This is the mail archive of the
cygwin
mailing list for the Cygwin project.
RE: Finally managed to create a jailed SFTP server, but how secure?
TheO wrote on Thursday, December 04, 2008 4:48 PM::
>>> I understand why all these virtual directories are necessary at the
>>> absolute '/' root level. But here I refer to /cygdrive which is
>>> created inside the jail directory, which means in absolute path,
>>> /jail/cygdrive (/jail being the root
>> of my jail). Inside the jail, only /cygdrive is created, no other
>> virtual directories (/proc or /dev/xxx) or files are created.
>>
>> Created or not, they exist. Try it.
>>
>
> I tried it from jailed SFTP session:
>
> sftp> cd /dev
> Couldn't canonicalise: No such file or directory
> sftp> cd /proc
> Couldn't canonicalise: No such file or directory
>
> They don't exist.
You also need to try symlinks that point outside the "jail". Try
creating them both from the shell and within SFTP.
You should also check that non-interactive SFTP observes the jail
(that is specifying the file to transfer on the command line).
Frankly, there are loads of things that you would need to test and
you can never be sure you've checked all possible mechanisms. Given
that the chroot jail is really an open prison under Windows, one has
to wonder if it's worth the effort, and what you have proved if all
of your tests have passed.
The best you can say is that you are protected against inadvertent
access and (possibly) someone casually poking around.
Don't forget that even if you decide SFTP is "secure enough", you
need to consider the system as a whole. One of the problems with
Windows' security in general is the number of open ports and services
that are running. If unauthorized users are able to gain access to
the system via any other route, then any security SFTP gives you is
totally illusory. You would really need an external, aggressive
firewall to be sure that the only possible external access was via
SFTP. You can't rely on just disabling services, because I have
known them to become enabled again after installing updates (thanks
MS!)
Phil
--
This email has been scanned by Ascribe PLC using Microsoft Antigen for Exchange.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- References:
- Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- From: Larry Hall (Cygwin)
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- From: Larry Hall (Cygwin)
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- From: Larry Hall (Cygwin)
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- From: Larry Hall (Cygwin)
- Re: Finally managed to create a jailed SFTP server, but how secure?
- Re: Finally managed to create a jailed SFTP server, but how secure?
- From: Larry Hall (Cygwin)
- Re: Finally managed to create a jailed SFTP server, but how secure?