Mail Archives: cygwin/2008/11/19/06:10:24

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2008/11/19/06:10:24

X-Recipient: archive-cygwin AT delorie DOT com

X-Spam-Check-By: sourceware.org

Date: Wed, 19 Nov 2008 12:09:49 +0100

From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>

To: cygwin AT cygwin DOT com

Subject: Re: SFTP doesn't work with ChrootDirectory option set

Message-ID: <20081119110949.GE10351@calimero.vinschen.de>

Reply-To: cygwin AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

References: <49222995 DOT 5030609 AT byu DOT net> <731070 DOT 50337 DOT qm AT web34701 DOT mail DOT mud DOT yahoo DOT com>

MIME-Version: 1.0

In-Reply-To: <731070.50337.qm@web34701.mail.mud.yahoo.com>

User-Agent: Mutt/1.5.16 (2007-06-09)

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

On Nov 18 00:02, TheO wrote:
> Actually my real objective is to use chroot for SFTP. I am planning to disable ssh login in the final configuration, I was using ssh just for testing the sshd capability for chrooting.

http://cygwin.com/acromyns/#TOFU

It's not enough to have a bash in the jailed /bin dir.  You need at least
a copy of all DLLs the applications (including sftp-server) are using,
especially an exact copy of the Cygwin DLL.

Having said that...

Cygwin, being just another application layer, requires OS support for
certain functionality.  chroot is one of them.  chrooting isn't
supported by Windows.  All Cygwin is doing is to fake chroot for Cygwin
applications, as long as they are playing nice and only use POSIX
functions for file access.  As soon as they use Win32 functions, the
fake is uncovered.

Bottom line, you don't get any additional security by using chroot on
Cygwin.  You're just adding complexity to your setup.  Most of the time
you can use other measures to restrict the user anyway.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
X-Spam-Check-By:	sourceware.org
Date:	Wed, 19 Nov 2008 12:09:49 +0100
From:	Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To:	cygwin AT cygwin DOT com
Subject:	Re: SFTP doesn't work with ChrootDirectory option set
Message-ID:	<20081119110949.GE10351@calimero.vinschen.de>
Reply-To:	cygwin AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
References:	<49222995 DOT 5030609 AT byu DOT net> <731070 DOT 50337 DOT qm AT web34701 DOT mail DOT mud DOT yahoo DOT com>
MIME-Version:	1.0
In-Reply-To:	<731070.50337.qm@web34701.mail.mud.yahoo.com>
User-Agent:	Mutt/1.5.16 (2007-06-09)
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Unsubscribe:	<mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com