This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Finally managed to create a jailed SFTP server, but how secure?
According to TheO on 12/3/2008 6:29 AM:
>> No, we mean "get c:/dir/file" or "get c:\dir\file". (or "put
>> //hostname/share/file", shudder.)
>>
>
> This is what I get:
>
> sftp> cd C:/
> Couldn't canonicalise: No such file or directory
That's with /. What about with \? The cygwin dll sometimes treats the
two separators differently, where using \ is more likely to bypass cygwin
checks.
And what about Brian's other point - if sshd has a security bug like a
buffer overrun (shudder, but possible - look at how often openssh has been
updated over the years to fix security holes as soon as someone identifies
one), then the attacker merely need exploit the buffer overrun to inject
code that calls a native Windows API. Harder to exploit? Yes. But
certainly _much_ more of a worry than whether or not you have hidden
undesirable file names from honest users.
--
Don't work too hard, make some time for fun as well!
Eric Blake ebb9@byu.net
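
Added example, not part of the original message and not Cygwin or OpenSSH code: a conservative pre-check a jailed file server could run on each client-supplied path, covering the three forms raised in this thread (drive letter, backslash separator, `//hostname/share`). The names `classify_path` and `jail_should_reject` are hypothetical, and the policy of rejecting every non-POSIX form outright is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Why a client-supplied path is not a plain POSIX path. */
enum path_form {
    PATH_POSIX = 0,     /* nothing Windows-specific found */
    PATH_DRIVE_LETTER,  /* "c:/dir/file", "c:\dir\file", "c:file" */
    PATH_UNC,           /* "//hostname/share/file", "\\hostname\share" */
    PATH_BACKSLASH      /* any other use of '\' */
};

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Classify a requested path by its spelling only; no filesystem access. */
enum path_form classify_path(const char *p)
{
    if (p == NULL || *p == '\0')
        return PATH_POSIX;
    /* A letter followed by ':' at the start is treated as a drive prefix. */
    if (isalpha((unsigned char)p[0]) && p[1] == ':')
        return PATH_DRIVE_LETTER;
    /* Exactly two leading separators, then a name: UNC form ("///x" is not). */
    if (is_sep(p[0]) && is_sep(p[1]) && p[2] != '\0' && !is_sep(p[2]))
        return PATH_UNC;
    /* '\' is legal in a POSIX file name, but a jail can afford to refuse it. */
    if (strchr(p, '\\') != NULL)
        return PATH_BACKSLASH;
    return PATH_POSIX;
}

/* Assumed policy: only plain POSIX spellings go on to the jail's own check. */
int jail_should_reject(const char *p)
{
    return classify_path(p) != PATH_POSIX;
}

int main(void)
{
    /* Constructed sample paths; the first three are the forms quoted above. */
    const char *samples[] = { "c:/dir/file", "c:\\dir\\file",
                              "//hostname/share/file", "/pub/file.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s reject=%d\n", samples[i], jail_should_reject(samples[i]));
    return 0;
}
```

A check like this only narrows what reaches the path layer; it does nothing about the second concern in the message, code injected through a bug in the server process itself.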