https://bugzilla.mindrot.org/show_bug.cgi?id=3715
--- Comment #9 from Joshua Hudson <[email protected]> ---

"there's a fair bit of stuff in /etc that can be referenced quite late in a program's execution"

Hmmm; do you mean while the sshd process hasn't dropped privileges yet? I went looking and found something very interesting:

1) setusercontext(..., LOGIN_SETUMASK) is almost certainly meant to be applied outside the jail not inside it. However that's not a function on my system so I could not detect the problem via testing.

2) In do_child we have this block:

    if (s->authctxt->force_pwdchange) {
        do_setusercontext(pw, s->authctxt->role);
        child_close_fds(ssh);
        do_pwdchange(s);
        exit(1);
    }

There's no way that works correctly with any ChrootDirectory value other than none, as do_pwdchange will be called inside the chroot jail rather than outside of it. At least it has a safe failure mode. It calls execl for passwd (no PATH search), which won't be there. Any other failure modes must happen after uid has been set to the user's value. While I'm pretty sure they can totally mess up the sftp server with a hostile /etc, the user's really only attacking themselves.

openssh-bugs mailing list: https://lists.mindrot.org/mailman/listinfo/openssh-bugs
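The ordering problem described in the comment (chroot and uid change first, then the exec of passwd) can be checked for a given ChrootDirectory before password expiry is enabled for chrooted users. The script below is an added example written for this page, not OpenSSH code: it rebases the absolute passwd path onto a jail root the way the kernel resolves paths after chroot, reports whether the execl would find an executable there, and traces the step order of the quoted do_child block. The passwd path is an assumption based on OpenSSH's default _PATH_PASSWD; the two jail directories are constructed in a temp dir for the demonstration.

```python
"""Added example (not OpenSSH code): audit what the do_pwdchange step of
sshd's do_child would find once ChrootDirectory has already been applied.

do_setusercontext() performs the chroot and uid change before do_pwdchange()
runs, so the execl() of passwd is resolved inside the jail.  This script
shows the resulting "safe failure" (ENOENT) for a jail that lacks the
binary, and a success for one that has it.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Assumed default from OpenSSH's pathnames.h; confirm against your build.
PASSWD_PATH = "/usr/bin/passwd"


def rebase_into_jail(jail_root: str, abs_path: str) -> Path:
    """Where the kernel looks for abs_path after chroot(jail_root)."""
    return Path(jail_root) / abs_path.lstrip("/")


def pwdchange_exec_outcome(jail_root: str, passwd_path: str = PASSWD_PATH) -> str:
    """'ok' if passwd is an executable file inside the jail, otherwise the
    errno name the execl() would fail with (no PATH search is involved)."""
    target = rebase_into_jail(jail_root, passwd_path)
    if not target.is_file():
        return "ENOENT"
    if not os.access(target, os.X_OK):
        return "EACCES"
    return "ok"


def simulate_do_child(jail_root: Optional[str], force_pwdchange: bool) -> List[str]:
    """Trace of the quoted do_child block in the order sshd performs it:
    chroot (if configured) and setuid happen inside do_setusercontext,
    then fds are closed, then do_pwdchange execs passwd, then exit(1)."""
    trace: List[str] = []
    if jail_root is not None:
        trace.append(f"chroot({jail_root})")
    trace.append("setuid(user)")
    if force_pwdchange:
        trace.append("close_fds")
        outcome = pwdchange_exec_outcome(jail_root if jail_root is not None else "/")
        trace.append(f"execl({PASSWD_PATH}) -> {outcome}")
        trace.append("exit(1)")
    return trace


def demo() -> Tuple[str, str]:
    """Constructed jails: one empty (typical sftp-only ChrootDirectory) and one
    holding an executable stand-in for passwd.  Returns both outcomes."""
    with tempfile.TemporaryDirectory() as empty_jail, \
            tempfile.TemporaryDirectory() as stocked_jail:
        stub = rebase_into_jail(stocked_jail, PASSWD_PATH)
        stub.parent.mkdir(parents=True)
        stub.write_text("#!/bin/sh\nexit 0\n")  # constructed stand-in, never run
        stub.chmod(0o755)
        return pwdchange_exec_outcome(empty_jail), pwdchange_exec_outcome(stocked_jail)


if __name__ == "__main__":
    # Hypothetical ChrootDirectory value used only for the trace output.
    for step in simulate_do_child("/srv/sftp/alice", True):
        print(step)
    print(demo())  # expected: ('ENOENT', 'ok')
```

Run against a real ChrootDirectory root, `pwdchange_exec_outcome("/srv/sftp/alice")` tells you whether a forced password change for that user would exec anything at all; the trace makes the point that by the time the exec fails, the chroot and uid change are already done.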
