
posted by Fnord666 on Wednesday January 10 2018, @03:01PM
from the practicing-safe-sftp dept.

The SFTP component in OpenSSH provides a chroot feature for hardening. The documentation states that the chroot directory itself must not be writable by the user account, though specific files and subdirectories within it may be. Some people were questioning the read-only restriction. halfdog documents some analysis resulting from discussions on the openssh-dev mailing list. Here are some arguments about why these restrictions still make sense in 2018.
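To make the rule concrete, here is an added example (not code from halfdog's analysis or from OpenSSH): a POSIX shell function that applies the same test sshd performs before entering a ChrootDirectory, namely that every path component up to "/" is root-owned and not group- or world-writable, while a user-owned subdirectory inside the chroot is left alone. The OWNER_UID and TOP parameters, and the sshd_config fragment in the comments, are assumptions added so the check can be exercised on an unprivileged test tree.

```shell
#!/bin/sh
# Added example: re-implements the check sshd runs before chrooting an
# sftp-only user: each path component, from the chroot up to "/", must be
# owned by root and must not be group- or world-writable. Writable space for
# the user belongs in a subdirectory (e.g. /srv/sftp/alice/upload owned by
# alice), never at the chroot root itself.
#
# Assumed sshd_config fragment this is meant to validate:
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp
#
# Usage: check_chroot_path CHROOT [OWNER_UID] [TOP]
#   OWNER_UID defaults to 0 and TOP to "/", which is what sshd enforces;
#   both are assumptions added here so an unprivileged test tree can be used.
# Requires GNU stat (-c). Returns 0 when safe, 1 when unsafe, 2 on error.
check_chroot_path() {
    target=$1
    want_uid=${2:-0}
    top=${3:-/}
    rc=0
    [ -d "$target" ] || { echo "ERROR not a directory: $target"; return 2; }
    cur=$target
    while :; do
        # %u = owner uid, %a = permission bits in octal (e.g. 755, 1777)
        info=$(stat -c '%u %a' "$cur") || return 2
        uid=${info% *}
        mode=${info#* }
        if [ "$uid" -ne "$want_uid" ]; then
            echo "UNSAFE owner uid $uid (expected $want_uid): $cur"
            rc=1
        fi
        # 022 = group-write | other-write; "0$mode" forces octal arithmetic
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "UNSAFE group/world-writable (mode $mode): $cur"
            rc=1
        fi
        [ "$cur" = "$top" ] && break
        [ "$cur" = "/" ] && break
        cur=$(dirname "$cur")
    done
    [ "$rc" -eq 0 ] && echo "OK chroot path components are safe: $target"
    return "$rc"
}

if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it as `sh check_chroot.sh /srv/sftp/alice` on the real host; a non-zero exit pinpoints the component sshd would reject with "bad ownership or modes for chroot directory component".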



Related Stories

scp Will Be Replaced With sftp Soon

OpenSSH 8.8 has been released and with it comes a heads-up that there will be major changes to how the scp utility operates, starting in one of the next releases. Specifically, scp has been retooled to use the SFTP protocol under the hood. This will leave most behavior unchanged, and most of the time there will be no perceived difference. However, some scripts which make use of globbing might need minor adjustment to work properly in the future:

A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote paths relative to other users' home directories, for example "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later supports a protocol extension "expand-path@openssh.com" to support this.

  • (Score: 0) by Anonymous Coward on Wednesday January 10 2018, @03:11PM (5 children)

    by Anonymous Coward on Wednesday January 10 2018, @03:11PM (#620481)

    Discussions on a mailing list qualify as news now?

    • (Score: 2) by pkrasimirov on Wednesday January 10 2018, @03:42PM (1 child)

      by pkrasimirov (3358) Subscriber Badge on Wednesday January 10 2018, @03:42PM (#620492)

      Yes, as long as there are valid arguments.

      • (Score: 4, Insightful) by JoeMerchant on Wednesday January 10 2018, @03:54PM

        by JoeMerchant (3937) on Wednesday January 10 2018, @03:54PM (#620494)

        I'd rather catch a good story off a mailing list once in a while instead of endless parroting of the Reuters feed.

        --
        🌻🌻 [google.com]
    • (Score: 2) by canopic jug on Wednesday January 10 2018, @04:20PM

      by canopic jug (3949) Subscriber Badge on Wednesday January 10 2018, @04:20PM (#620502) Journal

      No, but analysis of the issues raised in those discussions is news. The analysis answers a question that comes up regularly in regards to locked-down SFTP sites and actually walks through why and how the restrictions are needed.

      tldr; CVE 2009-2904

      --
      Money is not free speech. Elections should not be auctions.
    • (Score: -1, Flamebait) by Anonymous Coward on Wednesday January 10 2018, @04:35PM

      by Anonymous Coward on Wednesday January 10 2018, @04:35PM (#620506)

      Well, how else do you plan on getting news that matters?

      You think the mainstream press is being accurate and honest currently? Are you sure there aren't important viewpoints that the mainstream press is attempting to disappear and wallpaper over because they don't fit the Column A/Column B exclusive divide they're trying to create and box everybody in to?

      Watch for some narrative convergence later this year. We'll learn that not only are all men in tech jobs rich, overpaid misogynists, but that they're all alt-righters, too. And homosexuals. And they use encryption. Only a misogynist who is literally Hitler and homosexual would use encryption. Watch for all these narratives to converge.

      The mainstream press is destroying democracy. Stop letting them.

    • (Score: 2, Offtopic) by realDonaldTrump on Wednesday January 10 2018, @04:41PM

      by realDonaldTrump (6614) on Wednesday January 10 2018, @04:41PM (#620509) Homepage Journal

      A lot of our newspapers are turning into cyber sites. The failing Daily News was bought by a cyber site. But you look at those sites, they're mostly about our entertainment & sports celebrities, and the terrible wave of immigration & crime we're suffering through. And sometimes a little bit about cyber, the cyber that regular folks do. These EMAILS are about cyber for cyber people. You can tell because there's no picture. The stories for regular people have a picture of a keyboard, a picture of a Bitcoin, or a picture of the ones and zeros. This one doesn't. Very hard to read, but maybe someone wants to!

  • (Score: 2) by FatPhil on Wednesday January 10 2018, @05:01PM (1 child)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday January 10 2018, @05:01PM (#620515) Homepage
    "The first test focuses on the impact of a writable root in a sftp-only setup. OpenSSH detects that condition and prohibits login to such system per default."

    Stupid setup is protected from harm, good.

    "Therefore a test chroot was created with bin, dev, etc, lib, lib64, proc, tmp, usr and var directories created and world-writable."

    So you deliberately contrived a different stupid setup?

    Why?!?!?!?

    I can create an infinitude of stupid setups that are dangerous, why is this one interesting? Has it been seen in the wild? If not, you're analysing a non-problem.

    And part 2: "As soon as there exists a cooperating process outside the chroot, ..."

    You're fucked already, it's not your machine any more, the chroot is irrelevant.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 4, Informative) by Anonymous Coward on Wednesday January 10 2018, @06:54PM

      by Anonymous Coward on Wednesday January 10 2018, @06:54PM (#620565)

      So you deliberately contrived a different stupid setup?

      Yes, a very similar one, just different enough to evade the check.

      Why?!?!?!?

      To demonstrate that such setups are in fact stupid. As TFA says:

      Some people were questioning the read-only restriction. Here should be some arguments, why it still makes sense in 2018.

      I think you've somehow misunderstood the point of this exercise.

      And part 2: "As soon as there exists a cooperating process outside the chroot, ..."

      You're fucked already, it's not your machine any more, the chroot is irrelevant.

      No, it is relevant. He's demonstrating how an unprivileged process within a poorly-configured chroot, combined with an unprivileged process outside the chroot, can allow both processes to gain root privileges.

      Yes, sane people shouldn't need convincing that world-writable chroots are a bad plan. But not everyone is sane, so this guy is demonstrating it for them.
