decide SFTP is secure enough, you need
> to consider the system as a whole. One of the problems with Windows'
> security in general is the number of open ports and services that are
> running. If unauthorized users are able to gain access to the system
> via any other route, then any security SFTP gives you is totally
> illusory. You would really need an external, aggressive firewall to be
> sure that the only possible external access was via SFTP.
>
> You can't rely on just disabling services, because I have known them to
> become enabled again after installing updates (thanks MS!)

Yes, I agree totally. We always put publicly accessible systems behind a firewall.
RE: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote on Friday, December 05, 2008 1:01 PM:
>> You also need to try symlinks that point outside the jail. Try
>> creating them both from the shell and within SFTP.
>
> Just got back from my Christmas shopping and now back to work :)
>
> I don't know how to create a symlink from inside SFTP

What about:

$ sftp localhost
Connecting to localhost...
sftp> symlink 'C:\Windows' bar
sftp> cd bar
sftp> ls *exe
Alcmtr.exe      FramePkg.exe    HideWin.exe     IsUninst.exe    MicCal.exe      RTHDCPL.exe
RTLCPL.exe      RtlUpd.exe      SkyTel.exe      SoundMan.exe    alcwzrd.exe     explorer.exe
hh.exe          regedit.exe     twunk_16.exe    twunk_32.exe    winhelp.exe     winhlp32.exe

I don't have my sftp chrooted, but I don't know any reason why the above wouldn't work on a Cygwin chrooted system.

--
Bryan Thrall
FlightSafety International
[EMAIL PROTECTED]
Re: Finally managed to create a jailed SFTP server, but how secure?
> What about:
>
> $ sftp localhost
> Connecting to localhost...
> sftp> symlink 'C:\Windows' bar

sftp> symlink C:\foobar foobar
sftp> symlink C:\windows windows
sftp> ls -al
drwxr-xr-x    2 root     root            0 Dec  5 19:31 .
drwxr-xr-x    3 root     root            0 Dec  4 16:22 ..
-rw-r--r--    1 root     root           34 Dec  5 15:52 bar
lrwxrwxrwx    1 root     root            4 Dec  5 15:49 foo
lrwxrwxrwx    1 root     root            8 Dec  5 19:30 foobar
lrwxrwxrwx    1 root     root            9 Dec  5 19:31 windows
sftp> get foobar
Fetching /home/Administrator/foobar to foobar
Couldn't stat remote file: No such file or directory
sftp> cd windows
Couldn't canonicalise: No such file or directory

The symlink command worked but the actual access didn't.
Re: Finally managed to create a jailed SFTP server, but how secure?
> What about:
>
> $ sftp localhost
> Connecting to localhost...
> sftp> symlink 'C:\Windows' bar
> sftp> cd bar

Sorry, I missed out the ', here we go again with ' this time:

sftp> symlink 'C:\foobar' foobar
sftp> symlink 'C:\windows' windows
sftp> ls -al
drwxr-xr-x    2 root     root            0 Dec  5 19:37 .
drwxr-xr-x    3 root     root            0 Dec  4 16:22 ..
-rw-r--r--    1 root     root           34 Dec  5 15:52 bar
lrwxrwxrwx    1 root     root            4 Dec  5 15:49 foo
lrwxrwxrwx    1 root     root            9 Dec  5 19:37 foobar
sftp> get foobar
Fetching /home/Administrator/foobar to foobar
Couldn't stat remote file: No such file or directory
sftp> cd windows
Couldn't canonicalise: No such file or directory

Same result though.
Re: Finally managed to create a jailed SFTP server, but how secure?
> From what we've seen so far, it seems that SFTP responds as expected.
> That is all that I want to know. From this point forward, we must try
> to close all other access ways that do not belong to the scenario...
> but those are not excuses not to implement the SFTP chroot.

Actually, my real case is even simpler than this. My SFTP users are all friendly; they are not unknown to me. It is a cooperative environment and, to be honest, I don't believe that they would harm my system by hacking into it. But I don't want them to poke around and see the content of other directories which do not concern them, read my config files, see who the other users are or list the content of my C: drive, ...

Yes, so far the setup looks as expected. However, I would have preferred it if /cygdrive was not visible too, even if they can't do anything with it. Ideally there should not be anything which could give them any hint about the type of my platform.

I don't know who creates /cygdrive here. It is not required in this chroot'ed environment. My guess is that it is created by sftp-server at start up (regardless of whether it runs under a chroot'ed environment or not). Maybe someone can confirm this better than me.

One more thing to add. According to its RFC (4254), once a session is established, SSH allows the client to specify any command to execute or any subsystem to be spawned on the server side. But I think I am safe here too because:
1. I only put the sftp subsystem in sshd_config, so any other subsystem request will fail.
2. No command can be executed since it requires /bin/bash (or another shell as defined by /etc/passwd) to be present in the jail.
Re: Finally managed to create a jailed SFTP server, but how secure?
> This isn't a question of being well or badly implemented, it's the
> simple fact that it doesn't (and can't) provide what people think it
> does. Chroot is a bad fake on Cygwin. Even a super cool implementation
> doesn't change that.

I don't know how chroot is implemented, but so far everything looks fine, Corinna. Normal files in the C: drive are not visible because they would have to be mapped to /cygdrive/c/xxx first (and /cygdrive/c doesn't exist). I think the only possibility to see out of the jail is by accessing Windows special file names like COM1, LPT1 or pipe names. But this is inherent to Cygwin over the Windows filesystem, not just to chroot. Fortunately I can live without COM1 or LPT1 (I can remove or disable them).
Re: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote:
>> From what we've seen so far, it seems that SFTP responds as expected.
>> That is all that I want to know. From this point forward, we must try
>> to close all other access ways that do not belong to the scenario...
>> but those are not excuses not to implement the SFTP chroot.
>
> Actually, my real case is even simpler than this. My SFTP users are
> all friendly; they are not unknown to me. It is a cooperative
> environment and, to be honest, I don't believe that they would harm my
> system by hacking into it. But I don't want them to poke around and
> see the content of other directories which do not concern them, read
> my config files, see who the other users are or list the content of
> my C: drive, ...
>
> Yes, so far the setup looks as expected. However, I would have
> preferred it if /cygdrive was not visible too, even if they can't do
> anything with it. Ideally there should not be anything which could
> give them any hint about the type of my platform.

If you are concerned about the cygdrive text, there is a registry entry where you can set that to whatever you want including . That is what I do. I would tell you what it is but my windows machine is not here right now. Then when you ls / you get /c, /d etc instead of /cygdrive/c, /cygdrive/d, etc.

cheers,
roger wells

> I don't know who creates /cygdrive here. It is not required in this
> chroot'ed environment. My guess is that it is created by sftp-server
> at start up (regardless of whether it runs under a chroot'ed
> environment or not). Maybe someone can confirm this better than me.
>
> One more thing to add. According to its RFC (4254), once a session is
> established, SSH allows the client to specify any command to execute
> or any subsystem to be spawned on the server side. But I think I am
> safe here too because:
> 1. I only put the sftp subsystem in sshd_config, so any other
>    subsystem request will fail.
> 2. No command can be executed since it requires /bin/bash (or another
>    shell as defined by /etc/passwd) to be present in the jail.

--
Roger Wells, P.E.
SAIC
221 Third St
Newport, RI 02840
401-847-4210 (voice)
401-849-1585 (fax)
[EMAIL PROTECTED]
Re: Finally managed to create a jailed SFTP server, but how secure?
> If you are concerned about the cygdrive text, there is a registry
> entry where you can set that to whatever you want including . That is
> what I do. I would tell you what it is but my windows machine is not
> here right now. Then when you ls / you get /c, /d etc instead of
> /cygdrive/c, /cygdrive/d, etc.
>
> cheers,
> roger wells

I found an occurrence of cygdrive in my registry:

HKLM\SOFTWARE\Cygnus Solutions\Cygwin\mount v2\cygdrive prefix

I changed it to /foo but it didn't work; it still showed /cygdrive inside the Console and the jailed SFTP :( I googled it and apparently it used to work but is no longer supported, unless I'm wrong.
RE: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote on Friday, December 05, 2008 3:46 PM:
>> If you are concerned about the cygdrive text, there is a registry
>> entry where you can set that to whatever you want including . That is
>> what I do. I would tell you what it is but my windows machine is not
>> here right now. Then when you ls / you get /c, /d etc instead of
>> /cygdrive/c, /cygdrive/d, etc.
>>
>> cheers,
>> roger wells
>
> I found an occurrence of cygdrive in my registry:
>
> HKLM\SOFTWARE\Cygnus Solutions\Cygwin\mount v2\cygdrive prefix
>
> I changed it to /foo but it didn't work; it still showed /cygdrive
> inside the Console and the jailed SFTP :( I googled it and apparently
> it used to work but is no longer supported, unless I'm wrong.

I believe it is still supported for Cygwin 1.5. I think what has happened is the Cygwin DLL created an actual /cygdrive directory (which is useful for things like bash completion) in your chroot jail. Now that you've changed the Cygdrive prefix, delete that directory and all should be good.

BTW, it is preferable to change the Cygdrive prefix with 'mount -c <posixpath>' rather than mess around in the registry.

--
Bryan Thrall
FlightSafety International
[EMAIL PROTECTED]
Re: Finally managed to create a jailed SFTP server, but how secure?
Roger Wells wrote:
> If you are concerned about the cygdrive text, there is a registry
> entry where you can set that to whatever you want including . That is
> what I do. I would tell you what it is but my windows machine is not
> here right now. Then when you ls / you get /c, /d etc instead of
> /cygdrive/c, /cygdrive/d, etc.

Don't do that, use 'mount' to change it like you're supposed to. (Check the fine manpage for how.) You may need to restart any Cygwin processes for the change to show up.

--
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
--
For great justice!! -- Captain (Zero Wing)
Re: Finally managed to create a jailed SFTP server, but how secure?
> I believe it is still supported for Cygwin 1.5. I think what has
> happened is the Cygwin DLL created an actual /cygdrive directory (which
> is useful for things like bash completion) in your chroot jail. Now
> that you've changed the Cygdrive prefix, delete that directory and all
> should be good.
>
> BTW, it is preferable to change the Cygdrive prefix with
> 'mount -c <posixpath>' rather than mess around in the registry.

Many thanks. I tried it and it worked. I could see in the Console that it has changed to /drive (instead of /cygdrive).

# mount
C:\cygwin\bin on /usr/bin type system (binmode)
C:\cygwin\lib on /usr/lib type system (binmode)
C:\cygwin on / type system (binmode)
c: on /drive/c type system (binmode,noumount)

And I could cd to /drive/c from the Console too. But when I tried to restart sshd, I got this message:

# net start sshd
bash: /cygdrive/c/WINDOWS/system32/net: No such file or directory

Do I need to change something somewhere else too?
Re: Finally managed to create a jailed SFTP server, but how secure?
> But when I tried to restart sshd, I got this message:
>
> # net start sshd
> bash: /cygdrive/c/WINDOWS/system32/net: No such file or directory
>
> Do I need to change something somewhere else too?

Ignore my previous message. It worked after I closed the last Console and opened a new one.

Many thanks
Re: Finally managed to create a jailed SFTP server, but how secure?
Matthew Woehlke wrote:
> Roger Wells wrote:
>> If you are concerned about the cygdrive text, there is a registry
>> entry where you can set that to whatever you want including . That is
>> what I do. I would tell you what it is but my windows machine is not
>> here right now. Then when you ls / you get /c, /d etc instead of
>> /cygdrive/c, /cygdrive/d, etc.
>
> Don't do that, use 'mount' to change it like you're supposed to. (Check
> the fine manpage for how.) You may need to restart any Cygwin processes
> for the change to show up.

Actually I knew that. It was years ago that I modified the registry directly. Sorry.

rkw

--
Roger Wells, P.E.
SAIC
221 Third St
Newport, RI 02840
401-847-4210 (voice)
401-849-1585 (fax)
[EMAIL PROTECTED]
Re: Finally managed to create a jailed SFTP server, but how secure?
On Wed, Dec 03, 2008 at 11:38:20AM +, Julio Emanuel wrote:
> On Wed, Dec 3, 2008 at 11:01 AM, Brian Dessent [EMAIL PROTECTED] wrote:
>> Julio Emanuel wrote:
>>> 4) Only commands compiled for Cygwin, AND accessing the file system
>>> exclusively through the Cygwin POSIX interfaces, can (and will) obey
>>> the chroot settings;
>>
>> This is not valid reasoning; as Eric Blake already pointed out, you
>> can still access files outside of a chroot even if you're still going
>> through the Cygwin DLL by using Win32 style pathnames, since Cygwin
>> passes those through untouched.
>
> Chroot jail is a misnomer here, on the verge of being dangerous. It's
> not a jail but just a line drawn with chalk on the floor.

I would like to add on top of that that chroot isn't considered a security feature on other OSes either. FreeBSD has jails which do much more than chroot: you have to virtualize more than just the file system to come near to being secure (in UNIXoids, think of creating a device file within your jail which maps to the whole disk or memory to know what I mean :-). Cf. for example http://en.wikipedia.org/wiki/FreeBSD_jail.

But then, for casual use, chroot might be fine. Never expose that to the Big and Stinking Net though.

Regards
-- tomás
Re: Finally managed to create a jailed SFTP server, but how secure?
> I will try different variants definitely. Unfortunately I can only
> give the feedback tomorrow as I am away from the office now. Thanks
> for your input.

Hi again,

I'm sorry I couldn't come back earlier. All my tests (at the end of this post) show a negative result. First, I tried to change directory to drive C:. None of them worked. Then, I tried to get a file called C:\foo. All of them failed too. So again, I couldn't make SFTP see outside the jail (the term jail is from this SFTP context).

And I also have the answer to my own question from a few days back. My question was:

- internal-sftp seems to have visibility outside the jail directory as it can list the owner and group name of the objects inside the jail directory although I haven't copied /etc/passwd and /etc/group to the jailed directory. How can this be possible?

This is what I found:

1. Using the console, I created a file called foo in the jail root directory.

2. And then I listed it from SFTP:

sftp> pwd
Remote working directory: /
sftp> ls -al
drwxr-xr-x    5 root     root            0 Dec  4 16:23 .
drwxr-xr-x    5 root     root            0 Dec  4 16:23 ..
dr-xr-xr-x    1 root     root            0 Jan  1  1970 cygdrive
-rw-r--r--    1 root     root            0 Dec  4 16:23 foo
drwxr-xr-x    3 root     root            0 Dec  4 16:22 home

So far nothing is extraordinary apart from the fact that SFTP can show the display name of the owner and group of each object although /etc/passwd and /etc/group are missing from the jail (you can see there's not even an /etc directory listed there). This is what made me think that SFTP could see outside the jail.

3. While the SFTP session was still active, from the Console I created a Windows user called dummy and imported it into /etc/passwd:

# net user dummy password /add
# mkpasswd -l | grep dummy >> /etc/passwd

4. From the Console, I changed the owner of foo to the user dummy:

# chown dummy foo
# ls -al
total 0
drwxr-xr-x+ 3 root  root 0 Dec  4 16:23 ./
drwxr-xr-x+ 8 root  root 0 Dec  1 13:25 ../
-rw-r--r--  1 dummy root 0 Dec  4 16:23 foo
drwxr-xr-x+ 3 root  root 0 Dec  4 16:22 home/

which is as expected.

5. And then I listed it from inside my SFTP session:

sftp> ls -al
drwxr-xr-x    5 root       root            0 Dec  4 16:23 .
drwxr-xr-x    5 root       root            0 Dec  4 16:23 ..
dr-xr-xr-x    1 root       root            0 Jan  1  1970 cygdrive
-rw-r--r--    1 4294967295 root            0 Dec  4 16:23 foo
drwxr-xr-x    3 root       root            0 Dec  4 16:22 home

SFTP shows dummy as an unlisted user! So my conclusion is: SFTP reads /etc/passwd and caches it before starting to chroot to the jail.

And here are my tests to access outside the jail:

sftp> pwd
Remote working directory: /
sftp> cd C:
Couldn't canonicalise: No such file or directory
sftp> cd C:\
Couldn't canonicalise: No such file or directory
sftp> cd C:/
Couldn't canonicalise: No such file or directory
sftp> cd /cygdrive/c
Couldn't canonicalise: No such file or directory
sftp> cd /cygdrive/C:
Couldn't canonicalise: No such file or directory
sftp> cd \\.\C:
Couldn't canonicalise: No such file or directory
sftp> cd \\.\C:\
Couldn't canonicalise: No such file or directory
sftp> cd \\./C:
Couldn't canonicalise: No such file or directory
sftp> cd \\./C:/
Couldn't canonicalise: No such file or directory
sftp> cd \??\C:
Couldn't canonicalise: No such file or directory
sftp> cd \??\C:\
Couldn't canonicalise: No such file or directory
sftp> cd /??/C:
Couldn't canonicalise: No such file or directory
sftp> pwd
Remote working directory: /
sftp> get \\.\C:\foo
Couldn't stat remote file: No such file or directory
File "/.C:foo" not found.
sftp> get \\.\C:/foo
Couldn't stat remote file: No such file or directory
File "/.C:/foo" not found.
sftp> get \\./C:\foo
Couldn't stat remote file: No such file or directory
File "/./C:foo" not found.
sftp> get \\./C:/foo
Couldn't stat remote file: No such file or directory
File "/./C:/foo" not found.
sftp> get \??\C:\foo
File "/\\??C:foo" not found.
sftp> get \??/C:\foo
File "/\\??/C:foo" not found.
sftp> get C:foo
Couldn't stat remote file: No such file or directory
File "/C:foo" not found.
sftp> get C:\foo
Couldn't stat remote file: No such file or directory
File "/C:foo" not found.
sftp> get C:/foo
Couldn't stat remote file: No such file or directory
File "/C:/foo" not found.
sftp> get /cygdrive/ci/foo
Couldn't stat remote file: No such file or directory
File "/cygdrive/ci/foo" not found.
sftp> get /cygdrive/c:\foo
Couldn't stat remote file: No such file or directory
File "/cygdrive/c:foo" not found.
Re: Finally managed to create a jailed SFTP server, but how secure?
>> I understand why all these virtual directories are necessary at the
>> absolute '/' root level. But here I refer to /cygdrive which is
>> created inside the jail directory, which means in absolute path,
>> /jail/cygdrive (/jail being the root of my jail). Inside the jail,
>> only /cygdrive is created; no other virtual directories (/proc or
>> /dev/xxx) or files are created.
>
> Created or not, they exist. Try it.

I tried it from a jailed SFTP session:

sftp> cd /dev
Couldn't canonicalise: No such file or directory
sftp> cd /proc
Couldn't canonicalise: No such file or directory

They don't exist.
RE: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote on Thursday, December 04, 2008 4:48 PM:
>>> I understand why all these virtual directories are necessary at the
>>> absolute '/' root level. But here I refer to /cygdrive which is
>>> created inside the jail directory, which means in absolute path,
>>> /jail/cygdrive (/jail being the root of my jail). Inside the jail,
>>> only /cygdrive is created; no other virtual directories (/proc or
>>> /dev/xxx) or files are created.
>>
>> Created or not, they exist. Try it.
>
> I tried it from a jailed SFTP session:
>
> sftp> cd /dev
> Couldn't canonicalise: No such file or directory
> sftp> cd /proc
> Couldn't canonicalise: No such file or directory
>
> They don't exist.

You also need to try symlinks that point outside the jail. Try creating them both from the shell and within SFTP.

You should also check that non-interactive SFTP observes the jail (that is, specifying the file to transfer on the command line).

Frankly, there are loads of things that you would need to test and you can never be sure you've checked all possible mechanisms. Given that the chroot jail is really an open prison under Windows, one has to wonder if it's worth the effort, and what you have proved if all of your tests have passed. The best you can say is that you are protected against inadvertent access and (possibly) someone casually poking around.

Don't forget that even if you decide SFTP is secure enough, you need to consider the system as a whole. One of the problems with Windows' security in general is the number of open ports and services that are running. If unauthorized users are able to gain access to the system via any other route, then any security SFTP gives you is totally illusory. You would really need an external, aggressive firewall to be sure that the only possible external access was via SFTP. You can't rely on just disabling services, because I have known them to become enabled again after installing updates (thanks MS!)

Phil
Re: Finally managed to create a jailed SFTP server, but how secure?
On Wed, Dec 3, 2008 at 2:43 AM, Albert van der Velde wrote:
> I followed this discussion, but does an ftp server exist with the
> possibility to lock a user in his home directory, preventing him from
> getting out of this jail?

Are you sure you were understanding this conversation? It was about SFTP, not FTP - they're very different, though related in terms of the interface they expose...

~Matt
Re: Finally managed to create a jailed SFTP server, but how secure?
Hi, all Cygwinners!

I've been following this thread with great interest, because I've been thinking of setting up some kind of chroot'ed SFTP environment myself. The tone of the answers is, however, consistent with what I've already seen in similar threads in the last months. Yet, I still consider that this kind of answer is lacking the informative part, as in "It's not secure BECAUSE". From the answers in this and many other threads, and a little gray-matter shaking(tm), I think I can try to put in words all the implications around this kind of setup. Please feel free to correct me, as this is also a confirmation-probe from myself to the list gurus:

1) Chroot-like features are not supported natively in Windows. Not even close. Period;
2) Chroot, although configurable in sshd_config, is not implemented in sshd (or sftp) but in the Cygwin DLL itself. You can, for example, do a chroot on demand with the chroot(1) command in a bash prompt - see man chroot.
3) From 1) and 2) you can easily guess that any native Windows command couldn't care less about any chroot configuration or command, because it just does not exist in their environment!
4) Only commands compiled for Cygwin, AND accessing the file system exclusively through the Cygwin POSIX interfaces, can (and will) obey the chroot settings;
5) So, the bottom line is, for the particular SFTP scenario: as long as you don't give any executable possibilities to the remote users, you should stay safe. As far as I can tell, SFTP (and SSHD) fit the scenario in 4).

Now for my own doubt: why is everyone walking (running) away from making a statement such as 5)? Is there an easy (or difficult, whatever) way for anyone to execute commands in an SFTP command line?

Thanks for your wisdom!
___
Julio Costa

On Wed, Dec 3, 2008 at 7:29 AM, TheO [EMAIL PROTECTED] wrote:
> Hi again,
>
> I am afraid I have to ask for clarification again :(, I hope this is
> the last time before I am on my own with this:
>
>> No, you cannot hide it. It is created by Cygwin itself as a
>> convenience to access the virtual 'cygdrive' directory. This is one
>> of a number of virtual directories ('/proc' and '/dev' come to mind)
>> that Cygwin supports. See the description of Special filenames in the
>> User's Guide for more details.
>
> I understand why all these virtual directories are necessary at the
> absolute '/' root level. But here I refer to /cygdrive which is
> created inside the jail directory, which means in absolute path,
> /jail/cygdrive (/jail being the root of my jail). Inside the jail,
> only /cygdrive is created; no other virtual directories (/proc or
> /dev/xxx) or files are created.
>
>> In 1.7, there is a new authentication module that will solve these
>> and other pubkey authentication problems. But 1.7 is not currently
>> released and its release date is not decided.
>
> Thanks for this input. I suppose that to be on the safe side, I must
> restrict it to password-based authentication only if I use the current
> Cygwin.
>
> And finally one more question. I am only aware of two subsystems
> supported by sshd more or less implicitly: sftp and shell (interactive
> logon). Is there any other subsystem which is handled by sshd
> implicitly (without me having to add anything to /etc/sshd_config)?
>
> Thanks again.
Re: Finally managed to create a jailed SFTP server, but how secure?
Julio Emanuel wrote:
> 4) Only commands compiled for Cygwin, AND accessing the file system exclusively through the Cygwin POSIX interfaces can (and will) obey the chroot settings;

This is not valid reasoning. As Eric Blake already pointed out, you can still access files outside of a chroot even if you're still going through the Cygwin DLL, by using Win32 style pathnames, since Cygwin passes those through untouched. Whether or not you can trick the sftp code into letting such a filename through remains to be seen, but the point here is that just because the access occurs via the Cygwin API doesn't mean the chroot is absolute.

Brian
Re: Finally managed to create a jailed SFTP server, but how secure?
On Wed, Dec 3, 2008 at 11:01 AM, Brian Dessent [EMAIL PROTECTED] wrote:
> Julio Emanuel wrote:
>> 4) Only commands compiled for Cygwin, AND accessing the file system exclusively through the Cygwin POSIX interfaces can (and will) obey the chroot settings;
>
> This is not valid reasoning. As Eric Blake already pointed out, you can still access files outside of a chroot even if you're still going through the Cygwin DLL, by using Win32 style pathnames, since Cygwin passes those through untouched.

Aha! So this is the tiny bit that was missing! What you are saying is that the Cygwin DLL does not honor the chroot if the path is in WIN32 format? But why is that? Shouldn't it honor the chroot all the time? I mean, this sounds like the right thing to do(tm), if Cygwin is supposed to fully support chroot environments...

> Whether or not you can trick the sftp code into letting such a filename through remains to be seen, but the point here is that just because the access occurs via the Cygwin API doesn't mean the chroot is absolute.

Right. Point taken. Although, this could be answered with a patch (an ugly-cygwin-only patch) to the sftp/sshd package to filter all the Windowish file paths that come across, right? I know that it is an ugly solution, but surely it would settle the worries for this specific (but more and more frequent) chrooted sftp scenario.

> Brian
Re: Finally managed to create a jailed SFTP server, but how secure?
On Dec 3 11:38, Julio Emanuel wrote:
> On Wed, Dec 3, 2008 at 11:01 AM, Brian Dessent [EMAIL PROTECTED] wrote:
>> Julio Emanuel wrote:
>>> 4) Only commands compiled for Cygwin, AND accessing the file system exclusively through the Cygwin POSIX interfaces can (and will) obey the chroot settings;
>>
>> This is not valid reasoning. As Eric Blake already pointed out, you can still access files outside of a chroot even if you're still going through the Cygwin DLL, by using Win32 style pathnames, since Cygwin passes those through untouched.
>
> Aha! So this is the tiny bit that was missing! What you are saying is that the Cygwin DLL does not honor the chroot if the path is in WIN32 format? But why is that? Shouldn't it honor the chroot all the time? I mean, this sounds like the right thing to do(tm), if Cygwin is supposed to fully support chroot environments...

The final, definitive answer, which I already gave last month, and also already years ago. It's all in the archives.

It's *impossible* for any kind of Windows user space environment, be it called Cygwin or whatever, to restrict applications to a chroot jail. The reason is that the underlying OS, Windows, does not support this concept. We can restrict applications using the Cygwin open call to the jail, but every application is free to call the Win32 call CreateFile or the native NT call NtOpenFile directly, thus easily circumventing any effort made in the Cygwin DLL.

So, that's it. Chroot looks interesting on the surface, but implementing it on Windows is eventually just a hoax due to missing OS support. Don't use it. It provides a false sense of security. Actually it's one of my Cygwin inventions I'd rather forget about.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
Re: Finally managed to create a jailed SFTP server, but how secure?
Julio Emanuel wrote:
> Aha! So this is the tiny bit that was missing! What you are saying is that the Cygwin DLL does not honor the chroot if the path is in WIN32 format? But why is that? Shouldn't it honor the chroot all the time? I mean, this sounds like the right thing to do(tm), if Cygwin is supposed to fully support chroot environments...

I haven't verified that this is the case, but I suspect that it is. The general philosophy of most of the path handling code is that Win32 paths bypass all Cygwin logic entirely. There are still lots of people that try to use Win32 paths with Cygwin tools despite the fact that it's not supposed to be how things are done (and discouraged.)

As to whether it should try to special-case this situation and disallow the use of Win32 paths if a chroot is in effect, I'm not sure if it makes sense. As others in the thread have already said, the chroot feature is meant to be "necessary but not sufficient", if you will. I.e. it's a convenience, not an enforcement.

Most of the time when you encounter a program that's been put in a chroot jail the reasoning is so that if there is some kind of exploitable vulnerability in that program an attacker cannot gain access to the rest of the system outside of the jail. In this scenario the chroot provided by Cygwin provides zero protection, because if the attacker can run exploit code then they can just call directly to the Win32 APIs and bypass Cygwin entirely. No amount of protection in the DLL will ever change this basic fact, so it just seems to me like you'd be furthering the illusion of security by trying to add more checks.

Brian
Re: Finally managed to create a jailed SFTP server, but how secure?
Hello Julio,

* On Wed, Dec 03, 2008 at 11:38:20AM + Julio Emanuel wrote:
> On Wed, Dec 3, 2008 at 11:01 AM, Brian Dessent [EMAIL PROTECTED] wrote:
>> This is not valid reasoning. As Eric Blake already pointed out, you can still access files outside of a chroot even if you're still going through the Cygwin DLL, by using Win32 style pathnames, since Cygwin passes those through untouched.
>
> Aha! So this is the tiny bit that was missing!

It was already mentioned elsethread.

[...]

> I know that it is an ugly solution, but surely it would settle the worries for this specific (but more and more frequent) chrooted sftp scenario.

But the problem here is: This is just one single problem instance that would (or might) have been fixed. No-one ever cared to check if there are other possibilities. In order to be safe, you would have to audit all relevant parts to find out if there might be other attack vectors. And from the answers, it is clear that none of the cygwin developers will take that route, as it is not the aim of the project.

Like it or not, but that's how it is currently.

Best regards,
Spiro.

--
Spiro R. Trikaliotis                              http://opencbm.sf.net/
http://www.trikaliotis.net/                     http://www.viceteam.org/
Re: Finally managed to create a jailed SFTP server, but how secure?
> This is not valid reasoning. As Eric Blake already pointed out, you can still access files outside of a chroot even if you're still going through the Cygwin DLL, by using Win32 style pathnames, since Cygwin passes those through untouched. Whether or not you can trick the sftp code into letting such a filename through remains to be seen, but the point here is that just because the access occurs via the Cygwin API doesn't mean the chroot is absolute.

I am just trying to be logical here. I am exporting only SFTP access to users. Well, at least that's what I want; I don't know whether somehow a user is able to spawn another application via SSHD using something which I am not aware of yet. This is one of my questions which hasn't been answered so far (what subsystems are handled internally by SSHD apart from shell and sftp?).

So logically, with just SFTP available, what a user can do is limited to basically: cd, mkdir, rmdir, get, put, rename, rm. Simply put, he can only manipulate files and directories. And if I understand correctly, one of the possible ways for a user to bypass the check by Cygwin is to use Win32 reserved file names. Identifying what filenames are reserved by Win32, this is what I've got (please complete it if I am missing something):

  Dos devices:    CON, COMn, LPTn, AUX, PRN, NUL (n=0, 1, ...)
  Named Pipes:    \\.\Pipe\foo
  Physical Drive: \\.\PhysicalDriveN (N=0, 1, ...)

I tried the following commands from a jailed sftp session:

  sftp> get PRN
  Fetching /home/user/PRN to PRN
  Couldn't read from remote file /home/user/PRN : Failure
  sftp> put foo PRN
  Uploading foo to /home/Administrator/prn
  foo                                     100%    4     0.0KB/s   00:01
  Couldn't write to remote file /home/Administrator/PRN: Permission denied
  Invalid command.
  sftp> get CON
  Fetching /home/user/CON to CON
  Couldn't get handle: Permission denied
  sftp> put foo CON
  Uploading foo to /home/Administrator/CON
  Couldn't get handle: Permission denied
  sftp> get NUL
  Fetching /home/user/NUL to NUL
  *** successful transfer ***
  sftp> put NUL
  Uploading NUL to /home/Administrator/NUL
  NUL                                     100%    0     0.0KB/s   00:00
  *** successful transfer ***
  sftp> get LPT1
  Fetching /home/user/LPT1 to LPT1
  Couldn't read from remote file /home/user/LPT1 : Failure
  sftp> get //./Pipe/foo
  Couldn't stat remote file: No such file or directory
  File //./Pipe/foo not found.
  sftp> put foo //./Pipe/foo
  Uploading foo to //./Pipe/foo
  Couldn't get handle: No such file or directory
  sftp> get COM1
  *** stuck ***

So far, the only successful transfer is using the NUL device (which is harmless) and the one which causes a problem is accessing COM1. The client was stuck and I had to kill the SSHD daemon to restore it. If this is the only problem, I can remove all COMn from the host Windows.
Re: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote:
> Identifying what filenames are reserved by Win32, this is what I've got (please complete it if I am missing something):

No, we mean "get c:/dir/file" or "get c:\dir\file". (or "put //hostname/share/file", shudder.)

Brian
Re: Finally managed to create a jailed SFTP server, but how secure?
According to TheO on 12/3/2008 5:57 AM:
> And if I understand correctly, one of the possible ways for a user to bypass the check by Cygwin is to use Win32 reserved file names. Identifying what filenames are reserved by Win32, this is what I've got (please complete it if I am missing something):
>
>   Dos devices:    CON, COMn, LPTn, AUX, PRN, NUL (n=0, 1, ...)
>   Named Pipes:    \\.\Pipe\foo
>   Physical Drive: \\.\PhysicalDriveN (N=0, 1, ...)

You still haven't tested a biggie (that we've already told you about):

  DOS file names: c:\path\to\file

If someone can convince a remote sftp client to ask your SFTP server to transfer a DOS file name, then the remote machine has effectively looked outside of your jail, because cygwin cannot place DOS filenames inside the chroot. And we are unlikely to slow down cygwin just to plug this hole in the chroot facade, because we aren't interested in auditing what other holes may exist.

I don't see why you persist in asking when we've already told you the answer, five times over. chroot does _not_ add security in a cygwin environment, nor will we ever be able to make it add security. It merely adds a facade that makes it easier to port Linux apps that use chroot; and it is up to you, not us, to verify whether that facade is sufficient for your needs, because we don't plan on spending the time to audit it.

--
Don't work too hard, make some time for fun as well!
Eric Blake [EMAIL PROTECTED]
Re: Finally managed to create a jailed SFTP server, but how secure?
> No, we mean "get c:/dir/file" or "get c:\dir\file". (or "put //hostname/share/file", shudder.)

This is what I get:

  sftp> cd C:/
  Couldn't canonicalise: No such file or directory
  sftp> get C:/foo
  Couldn't stat remote file: No such file or directory
  File /home/Administrator/C:/foo not found.

Thanks.
Re: Finally managed to create a jailed SFTP server, but how secure?
> This is what I get:
>
>   sftp> cd C:/
>   Couldn't canonicalise: No such file or directory
>   sftp> get C:/foo
>   Couldn't stat remote file: No such file or directory
>   File /home/Administrator/C:/foo not found.

More to come:

  sftp> cd /cygdrive
  sftp> ls -al
  dr-xr-xr-x    1 root     root            0 Jan  1  1970 .
  drwxr-xr-x    5 root     root            0 Dec  1 13:17 ..
  *** note c/ is missing here ***
  sftp> cd c
  Couldn't canonicalise: No such file or directory
  sftp> put foo C:/
  Uploading foo to /cygdrive/C:/
  Couldn't get handle: No such file or directory
Re: Finally managed to create a jailed SFTP server, but how secure?
According to TheO on 12/3/2008 6:29 AM:
>> No, we mean "get c:/dir/file" or "get c:\dir\file". (or "put //hostname/share/file", shudder.)
>
> This is what I get:
>
>   sftp> cd C:/
>   Couldn't canonicalise: No such file or directory

That's with /. What about with \? The cygwin dll sometimes treats the two separators differently, where using \ is more likely to bypass cygwin checks.

And what about Brian's other point - if sshd has a security bug like a buffer overrun (shudder, but possible - look at how often openssh has been updated over the years to fix security holes as soon as someone identifies one), then the attacker merely needs to exploit the buffer overrun to inject code that calls a native Windows API. Harder to exploit? Yes. But certainly _much_ more of a worry than whether or not you have hidden undesirable file names from honest users.

--
Don't work too hard, make some time for fun as well!
Eric Blake [EMAIL PROTECTED]
Re: Finally managed to create a jailed SFTP server, but how secure?
Eric Blake wrote:
> That's with /. What about with \? The cygwin dll sometimes treats the two separators differently, where using \ is more likely to bypass cygwin checks.

Don't forget the other variants, like

  \\.\c:\foo\bar
  \\./c:/foo/bar
  \??\c:\foo\bar
  \??/c:\foo\bar
  \??/c:/foo/bar

Brian
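Julio's "filter the Windowish paths" idea, written out as an added example that is not code from the thread, from Cygwin or from OpenSSH: a pre-check that classifies a client-supplied SFTP path and rejects every Win32 form named in this thread (backslashes, which also covers the \\.\ and \??\ variants above, "c:" drive prefixes, "//host/share" and "//./Pipe" style prefixes, and the DOS device names CON/PRN/AUX/NUL/COMn/LPTn) before it is handed to the filesystem. The function and enum names are this example's own; such a filter only screens the bypass forms, it does nothing about native-API access from exploited code, which is Corinna's and Eric's point.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for a client-supplied path (names are this example's own). */
enum path_verdict {
    PATH_OK = 0,
    PATH_EMPTY,          /* nothing to open */
    PATH_BACKSLASH,      /* contains '\': Win32 separator, also \\.\ and \??\ prefixes */
    PATH_DRIVE_OR_COLON, /* "c:" drive prefix, or any ':' (not legal in a Win32 name) */
    PATH_UNC_OR_DEVICE,  /* "//host/share", "//./Pipe/foo", "//./PhysicalDrive0" */
    PATH_RESERVED_NAME   /* a component named CON, PRN, AUX, NUL, COMn or LPTn */
};

/* Does one path component (no '/') name a DOS device?  Windows matches the
 * base name before the first '.' case-insensitively, so "nul.txt" counts. */
static int is_reserved_component(const char *comp, size_t len)
{
    static const char *const fixed[] = { "CON", "PRN", "AUX", "NUL" };
    char base[5];
    size_t n = 0;

    while (n < len && comp[n] != '.' && n < sizeof base - 1) {
        base[n] = (char)toupper((unsigned char)comp[n]);
        n++;
    }
    if (n < len && comp[n] != '.')
        return 0;               /* base name longer than 4 chars: never a device */
    base[n] = '\0';

    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (strcmp(base, fixed[i]) == 0)
            return 1;
    return n == 4
        && (strncmp(base, "COM", 3) == 0 || strncmp(base, "LPT", 3) == 0)
        && isdigit((unsigned char)base[3]);
}

/* Classify a path before it reaches open()/stat() inside the jail.  Only
 * PATH_OK paths are plain POSIX paths that the Cygwin chroot logic will
 * actually be applied to; ".." traversal is left to the chroot itself. */
enum path_verdict check_jail_path(const char *path)
{
    if (path == NULL || *path == '\0')
        return PATH_EMPTY;
    if (strchr(path, '\\') != NULL)
        return PATH_BACKSLASH;
    if (strchr(path, ':') != NULL)
        return PATH_DRIVE_OR_COLON;
    if (path[0] == '/' && path[1] == '/')
        return PATH_UNC_OR_DEVICE;

    /* Walk the components and reject a device name wherever it appears. */
    for (const char *p = path; *p != '\0'; ) {
        while (*p == '/')
            p++;
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        if (p > start && is_reserved_component(start, (size_t)(p - start)))
            return PATH_RESERVED_NAME;
    }
    return PATH_OK;
}

static const char *verdict_name(enum path_verdict v)
{
    static const char *const names[] = {
        "ok", "empty", "backslash", "drive-or-colon", "unc-or-device", "reserved-name"
    };
    return names[v];
}

/* Stand-alone demo over the path forms discussed in the thread (constructed). */
int main(void)
{
    const char *samples[] = {
        "/home/user/report.txt", "docs/../readme", "C:/foo", "c:\\dir\\file",
        "\\\\.\\c:\\foo\\bar", "\\??\\c:\\foo\\bar", "//hostname/share/file",
        "//./Pipe/foo", "PRN", "/home/user/NUL", "com1.txt", "console.log"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i], verdict_name(check_jail_path(samples[i])));
    return 0;
}
```

Note that the check rejects any ':' rather than only a leading drive letter, because a path such as /home/Administrator/C:/foo is what the server builds after prefixing the working directory.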
Re: Finally managed to create a jailed SFTP server, but how secure?
> Don't forget the other variants, like
>
>   \\.\c:\foo\bar
>   \\./c:/foo/bar
>   \??\c:\foo\bar
>   \??/c:\foo\bar
>   \??/c:/foo/bar

I will definitely try different variants. Unfortunately I can only give the feedback tomorrow as I am away from the office now.

Thanks for your input.
Re: Finally managed to create a jailed SFTP server, but how secure?
> And what about Brian's other point - if sshd has a security bug like a buffer overrun (shudder, but possible - look at how often openssh has been updated over the years to fix security holes as soon as someone identifies one)

Such a hole would affect all OpenSSH implementations. Even the Linux version. Am I correct?
Re: Finally managed to create a jailed SFTP server, but how secure?
>> And what about Brian's other point - if sshd has a security bug like a buffer overrun (shudder, but possible - look at how often openssh has been updated over the years to fix security holes as soon as someone identifies one)
>
> Such a hole would affect all OpenSSH implementations. Even the Linux version. Am I correct?

On one level, yes - if the bug is in the sshd code, then there is a good chance all OpenSSH ports would have the same buffer overflow bug (unless the bug is in a platform-dependent #ifdef section).

But on another level, _no_, and that is what we are trying to tell you. On Linux, if someone can exploit a buffer overflow, ALL they can corrupt is the chroot jail - the rest of your system is _untouched_. On Cygwin, if someone can exploit a buffer overflow, the ENTIRE OS is up for grabs, and they can alter any file they want, because the OS is not enforcing a chroot jail.

One other point: on Cygwin, you have the potential for a buffer overflow in cygwin1.dll (we hope not, but it is possible), which could mean that the cygwin sshd is vulnerable based on the .dll it links against while the same version of sshd on Linux is secure. I suppose the converse is true - a buffer overflow in glibc could make the Linux sshd vulnerable while the Cygwin version is fine; but remember that more people tend to audit glibc code than cygwin code.

--
Eric Blake

View this message in context: http://www.nabble.com/Finally-managed-to-create-a-jailed-SFTP-server%2C-but-how-secure--tp20775267p20815125.html
Sent from the Cygwin list mailing list archive at Nabble.com.
Re: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote:
> Larry Hall wrote:
>> No, you cannot hide it. It is created by Cygwin itself as a convenience to access the virtual 'cygdrive' directory. This is one of a number of virtual directories ('/proc' and '/dev' come to mind) that Cygwin supports. See the description of "Special filenames" in the User's Guide for more details.
>
> I understand why all these virtual directories are necessary at the absolute '/' root level. But here I refer to /cygdrive which is created inside the jail directory, which means in absolute path, /jail/cygdrive (/jail being the root of my jail). Inside the jail, only /cygdrive is created, no other virtual directories (/proc or /dev/xxx) or files are created.

Created or not, they exist. Try it.

>> In 1.7, there is a new authentication module that will solve these and other pubkey authentication problems. But 1.7 is not currently released and its release date is not decided.
>
> Thanks for this input. I suppose that to be on the safe side, I must restrict it to password based authentication only if I use the current Cygwin.

This removes the impersonation piece of the puzzle, yes.

> And finally one more question. I am only aware of two subsystems supported by sshd more or less implicitly; sftp and shell (interactive logon). Are there any other subsystems which are handled by sshd implicitly (without me having to add anything to /etc/sshd_config)?

Can't answer that.

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
Re: Finally managed to create a jailed SFTP server, but how secure?
> If you're happy with the results, that's fine. However, you asked how secure SFTP was. The answer is as I've said. Cygwin is not the O/S. It cannot enforce restrictions on the O/S. Only the O/S can restrict or grant access to users.

Thanks Larry,

The reason why Cygwin is ideal for me to provide SFTP service is that it provides a free SFTP solution for the Windows platform. My programmers come from the Windows world; they are more familiar with .NET than Unix, but sometimes they are required to build a system featuring an SFTP server where our user can upload his files to be processed by our .NET application and finally, he downloads the response files from SFTP. Cygwin makes this possible in an economic way.

> I have not attempted to set up a jailed SFTP environment on Cygwin. It may be that what you've done hems the user into the area you want when he/she is using Cygwin tools. However, this does not restrict the user with Windows native tools. If he/she is able to leverage those inside the jail, then the user has the keys he/she wants to get out.

He might be able to upload nasty tools, but what else could he possibly do if he has access to only a restricted SFTP subsystem?
Re: Finally managed to create a jailed SFTP server, but how secure?
> Did you verify whether DOS paths, such as c:\, were also blocked?

No, it's not blocked from Windows. If I log on locally, I can access /cygdrive/c without any problem. But I can't using jailed SFTP, even if I use my Administrator account.

> To repeat what we have already told you multiple times: cygwin does NOT enforce the jail. And without OS support to do so, we are not in a position to state that your jail is secure; so with security in mind, you must consider the SFTP connection, even in its chroot jail, to be only as secure as the restricted rights that you are able to enforce on the Windows user id in use when you make the SFTP connection.

Please don't get me wrong here Eric. I am just trying to see the suitability of Cygwin as the ultimate SFTP server in Windows. SFTP is becoming more and more popular amongst our customers. In the last 6 months, I received 3 requests to build a system with an integrated SFTP server in it. To be honest with you, I had never come across this word before that time. Choosing a full Unix based solution is, for the time being, out of the question for me as my programmers don't speak Unix at all. If I know how to build a safe SFTP server with Cygwin, then I will share this experience with others. At least I can contribute to making Cygwin a little bit more popular.
Re: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote:
>> If you're happy with the results, that's fine. However, you asked how secure SFTP was. The answer is as I've said. Cygwin is not the O/S. It cannot enforce restrictions on the O/S. Only the O/S can restrict or grant access to users.
>
> Thanks Larry,
>
> The reason why Cygwin is ideal for me to provide SFTP service is that it provides a free SFTP solution for the Windows platform. My programmers come from the Windows world; they are more familiar with .NET than Unix, but sometimes they are required to build a system featuring an SFTP server where our user can upload his files to be processed by our .NET application and finally, he downloads the response files from SFTP. Cygwin makes this possible in an economic way.

I understand. If SFTP under Cygwin fits your needs and you can live with the risks, then you should continue using it. I certainly don't understand your application or its requirements for communication but given your description above, it seems to me that 'scp' would serve your purpose and wouldn't rely on limited 'chroot' capabilities. But I'm assuming you've already thought of that and have ruled it out for your own reasons.

>> I have not attempted to set up a jailed SFTP environment on Cygwin. It may be that what you've done hems the user into the area you want when he/she is using Cygwin tools. However, this does not restrict the user with Windows native tools. If he/she is able to leverage those inside the jail, then the user has the keys he/she wants to get out.
>
> He might be able to upload nasty tools, but what else could he possibly do if he has access to only a restricted SFTP subsystem?

Good question. A better one is: are you willing to accept the risk? I also want to once again point out that a restricted FTP subsystem does not have all the same restrictions as it would in a UNIX/Linux environment. Only you can decide whether this difference is something you can live with. But in terms of security, Cygwin's SFTP is not as secure as UNIX/Linux versions with the full O/S support for 'chroot'. I'm not trying to talk you out of anything. I'm just answering your original question and providing you with the facts. It's up to you how you want to apply them to your situation.

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
Re: Finally managed to create a jailed SFTP server, but how secure?
> I understand. If SFTP under Cygwin fits your needs and you can live with the risks, then you should continue using it. I certainly don't understand your application or its requirements for communication but given your description above, it seems to me that 'scp' would serve your purpose and wouldn't rely on limited 'chroot' capabilities. But I'm assuming you've already thought of that and have ruled it out for your own reasons.

Yes, SFTP is the only choice for me here. Actually nowadays, at least in my organization, SFTP has become the most preferred method to transfer files securely. Its popularity leaves behind FTP over VPN and FTP/SSL (another secured version of FTP). Unfortunately I can't use 'scp'.

> Good question. A better one is: are you willing to accept the risk? I also want to once again point out that a restricted FTP subsystem does not have all the same restrictions as it would in a UNIX/Linux environment. Only you can decide whether this difference is something you can live with.

Risk is exactly my main concern here. That's why I tried myself to find any possible hole using this set up. I even considered once using coLinux (www.colinux.org), which offers native Linux inside Windows, but after trying to install it myself I found it to be too burdensome for my (sob) Windows support team to deploy and maintain it. Especially when Windows itself is actually running on top of a VMware virtual machine. Cygwin seems extremely light in comparison to it and it runs as a normal Win32 process.

I understand that in theory Cygwin, as a normal Win32 process, can't offer more protection than what Windows can. Even though Windows itself, if properly configured, is a very secure system. For example, Windows ACLs are more complex than the standard user/group/other rwx flags on *nix. But don't flame me for saying this please. I don't want to start any issue related to Windows vs *nix here.

The thing is, as a newbie in Cygwin, I don't know the exact inner workings of Cygwin. I don't know what Cygwin does when it is chroot'ing. I know very little of what it does when I log on using public key authentication (it runs under the sshd account as opposed to the user account). I don't know why under the chroot setting, Cygwin creates /cygdrive under my /jail directory. And I don't know what one can do if he has read access to it. I am just an ordinary Cygwin user from this perspective with no knowledge of Cygwin internal processes. That's why I need input from those who have more visibility than me to point me in the right direction.

I promise to help promote Cygwin in the Windows community if I can find a way to make it a secure SFTP server :). I am sure a lot of Windows users will prefer Cygwin to other commercial software.

Thanks again.
Re: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote:
> Risk is exactly my main concern here.
> <snip>
> I understand that in theory Cygwin, as a normal Win32 process, can't offer more protection than what Windows can.
> <snip>
> The thing is, as a newbie in Cygwin, I don't know the exact inner workings of Cygwin. I don't know what Cygwin does when it is chroot'ing. I know very little of what it does when I log on using public key authentication (it runs under the sshd account as opposed to the user account). I don't know why, under the chroot setting, Cygwin creates /cygdrive under my /jail directory. And I don't know what one can do if he has read access to it. I am just an ordinary Cygwin user from this perspective with no knowledge of Cygwin's internal processes. That's why I need input from those who have more visibility than me to point me in the right direction.

And you've been pointed in that direction. Sorry if it falls short of your hopes but at the moment at least, that's the best advice we can give you.

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
Re: Finally managed to create a jailed SFTP server, but how secure?
On Tue, Dec 02, 2008 at 02:18:07PM -0800, TheO wrote:
> I promise to help promote Cygwin in the Windows community if I can find a way to make it a secure SFTP server :). I am sure a lot of Windows users will prefer Cygwin to other commercial software.

I'm glad you're finding some use for Cygwin but we really aren't incredibly interested in people who want to use it for reasons other than as a POSIX emulation layer. People who are used to Windows are undoubtedly going to be confused by some of the conventions we've adopted and this will often lead to excessive mailing list traffic as we try to deal with misconceptions. Also, no one enjoys the inevitable "It seems to me that you should be more supportive of people who want to use Cygwin this way" email that usually follows attempts to explain what the project is all about.

cgf
Re: Finally managed to create a jailed SFTP server, but how secure?
Many thanks for all your responses so far and I apologize if I seem to be very persistent with my questions in this thread. Maybe it's my fault to pose such a general question. Maybe I should be more specific in my questions, asking many smaller targeted questions instead of one big one. For example:

- Why does the internal-sftp subsystem create /cygdrive inside the jailed directory?
- Who creates it? sshd or internal-sftp?
- Why is /cygdrive needed in the jailed environment?
- What harm can one do via /cygdrive even though it looks empty?
- Is it possible to hide it in the jailed environment? How?
- internal-sftp seems to have visibility outside the jail directory as it can list the owner and group name of the objects inside the jail directory although I haven't copied /etc/passwd and /etc/group to the jailed directory. How can this be possible?
- If I log on using public key authentication, sshd with its internal-sftp embedded in it runs using the sshd account (correct me if I'm wrong here). But how can it read/write to a directory which does not belong to that account and from which I revoked group and other r/w rights?
- etc etc

Maybe if I knew the answers to some of these puzzles, I would be able to figure out better what kind of security I can expect from SFTP on Cygwin. Do you think I'd better start 2-3 new threads with specific questions in each? Or shall I just carry on with this thread? Your suggestions are always more than welcome in this quest.
Re: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote:
> Many thanks for all your responses so far and I apologize if I seem to be very persistent with my questions in this thread. Maybe it's my fault to pose such a general question. Maybe I should be more specific in my questions, asking many smaller targeted questions instead of one big one. For example:
>
> - Why does the internal-sftp subsystem create /cygdrive inside the jailed directory?
> - Who creates it? sshd or internal-sftp?
> - Why is /cygdrive needed in the jailed environment?
> - What harm can one do via /cygdrive even though it looks empty?
> - Is it possible to hide it in the jailed environment? How?

No, you cannot hide it. It is created by Cygwin itself as a convenience to access the virtual 'cygdrive' directory. This is one of a number of virtual directories ('/proc' and '/dev' come to mind) that Cygwin supports. See the description of "Special filenames" in the User's Guide for more details.

> - internal-sftp seems to have visibility outside the jail directory as it can list the owner and group name of the objects inside the jail directory although I haven't copied /etc/passwd and /etc/group to the jailed directory. How can this be possible?

Hasn't this been answered already? 'chroot' is not secure so setting up a jail based on it is not secure. Is there some part of this statement that's not clear to you?

> - If I log on using public key authentication, sshd with its internal-sftp embedded in it runs using the sshd account (correct me if I'm wrong here). But how can it read/write to a directory which does not belong to that account and from which I revoked group and other r/w rights?

Using 'ssh' with public key authentication means that Cygwin impersonates the desired user through some O/S trickery. You can get some details of this in the User's Guide as well. See the "Switching User Context" section. However, in the 1.5.x series of the Cygwin package, there are places where the user that started the service bleeds through. In 1.7, there is a new authentication module that will solve these and other pubkey authentication problems. But 1.7 is not currently released and its release date is not decided.

> Maybe if I knew the answers to some of these puzzles, I would be able to figure out better what kind of security I can expect from SFTP on Cygwin.

I will say this as clearly as I can - you can expect _incomplete_ security with Cygwin's SFTP because of missing O/S support for 'chroot'. If you want to split hairs over how much insecurity you're willing to accept, that's fine but that's going to have to be something you determine for yourself through experimentation. No one has been looking at SFTP to try to figure out all the places where it leaks. So you'd be breaking new ground here. In addition, you need to also accept the fact that the state of insecurity as provided by 'chroot' may change (i.e. worsen) over time. If you're not willing to accept "no security" as an answer to your initial question, you can save yourself a lot of time.

> Do you think I'd better start 2-3 new threads with specific questions in each? Or shall I just carry on with this thread?

I'm skeptical as to the value of prolonging the thread. From the beginning you've been told that Cygwin's SFTP is insecure. I would recommend that you decide for yourself whether an insecure SFTP is a viable alternative for you. A "no" answer terminates this thread for sure. I'm not sure where a "yes" leaves things in your mind. I try not to read minds. ;-)

--
Larry Hall
Re: Finally managed to create a jailed SFTP server, but how secure?
Hi again,

I am afraid I have to ask for clarification again :(, I hope this is the last time before I am on my own with this:

> No, you cannot hide it. It is created by Cygwin itself as a convenience to access the virtual 'cygdrive' directory. This is one of a number of virtual directories ('/proc' and '/dev' come to mind) that Cygwin supports. See the description of "Special filenames" in the User's Guide for more details.

I understand why all these virtual directories are necessary at the absolute '/' root level. But here I refer to /cygdrive which is created inside the jail directory, which means in absolute path, /jail/cygdrive (/jail being the root of my jail). Inside the jail, only /cygdrive is created, no other virtual directories (/proc or /dev/xxx) or files are created.

> In 1.7, there is a new authentication module that will solve these and other pubkey authentication problems. But 1.7 is not currently released and its release date is not decided.

Thanks for this input. I suppose that to be on the safe side, I must restrict it to password based authentication only if I use the current Cygwin.

And finally one more question. I am only aware of two subsystems supported by sshd more or less implicitly; sftp and shell (interactive logon). Are there any other subsystems which are handled by sshd implicitly (without me having to add anything to /etc/sshd_config)?

Thanks again.
RE: Finally managed to create a jailed SFTP server, but how secure?
Hello,

I followed this discussion, but does an ftp server exist with the possibility of locking a user in his home directory, preventing him from getting out of this jail? As I see this discussion I suppose that this is not possible. Seems that someone needs to add this code to an ftp server.

Kind regards,
Albert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Larry Hall (Cygwin)
Sent: Tuesday, 2 December 2008 17:56
To: cygwin@cygwin.com
Subject: Re: Finally managed to create a jailed SFTP server, but how secure?

TheO wrote:
>> If you're happy with the results, that's fine. However, you asked how secure SFTP was. The answer is as I've said. Cygwin is not the O/S. It cannot enforce restrictions on the O/S. Only the O/S can restrict or grant access to users.
>
> Thanks Larry,
>
> The reason why Cygwin is ideal for me to provide SFTP service is that it provides a free SFTP solution for the Windows platform. My programmers come from the Windows world, they are more familiar with .NET than Unix but sometimes, they are required to build a system featuring an SFTP server where our user can upload his files to be processed by our .NET application and finally, he downloads the response files from SFTP. Cygwin makes this possible in an economic way.

I understand. If SFTP under Cygwin fits your needs and you can live with the risks, then you should continue using it. I certainly don't understand your application or its requirements for communication but given your description above, it seems to me that 'scp' would serve your purpose and wouldn't rely on limited 'chroot' capabilities. But I'm assuming you've already thought of that and have ruled it out for your own reasons.

>> I have not attempted to set up a jailed SFTP environment on Cygwin. It may be that what you've done hems the user into the area you want when he/she is using Cygwin tools. However, this does not restrict the user with Windows native tools. If he/she is able to leverage those inside the jail, then the user has the keys he/she wants to get out.
>
> He might be able to upload nasty tools but what else could he possibly do if he has access to only a restricted SFTP subsystem?

Good question. A better one is are you willing to accept the risk? I also want to once again point out that a restricted FTP subsystem does not have all the same restrictions as it would in a UNIX/Linux environment. Only you can decide whether this difference is something you can live with. But in terms of security, Cygwin's SFTP is not as secure as UNIX/Linux versions with the full O/S support for 'chroot'. I'm not trying to talk you out of anything. I'm just answering your original question and providing you with the facts. It's up to you how you want to apply them to your situation.

--
Larry Hall
Finally managed to create a jailed SFTP server, but how secure?
Hi,

I finally managed to create a chroot'ed (jailed) SFTP environment under Cygwin. Here are my steps which may be useful for others:

- All directories from root to the chroot directory must be owned by UID 0 and GID 0. For example, if you want to jail users in /jail then / and /jail must belong to (0, 0). In my setup, I set the Administrator user to be (0, 0) in /etc/passwd.
- The home directory for the user as declared in /etc/passwd must be created under this chroot directory too, for example, /jail/home/user must exist too and belong to the user.
- Use internal-sftp for Subsystem sftp

So my minimum directory structure is as follows:

    /jail
    /jail/home
    /jail/home/user
    /home/user

If you want to enable public key authentication, then the following must exist too:

    /home/user/.ssh
    /home/user/.ssh/authorized_keys

My /etc/sshd_config contains:

    ChrootDirectory /jail
    Subsystem sftp internal-sftp

After configuring the user's public key in /home/user/.ssh/authorized_keys, he can log on using SFTP with his private key and could see only the following limited directory structure:

    /
    /home
    /home/user
    /cygdrive

Yes, /cygdrive is there too and strangely but fortunately, it is empty. I didn't copy /bin/bash to the jailed directory, so an interactive session using SSH will fail (which is what I want).

As far as I am concerned, the user's view is restricted enough to what I allow them to see and do. If I revoke the user's rights to write to any directory except /jail/home/user, then he should only be able to upload files to his jailed home directory.

My question is, how secure is Cygwin as an SFTP server set up this way? Is there any security hole I don't know yet?
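As an added example that is not part of the thread (neither TheO's nor the Cygwin project's code), here is a POSIX shell check for what the steps above and the later pubkey discussion establish: every directory from / down to the jail must be owned by UID 0/GID 0 and must not be group- or world-writable (OpenSSH itself refuses a ChrootDirectory whose path components are writable by anyone but root), and sshd_config should use internal-sftp and, on the Cygwin 1.5.x series discussed in this thread, disable public key authentication. It assumes GNU stat (Cygwin's coreutils), paths without spaces, and the file name check_jail.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a ChrootDirectory jail
# (the thread's /jail) against the rules established in this thread:
#  1. every path component from / down to the jail is owned by UID 0 / GID 0
#     and is not group- or world-writable (sshd rejects the chroot otherwise);
#  2. sshd_config uses internal-sftp and, as TheO concluded for the Cygwin
#     1.5.x series, public key authentication is disabled so that the sshd
#     service account cannot bleed through into the jail.
# Assumes GNU stat (Cygwin coreutils) and paths that contain no spaces.

# Reads "path uid gid mode" lines (the output format of
# `stat -c '%n %u %g %a'`) on stdin, prints one line per violation, and
# returns 0 when every component is acceptable, 1 otherwise.
check_chroot_lines() {
    bad=0
    while read -r path uid gid mode; do
        [ -n "$path" ] || continue
        if [ "$uid" != 0 ] || [ "$gid" != 0 ]; then
            printf '%s: owned by %s:%s, must be 0:0\n' "$path" "$uid" "$gid"
            bad=1
        fi
        # %a prints octal digits: the last one is "other", the one before it
        # "group". Write permission is bit 2, i.e. the digits 2, 3, 6 and 7.
        other=${mode#"${mode%?}"}
        rest=${mode%?}
        group=${rest#"${rest%?}"}
        case "$group$other" in
            [2367]?|?[2367])
                printf '%s: mode %s is group- or world-writable\n' "$path" "$mode"
                bad=1 ;;
        esac
    done
    return $bad
}

# Emits one stat line for the jail directory and each of its ancestors
# (e.g. /jail, then /) so that check_chroot_lines can inspect the whole chain.
chroot_chain_lines() {
    dir=$1
    while :; do
        stat -c '%n %u %g %a' "$dir" || return 1
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
}

# Reads sshd_config on stdin. Returns 0 only if the sftp subsystem is
# internal-sftp and PubkeyAuthentication is explicitly set to "no".
check_sshd_config() {
    sub=no
    pub=no
    while read -r key val rest; do
        case "$key" in
            Subsystem)
                if [ "$val" = sftp ] && [ "$rest" = internal-sftp ]; then
                    sub=yes
                fi ;;
            PubkeyAuthentication)
                if [ "$val" = no ]; then
                    pub=yes
                fi ;;
        esac
    done
    [ "$sub" = yes ] && [ "$pub" = yes ]
}

# Usage: sh check_jail.sh /jail /etc/sshd_config
if [ $# -eq 2 ]; then
    chroot_chain_lines "$1" | check_chroot_lines && echo "directory chain OK"
    check_sshd_config < "$2" && echo "sshd_config OK"
fi
```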
Re: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote:
> <snip>
> As far as I am concerned, the user's view is restricted enough to what I allow them to see and do. If I revoke the user's rights to write to any directory except /jail/home/user, then he should only be able to upload files to his jailed home directory.
>
> My question is, how secure is Cygwin as an SFTP server set up this way? Is there any security hole I don't know yet?

Security from the standpoint of access to the remote file system and processes comes from the security measures put in place under Windows on the remote system. SFTP under Cygwin will not provide this. It only provides encrypted transport.

--
Larry Hall
Re: Finally managed to create a jailed SFTP server, but how secure?
Larry Hall (Cygwin) wrote:
> TheO wrote:
>> <snip>
>> As far as I am concerned, the user's view is restricted enough to what I allow them to see and do. If I revoke the user's rights to write to any directory except /jail/home/user, then he should only be able to upload files to his jailed home directory.
>>
>> My question is, how secure is Cygwin as an SFTP server set up this way? Is there any security hole I don't know yet?

Ugh! Looks like I'm challenged in the proof-reading department this morning!

> Security from the standpoint of access to the remote file system and processes come[s] from the security measures put in place under Windows on the remote system. SFTP under Cygwin will not provide this. It only provid[e]s encrypted transport.

--
Larry Hall
Re: Finally managed to create a jailed SFTP server, but how secure?
> Security from the standpoint of access to the remote file system and processes comes from the security measures put in place under Windows on the remote system. SFTP under Cygwin will not provide this. It only provides encrypted transport.

According to my observation, regardless of his authentication (public key or password), he can only see a limited number of directories within the jail environment. The only directory which is virtually added by Cygwin during his login, and therefore beyond my control, is /cygdrive. Luckily enough for me, it is empty so in my opinion the user can't traverse my hard disk.

I did some simple tests to break out of my jail. From my SFTP session, I tried to do the following:

    sftp> cd /cygdrive
    sftp> cd c
    Couldn't canonicalise: No such file or directory
    sftp> mkdir c
    Couldn't create directory: No such file or directory

which is good. But maybe my simple tests are not enough. Maybe there are some special file names which are not mapped to any directory or file but are interpreted internally by Cygwin to designate some directories outside the jail.

Thanks again.
Re: Finally managed to create a jailed SFTP server, but how secure?
On 12/01/2008, TheO wrote:
> According to my observation, regardless of his authentication (public key or password), he can only see a limited number of directories within the jail environment. The only directory which is virtually added by Cygwin during his login, and therefore beyond my control, is /cygdrive. Luckily enough for me, it is empty so in my opinion the user can't traverse my hard disk.

If you're happy with the results, that's fine. However, you asked how secure SFTP was. The answer is as I've said. Cygwin is not the O/S. It cannot enforce restrictions on the O/S. Only the O/S can restrict or grant access to users.

I have not attempted to set up a jailed SFTP environment on Cygwin. It may be that what you've done hems the user into the area you want when he/she is using Cygwin tools. However, this does not restrict the user with Windows native tools. If he/she is able to leverage those inside the jail, then the user has the keys he/she wants to get out.

--
Larry Hall
Re: Finally managed to create a jailed SFTP server, but how secure?
According to TheO on 12/1/2008 12:13 PM:
> I did some simple tests to break out of my jail. From my SFTP session, I tried to do the following:
>
>     sftp> cd /cygdrive
>     sftp> cd c
>     Couldn't canonicalise: No such file or directory

Did you verify whether DOS paths, such as c:\, were also blocked?

> But maybe my simple tests are not enough. Maybe there are some special file names which are not mapped to any directory or file but are interpreted internally by Cygwin to designate some directories outside the jail.

To repeat what we have already told you multiple times: cygwin does NOT enforce the jail. And without OS support to do so, we are not in a position to state that your jail is secure; so with security in mind, you must consider the SFTP connection, even in its chroot jail, to be only as secure as the restricted rights that you are able to enforce on the Windows user id in use when you make the SFTP connection.

--
Don't work too hard, make some time for fun as well!

Eric Blake [EMAIL PROTECTED]