Re: sshd privsep user still required?

public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed

From: Bill Stewart <bstewart@iname.com>
To: cygwin@cygwin.com
Subject: Re: sshd privsep user still required?
Date: Wed, 13 Mar 2019 15:12:00 -0000	[thread overview]
Message-ID: <CANV9t=Q=HDAoVxjvSp9EqX0GttwxZLW6=OxO6o4eLzs8mejFRQ@mail.gmail.com> (raw)
In-Reply-To: <20190313085650.GS3785@calimero.vinschen.de>

On Wed, Mar 13, 2019 at 2:57 AM Corinna Vinschen wrote:

> > a) Why is it necessary to specify SYSTEM as user number 0 in the
> > /etc/password file?
> >
> > b) Why is the sshd account required?
>
> sshd checks for uid 0 and requires the sshd account when chroot is
> requested.
>
> > c) Why are /cygdrive and /dev directories visible when connecting using
a
> > sftp client?
>
> The Cygwin chroot implementation is pure fake.  It's not backed by the
> OS and it's failry easy to break out of the jail.  As such, the chroot
> implementation is deprecated and only kept for backward compatibility.
> I suggest not to use it.  It gives a wrong sense of security.

Right: I totally understand that Cygwin's chroot implementation does not
add any security (because chroot doesn't exist natively on Windows).

However: It's still the case that the user cannot bypass OS security even
if he or she "escapes" from the jail, right?

My goal is to restrict sftp browsing on the client side.

Using ChrootDirectory with "ForceCommand internal-sftp" in sshd_config
seems to accomplish this.

Is this not correct?

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

next prev parent reply	other threads:[~2019-03-13 15:12 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-16 22:31 Bill Stewart
2019-01-17 14:23 ` Corinna Vinschen
2019-01-17 23:04   ` Charles Russell
2019-03-12 22:21 ` Bill Stewart
2019-03-13  8:56   ` Corinna Vinschen
2019-03-13 15:12     ` Bill Stewart [this message]
2019-03-13 15:29       ` Corinna Vinschen
2019-03-13 15:58         ` Bill Stewart

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CANV9t=Q=HDAoVxjvSp9EqX0GttwxZLW6=OxO6o4eLzs8mejFRQ@mail.gmail.com' \
    --to=bstewart@iname.com \
    --cc=cygwin@cygwin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).