[scponly] Re: scponly 3.11 various bug fixes - patch released.

David Ramsden david at hexstream.eu.org
Tue May 25 20:38:23 EDT 2004


On Tue, May 25, 2004 at 06:25:51PM -0600, Paul Hyder wrote:
> >After a call to chroot(), chdir("/") MUST be called or the chroot() can
> >be broken out of. For me, the bug originally came about because I'm
> >using grsecurity which enforces a chdir("/") on any call to chroot() to
> >make it more secure.
> 
> Ok, I'm curious, in scponly without a shell how can you break out of
> the chroot?  (There is a lot scponly already won't let you do.
> Always interested in what might need to be added.)

Yes, this is true Paul. Sorry - I totally overlooked that! How silly of
me.
But as a matter of secure programming and principle I believe the
current implementation isn't technically "secure" (OK - nothing is) and
is therefore a security hole, if you like.

> 
> But your behavior does make sense if grsecurity is doing an explicit
> chdir.  (Otherwise you should already be in the home directory.)

Indeed. It's all falling into place now.
There is no problem getting into the chroot'ed home directory - it just
doesn't 1.) honour "/home/fred//incoming" style $HOME's 2.) make a call
to chdir(2) as it really should do.

Thanks for your feedback and interest. This is the first patch I've ever
released for any open source software so I hope what I'm rambling on
about is sound and the patch is OK :-)

Kind regards to you.
David.
-- 
 .''`.     David Ramsden <david at hexstream.eu.org>
: :'  :    http://david.hexstream.eu.org/
`. `'`     PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.