Enable SFTP chroot support #308
@NoMoreFood FYI
contrib/win32/win32compat/fileio.c
if ((wcslen(final_path) < wcslen(chroot_pathw)) || | ||
memcmp(final_path, chroot_pathw, 2 * wcslen(chroot_pathw)) != 0 || | ||
final_path[wcslen(chroot_pathw)] != '\\') { | ||
debug4("access denied due to attempt to escape chroot jail"); |
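Review bot: the third condition, final_path[wcslen(chroot_pathw)] != '\\', also denies a final_path that is exactly equal to chroot_pathw, because the character at that index is then the terminating NUL; if the jail root itself must be reachable, accept L'\0' at that position as well. The memcmp prefix test is case-sensitive, so a path inside the jail that differs from chroot_pathw only in letter case is rejected; confirm both strings are normalized the same way before this check, or compare case-insensitively. The byte count 2 * wcslen(chroot_pathw) hard-codes the wchar_t size; sizeof(wchar_t) * wcslen(chroot_pathw) would state the intent.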
Having it as debug() will help ssh admins to run some metrics and figure out the potential attacks.
I'm prepping for two weeks of paternity leave so I'm a bit preoccupied at my day job this week; I'll try to take a look soon though. The biggest thing I'm worried about is how you addressed attempted new file creation outside of the jail by escaping using a relative path (e.g. ../../) when the target file does not exist. For example:

scp source.file user@host:../../target.file

Even in my proof of concept, I didn't handle this ideally (i.e., it allowed the file to be created, but didn't return its handle). In this scenario, the best I could think of doing was to split the path (i.e. trim off the file name), get the directory handle to obtain the normalized path, and then use that as a comparison. Regardless, do you think you've addressed this sort of thing in your code?
@NoMoreFood a very good point. I was only testing with sftp so far, which would first resolve the path via realpath, which would reject stepping up and out of root. So yes, with scp, I would end up creating the file and subsequently denying access to it (just like in your case). I can fix this gap by doing realpath resolution in resolved_path_utf16, which will block this. Will push out that change and add a test case tomorrow.
Alright, resolved_path_utf16 now goes through realpath where the core chroot resolution logic takes place. realpath rejects any resolutions outside of chroot jail. Tested with scp too.
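The relative-path escape discussed above (scp to ../../target.file when the target does not exist yet), as an added example that is not code from this PR: a lexical resolver that rejects any ".." climbing above the jail root before anything is created. The name jail_resolve, the root C:\jail and the sample inputs are assumptions made for illustration; like the merged change, it does not address symbolic links.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not from the PR: resolve a client-supplied path
 * against the jail root lexically, so it also works when the target file
 * does not exist yet. Assumes root is absolute with no trailing separator.
 * Returns 0 and writes the result to out, or -1 on escape or overflow. */
int jail_resolve(const char *root, const char *client, char *out, size_t outsz)
{
    size_t rootlen = strlen(root), len = rootlen;
    const char *p = client;

    if (rootlen == 0 || rootlen + 1 > outsz)
        return -1;
    memcpy(out, root, rootlen + 1);
    while (*p) {
        size_t n = strcspn(p, "/\\");        /* length of next component */
        if (memchr(p, ':', n))               /* drive letter or NTFS stream */
            return -1;
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == rootlen)              /* ".." at the jail root */
                return -1;
            while (out[len - 1] != '\\')     /* drop the last component */
                len--;
            out[--len] = '\0';
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            if (len + n + 2 > outsz)         /* separator + name + NUL */
                return -1;
            out[len++] = '\\';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n;
        if (*p)                              /* step over one separator */
            p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs; the first mirrors the scp case from the thread. */
    const char *tests[] = { "../../target.file", "sub/../new.file", "a/./b" };
    char buf[260];
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        int rc = jail_resolve("C:\\jail", tests[i], buf, sizeof buf);
        printf("%-20s -> %s\n", tests[i], rc == 0 ? buf : "DENIED");
    }
    return 0;
}
```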
Merging these to unblock session refactoring changes. Do review and I can address feedback in a later PR.
I haven't looked at the code for any potential holes, but my testing looks good so far. Symbolic links still allow you to escape the jail, but it may be reasonable to just consider this a feature limitation (and document it accordingly). Normal users can't create symbolic links unless security policy is altered from the defaults so it's not a major security concern in my opinion.
So how do we actually use this? I mean what are the instructions. I have a sftp user that logs in and sees everything. I want them to be locked into one directory. What do I literally need to do to make that happen?
@swills1 - The code changes only restrict sftp session, scp session but not ssh sessions. You can modify sshd_config and use MatchUser block to restrict sftp session, scp session.
@bagajjal I don't see MatchUser block example?
@bagajjal doesn't seem to work.
Try this, Match User test For test user, you are restricting to use SFTP.
Ah, I am just trying to keep them locked to one folder. Right now they see everything, and I can't have that. They already have to use sFTP or they can't login.
For other people here as well: please refer to https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config. All user names should be lower case. This took me a very long time to check.
Hi @tianxiaaiwojs, your link URL is different from the text displayed, you meant to link to:
Hi everyone,
My configuration fails completely, but I want to share it, hoping that someone can show what's wrong. What do we need to know to get that kind of restriction, that everybody wants but most of us can't..
The OpenSSH Server main binary files reside at: C:\Program Files\OpenSSH-Win64
PowerShell/Win32-OpenSSH#190
PowerShell/Win32-OpenSSH#292