Bug 3428 - chroot root 755] I wish there was an option to lower the chroot security. CVE-2009-2904
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sftp-server
Version: 8.9p1
Hardware: amd64 Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2022-04-29 20:59 AEST by xeno
Modified: 2022-10-04 21:58 AEDT

Description xeno 2022-04-29 20:59:41 AEST
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904
https://github.com/openssh/openssh-portable/blob/master/session.c#L1336

The directory to be chrooted must be root 755.
It is inconvenient as it is forced without a way to solve it as an option.
The CVE content says that you can do something with a combination of hardlink and setuid.
Isn't this a problem related to openssh that occurs when another account executes?
I would like to take this vulnerability and make it impossible to detect the existence of other accounts when logged in.
Please make it an option.
Thank you.

if (!options->unsecure_chroot_directory) {
    if (st.st_uid != 0 || (st.st_mode & 022) != 0)
Comment 1 Damien Miller 2022-05-02 09:58:25 AEST
Sorry, but this has been discussed extensively in the past (e.g. this thread https://marc.info/?t=122641302700006&r=1&w=2) and we do not intend to make changes to ChrootDirectory permission requirements.

The CVE you mention occurred because Red Hat ignored this and patched their sshd to relax these requirements. It never affected the version of OpenSSH that we ship.
Comment 2 Damien Miller 2022-10-04 21:58:56 AEDT
Closing bugs from openssh-9.1 release cycle