X-Recipient: archive-cygwin AT delorie DOT com
References: <664060 DOT 6380 DOT qm AT web34704 DOT mail DOT mud DOT yahoo DOT com> <49341625 DOT 2090804 AT cygwin DOT com>
Date: Mon, 1 Dec 2008 11:13:50 -0800 (PST)
From: TheO
Subject: Re: Finally managed to create a jailed SFTP server, but how secure?
To: cygwin AT cygwin DOT com
Message-ID: <933558.98400.qm@web34705.mail.mud.yahoo.com>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

> Security from the standpoint of access to the remote file system and
> processes comes from the security measures put in place under Windows
> on the remote system. SFTP under Cygwin will not provide this. It
> only provides encrypted transport.

According to my observation, regardless of his authentication (public key or password), he can only see a limited number of directories within the jail environment. The only directory which is virtually added by Cygwin during his login, and therefore beyond my control, is /cygdrive. Luckily enough for me, it is empty, so in my opinion the user can't traverse my hard disk.

I did some simple tests to break out of my jail. From my SFTP session, I tried to do the following:

    sftp> cd /cygdrive
    sftp> cd c
    Couldn't canonicalise: No such file or directory
    sftp> mkdir c
    Couldn't create directory: No such file or directory

which is good. But maybe my simple tests are not enough. Maybe there are some special file names which are not mapped to any directory or file but are interpreted internally by Cygwin to designate some directories outside the jail.

Thanks again.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/