Finally managed to create a jailed SFTP server, but how secure?

Albert van der Velde Albertvander.Velde@infor.com
Wed Dec 3 07:44:00 GMT 2008


Hello, 

I followed this discussion, but does an ftp server exist with a
possibility to lock a user in its home directory preventing him to get
out of this "jail". 

As I see this discussion I suppose that this is not possible. Seems that
someone needs to add this code to an ftp server. 

Kind regards,

Albert

-----Original Message-----
From: cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com] On Behalf
Of Larry Hall (Cygwin)
Sent: dinsdag 2 december 2008 17:56
To: cygwin@cygwin.com
Subject: Re: Finally managed to create a jailed SFTP server, but how
secure?

TheO wrote:
> 
>> If you're happy with the results, that's fine.  However, you asked
how
>> secure SFTP was.  The answer is as I've said.  Cygwin is not the O/S.
>> It cannot enforce restrictions on the O/S.  Only the O/S can restrict
>> or grant access to users.
>>
> 
> Thanks Larry,
> 
> The reason why Cygwin is ideal for me to provide SFTP service is that
it
> provides a free SFTP solution for Windows platform. My programmers
come
> from Windows world, they are more familiar with .NET than Unix but
sometimes,
> they are required to build a system featuring an SFTP server where our
user
> can upload his files to be processed by our .NET application and
finally,
> he download the response files from SFTP. Cygwin makes this possible
in an
> economic way.

I understand.  If SFTP under Cygwin fits your needs and you can live
with the risks, then you should continue using it.  I certainly don't
understand your application or its requirements for communication but
given your description above, it seems to me that 'scp' would serve your
purpose and wouldn't rely on a limited 'chroot' capabilities.  But I'm
assuming you've already thought of that and have ruled it out for your
own reasons.

>> I have not attempted to set up a jailed SFTP environment on Cygwin.
It
>> may be that what you've done hems the user into the area you want
when
>> he/she is using Cygwin tools.  However, this does not restrict the
user
>> with Windows native tools.  If he/she is able to leverage those
inside
>> the jail, then the user has the keys he/she wants to get out.
>>
> 
> He might be able to upload "nasty" tools but What else could he
possibly do 
> if he has access to only a restricted SFTP subsystem? 

Good question.  A better one is are you willing to accept the risk?  I
also
want to once again point out that "a restricted FTP subsystem" does not
have all the same restrictions as it would in a UNIX/Linux environment.
Only you can decide whether this difference is something you can live
with.  But in terms of security, Cygwin's SFTP is not as secure as
UNIX/Linux versions with the full O/S support for 'chroot'.  I'm not
trying to talk you out of anything.  I'm just answering your original
question and providing you with the facts.  It's up to you how you want
to apply them to your situation.

-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/



More information about the Cygwin mailing list