You also need to try symlinks that point outside the jail. Try
creating them both from the shell and within SFTP.
Just got back from my Christmas shopping and now back to work :)
I don't know how to create a symlink from inside SFTP so I did it only from
Console. I have created two
What about:
$ sftp localhost
Connecting to localhost...
sftp symlink 'C:\Windows' bar
sftp symlink C:\foobar foobar
sftp symlink C:\windows windows
sftp ls -al
drwxr-xr-x2 root root0 Dec 5 19:31 .
drwxr-xr-x3 root root0 Dec 4
What about:
$ sftp localhost
Connecting to localhost...
sftp symlink 'C:\Windows' bar
sftp cd bar
Sorry I missed out the ', here we go again with ' this time:
sftp symlink 'C:\foobar' foobar
sftp symlink 'C:\windows' windows
sftp ls -al
drwxr-xr-x2 root root0 Dec 5
From what we've seen so far, it seems that SFTP responds as expected.
That is all that I want to know.
From this point forward, we must try to close all other access ways
that do not belong to the scenario... but those are not excuses to
not implement the SFTP chroot.
Actually, my real
This isn't a question of being good or badly implemented, it's the
simple fact that it doesn't (and can't) provide what people think it
does. Chroot is a bad fake on Cygwin. Even a super cool implementation
doesn't change that.
I don't know how chroot is implemented but so far
If you are concerned about the cygdrive text there is a registry entry
where you can set that to whatever you want including . That is what I do.
I would tell you what it is but my windows machine is not here right now.
Then when you ls / you get /c, /d etc instead of /cygdrive/c,
I believe it is still supported for Cygwin 1.5. I think what has
happened is the Cygwin DLL created an actual /cygdrive directory (which
is useful for things like bash completion) in your chroot jail. Now that
you've changed the Cygdrive prefix, delete that directory and all should
be good.
But when I tried to restart sshd, I got this message:
# net start sshd
bash: /cygdrive/c/WINDOWS/system32/net: No such file or directory
Do I need to change somewhere else too?
Ignore my previous message. It worked after I closed the last
Console and opened a new one.
Many thanks
I will try different variants definitely. Unfortunately I can only give the
feedback tomorrow as I am away from the office now.
Thanks for your input.
Hi again,
I'm sorry I couldn't come back earlier. All my tests (at the end of this post)
show negative results. First, I try to change
I understand why all these virtual directories are necessary at the absolute
'/' root level. But here I refer to /cygdrive which is created inside the
jail directory, which means in absolute path, /jail/cygdrive (/jail being the
root of my jail). Inside the jail, only /cygdrive is
This is not valid reasoning, as Eric Blake already pointed out you can
still access files outside of a chroot even if you're still going
through the Cygwin DLL by using Win32 style pathnames since Cygwin
passes those through untouched. Whether or not you can trick the sftp
code into
No, we mean get c:/dir/file or get c:\dir\file. (or put
//hostname/share/file, shudder.)
This is what I get:
sftp cd C:/
Couldn't canonicalise: No such file or directory
sftp get C:/foo
Couldn't stat remote file: No such file or directory
File /home/Administrator/C:/foo not found.
More to come:
sftp cd /cygdrive
sftp ls -al
dr-xr-xr-x
Don't forget the other variants, like
\\.\c:\foo\bar
\\./c:/foo/bar
\??\c:\foo\bar
\??/c:\foo\bar
\??/c:/foo/bar
And what about Brian's other point - if sshd has a security bug like a
buffer overrun (shudder, but possible - look at how often openssh has been
updated over the years to fix security holes as soon as someone identifies
one)
Such a hole would affect all OpenSSH implementations. Even the
If you're happy with the results, that's fine. However, you asked how
secure SFTP was. The answer is as I've said. Cygwin is not the O/S.
It cannot enforce restrictions on the O/S. Only the O/S can restrict
or grant access to users.
Thanks Larry,
The reason why Cygwin is ideal for
Did you verify whether DOS paths, such as c:\, were also blocked?
No it's not blocked from Windows. If I log on locally, I can access /cygdrive/c
without any problem. But I can't using jailed SFTP, even if I use my
Administrator account.
To repeat what we have already told you
I understand. If SFTP under Cygwin fits your needs and you can live
with the risks, then you should continue using it. I certainly don't
understand your application or its requirements for communication but
given your description above, it seems to me that 'scp' would serve your
purpose
Many thanks for all your responses so far and I apologize if I
seem to be very persistent with my questions in this thread.
Maybe it's my fault to pose such a general question. Maybe I should
be more specific in my questions, asking many smaller targeted
questions instead of one big one.
Hi again,
I am afraid I have to ask for clarification again :(, I hope this is the last
time before I am on my own with this:
No, you cannot hide it. It is created by Cygwin itself as a convenience
to access the virtual 'cygdrive' directory. This is one of a number of
virtual
Hi,
I finally managed to create a chroot'ed (jailed) SFTP environment under Cygwin.
Here are my steps which may be useful for others:
- All directories from root to the chroot directory must be owned by UID 0 and
GID 0. For example, if you want to jail users in /jail then / and /jail must
Security from the standpoint of access to the remote file system and
processes comes from the security measures put in place under Windows
on the remote system. SFTP under Cygwin will not provide this. It
only provides encrypted transport.
According to my observation, regardless of his
According to TheO on 11/17/2008 2:24 PM:
Hi,
I have Cygwin with OpenSSH version 5.1p1-9 installed.
I managed to make ssh with chroot to work by using ChrootDirectory in
sshd_config and copying /bin/bash to the chroot directory.
chroot on cygwin is NOT a security measure; it is just an emulation
Hi Corinna,
I agree with you on the fact that it's difficult to have full protection from
Cygwin for ssh login.
But my main concern is SFTP. What can a user do with SFTP if he is jailed in
Cygwin? He can only see, upload, download files in the allowed directories
using SFTP and can't execute
Hi Corinna,
I tried to set ChrootDirectory to / (the root directory) which normally is
identical to no jail (and therefore I don't need to copy anything to
user's home directory).
But it didn't work for SFTP; it worked for SSH though.
Corinna Vinschen wrote:
: SFTP doesn't work with ChrootDirectory option set
To: cygwin@cygwin.com, [EMAIL PROTECTED]
Date: Monday, November 17, 2008, 9:33 PM
According to TheO on 11/17/2008 2:24 PM:
Hi,
I have Cygwin with OpenSSH version 5.1p1-9 installed.
I
Hi,
I have Cygwin with OpenSSH version 5.1p1-9 installed.
I managed to make ssh with chroot to work by using ChrootDirectory in
sshd_config and copying /bin/bash to the chroot directory.
But I can't make it work for SFTP even when I tried to set:
ChrootDirectory /
which I expect should be
on the subject already, or else I could
make some more examples suitable for cygwin compilation, which is a
great improvement (and Open Source and Free) over the windows tools! Let
me know what you think.
Regards,
Theo Verelst
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe
for the clarifications. The instructions in this location
are very clear and I will be happy to try them out.
--theo
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http
in the documentation. Hopefully this saves some time for others who
apparently were looking for the same.
with best regards
Theo
--
Ericsson Research, Service Layer Technologies
KI/EAB/TGB,SE-164 80 Kista, Sweden
Reini Urban wrote:
Theo Verelst schrieb:
I've started a sound generator package on Linux and Cygwin consisting
...
http://82.168.209.239/Soundtest
Why not use the standard puredata, which is also based on tcl/tk and
portaudio, but is stable and mature?
Well, as quick response, to begin with I
,
Theo Verelst
[EMAIL PROTECTED]
people from the CYGWIN scene interested in this
event ?
I'd say cygwin is one of the main forces of open source software,
and worth while fighting the good battle of unobscuriating
software games with.
Greetings,
Theo Verelst
[EMAIL PROTECTED]
http://theover.tripod.com
Hi everyone,
Does anyone know of a decent and generally useable setup with some USB
chip/board to get *normal* bit or byte-wise IO using a cygwin compiled PC
program and driver ? And if so, how...
Theo Verelst
http://home.tiscali.nl/theover
http://82.168.209.239/fosdem
http
the short error output.
Tia
Theo
--
/home/Theo/Pmspick2 [515] $ make
gcc -c -DWIN32 -D__WIN32__ -D_WINDOW pick.c
In file included from /usr/include/GL/glut.h:132,
from pick.c:58:
/usr/include/w32api
I just figured out with diff that there's probably just one line in
error, which I commented out, and there some stuff removed.
It compiled again, but I still wonder how it all is with glu.h !
Theo.
be
compiled with cygwin.
Regards,
Theo Verelst
[EMAIL PROTECTED]
Christopher Faylor wrote:
On Sun, Jan 04, 2004 at 04:30:56PM +0100, Theo Verelst wrote:
Anyone know whether cygwin can pass file descriptors over unix sockets
(streams) so that a process can share its file descriptors with
another?
Nope. Sorry.
--
Is it not an option because of windows
Anyone know whether cygwin can pass file descriptors over unix sockets
(streams) so that a process can share its file descriptors with another?
Theo Verelst
[EMAIL PROTECTED]
latest diary page: http://195.241.128.75/Diary/ldiary15.html
41 matches