Mail Archives: cygwin/2008/11/19/08:38:37

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
X-Mailer: YahooMailWebService/0.7.260.1
Date: Wed, 19 Nov 2008 05:37:45 -0800 (PST)
From: TheO <idgajelas AT yahoo DOT com>
Reply-To: idgajelas AT yahoo DOT com
Subject: Re: SFTP doesn't work with ChrootDirectory option set
To: cygwin AT cygwin DOT com
In-Reply-To: <49222995.5030609@byu.net>
MIME-Version: 1.0
Message-ID: <916107.19573.qm@web34701.mail.mud.yahoo.com>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Hi Corinna,

I agree with you on the fact that it's difficult to have full protection from Cygwin for ssh login.

But my main concern is SFTP. What can a user do with SFTP if he is jailed in Cygwin? He can only see, upload, and download files in the allowed directories using SFTP and can't execute anything. So in my opinion the risk is very low to enable jailed SFTP in Cygwin.

The strange fact is that Cygwin does allow jailed SSH but not jailed SFTP. Shouldn't it be the other way around if security is a big concern?


------------ Corinna Vinschen wrote: --------------------

Cygwin, being just another application layer, requires OS support for
certain functionality.  chroot is one of them.  chrooting isn't
supported by Windows.  All Cygwin is doing is to fake chroot for Cygwin
applications, as long as they are playing nice and only use POSIX
functions for file access.  As soon as they use Win32 functions, the
fake is uncovered.

Bottom line, you don't get any additional security by using chroot on
Cygwin.  You're just adding complexity to your setup.  Most of the time
you can use other measures to restrict the user anyway.



      
