Date: Wed, 3 Dec 2008 13:02:26 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Finally managed to create a jailed SFTP server, but how secure?
Message-ID: <20081203120226.GA15221@calimero.vinschen.de>

On Dec 3 11:38, Julio Emanuel wrote:
> On Wed, Dec 3, 2008 at 11:01 AM, Brian Dessent wrote:
> > Julio Emanuel wrote:
> > >
> >> 4) Only commands compiled for Cygwin, AND accessing the file system
> >> exclusively through the Cygwin POSIX interfaces can (and will) obey
> >> the chroot settings;
> > >
> > This is not valid reasoning, as Eric Blake already pointed out you can
> > still access files outside of a chroot even if you're still going
> > through the Cygwin DLL by using Win32 style pathnames since Cygwin
> > passes those through untouched.
>
> Aha! So this is the tiny bit that was missing! What you are saying is
> that the Cygwin DLL does not honor the chroot if the path is in WIN32
> format? But why is that? It shouldn't honor the chroot all the time?
> I mean, this sounds like the "right thing to do"(tm), if Cygwin is
> supposed to fully support chroot environments...

The final, definitive answer which I already gave last month, and also
already years ago. It's all in the archives.

It's *impossible* for any kind of Windows user space environment, be it
called Cygwin or whatever, to restrict applications to a chroot jail.
The reason is that the underlying OS, Windows, does not support this
concept. We can restrict applications using the Cygwin open call to the
jail, but every application is free to call the Win32 call CreateFile or
the native NT call NtOpenFile directly, thus circumventing any effort
made in the Cygwin DLL easily.

So, that's it. Chroot looks interesting on the surface, but implementing
it on Windows is eventually just a hoax due to missing OS support.

Don't use it. It provides a false sense of security. Actually it's one
of my Cygwin inventions I'd rather forget about.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
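
The layering described in the message, as an added Python model that is not part of the original mail and is not Cygwin code: a jail applied only inside a library's open(), sitting on an OS-level open that knows nothing about it. `DISK`, `JAIL_ROOT` and every function name are hypothetical; the pass-through of Win32-style paths follows what the thread states.

```python
# Model (constructed, not Cygwin source): a jail enforced only inside a
# user-space library, on top of an OS layer that has no notion of a jail.
import ntpath
import posixpath

# Constructed in-memory "disk" (Win32 path -> content); all names hypothetical.
DISK = {
    r"C:\jail\pub\readme.txt": "public file",
    r"C:\Users\admin\secret.txt": "outside the jail",
}
JAIL_ROOT = r"C:\jail"  # hypothetical chroot directory

def os_open(win32_path):
    """Stand-in for CreateFile/NtOpenFile: no jail concept at this layer."""
    return DISK[ntpath.normpath(win32_path)]

def is_win32_style(path):
    """Drive-letter, UNC or backslash paths (passed through per the thread)."""
    return bool(ntpath.splitdrive(path)[0]) or "\\" in path

def lib_open(path):
    """Stand-in for the library's open(): the only place the jail is applied."""
    if is_win32_style(path):
        return os_open(path)  # handed to the OS untouched, jail not applied
    # POSIX path: normalise against "/" so ".." cannot climb above the root
    inside = posixpath.normpath(posixpath.join("/", path)).lstrip("/")
    return os_open(ntpath.join(JAIL_ROOT, *inside.split("/")))

def try_open(opener, path):
    """Return the file content, or None when the open fails."""
    try:
        return opener(path)
    except KeyError:
        return None

def demo():
    secret = r"C:\Users\admin\secret.txt"
    return {
        "posix path via library": try_open(lib_open, "/pub/readme.txt"),
        "posix '..' via library": try_open(lib_open, "/../Users/admin/secret.txt"),
        "win32 path via library": try_open(lib_open, secret),
        "direct OS call": try_open(os_open, secret),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} -> {result!r}")
```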