Bug 3428

Summary: [chroot root 755] I wish there was an option to lower the chroot security. CVE-2009-2904
Product: Portable OpenSSH
Reporter: xeno <shj>
Component: sftp-server
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: djm
Priority: P5    
Version: 8.9p1   
Hardware: amd64   
OS: Linux   

Description xeno 2022-04-29 20:59:41 AEST
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904
https://github.com/openssh/openssh-portable/blob/master/session.c#L1336

The directory to be chrooted must be root 755.
It is inconvenient as it is forced without a way to solve it as an option.
The CVE content says that you can do something with a combination of hardlink and setuid.
Isn't this a problem related to openssh that occurs when another account executes?
I would like to take this vulnerability and make it impossible to detect the existence of other accounts when logged in.
Please make it an option.
Thank you.

if (!options->unsecure_chroot_directory) {
    if (st.st_uid != 0 || (st.st_mode & 022) != 0)

Comment 1 Damien Miller 2022-05-02 09:58:25 AEST
Sorry, but this has been discussed extensively in the past (e.g. this thread https://marc.info/?t=122641302700006&r=1&w=2) and we do not intend to make changes to ChrootDirectory permission requirements.

The CVE you mention occurred because Redhat ignored this and patched their sshd to relax these requirements. It never affected the version of OpenSSH that we ship.

Comment 2 Damien Miller 2022-10-04 21:58:56 AEDT
Closing bugs from openssh-9.1 release cycle