This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Finally managed to create a jailed SFTP server, but how secure?
- From: TheO <idgajelas at yahoo dot com>
- To: cygwin at cygwin dot com
- Date: Fri, 5 Dec 2008 11:01:00 -0800 (PST)
- Subject: Re: Finally managed to create a jailed SFTP server, but how secure?
>
> You also need to try symlinks that point outside the "jail". Try
> creating them both from the shell and within SFTP.
>
Just got back from my Christmas shopping and now back to work :)
I don't know how to create a symlink from inside SFTP, so I did it only from
the console. I have created two files: foo and bar. foo is a link to a file outside
the jail, /foo (absolute root), while bar is an ordinary file.
sftp> ls -al
drwxr-xr-x 2 root root 0 Dec 5 15:52 .
drwxr-xr-x 3 root root 0 Dec 4 16:22 ..
-rw-r--r-- 1 root root 34 Dec 5 15:52 bar
lrwxrwxrwx 1 root root 4 Dec 5 15:49 foo
sftp> get foo
Fetching /home/Administrator/foo to foo
Couldn't stat remote file: No such file or directory
sftp> get bar
Fetching /home/Administrator/bar to bar
/home/Administrator/bar 100% 34 0.0KB/s 00:01
As expected, the user can't gain access outside his jail. But even if it had worked,
I wouldn't have created such a "facility" purposely myself.
>
> Don't forget that even if you decide SFTP is "secure enough", you
> need to consider the system as a whole. One of the problems with
> Windows' security in general is the number of open ports and services
> that are running. If unauthorized users are able to gain access to
> the system via any other route, then any security SFTP gives you is
> totally illusory. You would really need an external, aggressive
> firewall to be sure that the only possible external access was via
> SFTP. You can't rely on just disabling services, because I have
> known them to become enabled again after installing updates (thanks
> MS!)
>
Yes, I agree totally. We always put publicly accessible systems behind a firewall.
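As an added example (not from this thread or the Cygwin project), a host-side audit script that walks an SFTP jail and flags every symlink whose canonical target resolves outside the jail root, covering absolute links like the foo -> /foo case above as well as relative links that climb out with "..". It assumes GNU readlink -f and find, which Cygwin's coreutils provide; the function name is my own.

```shell
#!/bin/sh
# Audit an SFTP jail for symlinks that escape it (added example, hypothetical
# helper name). Assumes GNU coreutils: readlink -f and find.
#
# Usage: find_escaping_symlinks JAIL_ROOT
# Prints "LINK -> RESOLVED" for each symlink below JAIL_ROOT whose canonical
# target lies outside JAIL_ROOT (dangling targets are still resolved).
# Returns 0 when the jail is clean, 1 when escaping links were found,
# 2 when JAIL_ROOT cannot be canonicalised.
find_escaping_symlinks() {
    jail=$(readlink -f "$1") || return 2
    found=$(find "$jail" -type l -exec sh -c '
        jail=$1; shift
        for link; do
            # readlink -f resolves relative links from the link location,
            # so "../../etc/passwd" is judged by where it actually lands.
            target=$(readlink -f "$link") || target="(unresolvable)"
            case "$target" in
                "$jail"|"$jail"/*) ;;   # stays inside the jail
                *) printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done
    ' sh "$jail" {} +)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```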