Re: ftp-server patch - restrict user to directory
This is a discussion on Re: ftp-server patch - restrict user to directory within the OpenSSH Development forums, part of the Networking and Network Related category; On 2007-11-11 23:29, Alain Williams wrote: > /* It is possible, if unlikely, that the restricted directory will ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
11-11-2007
|
|||
|
|||
Re: ftp-server patch - restrict user to directory
On 2007-11-11 23:29, Alain Williams wrote:
> /* It is possible, if unlikely, that the restricted directory will have been specified with > * a symlink or .. in it. That will totally blow comparisions in allowed_access(). Resolve this. > */ The likelihood that the restricted directory path will contain a symlink or .. is completely unknown to your patch. In some organizations, the likelihood may be as high as 1. realpath() requires readability on all parent directories, which is also not guaranteed. You could get closer to your desired behavior by doing a stat on the restricted directory, then iteratively calling stat(2) the directory containing the resolved name and checking for identity (device+inode) with the restricted directory, working your way back directory components until either identity is found (allow) or the resolved path is empty (disallow). This emulates what realpath(3) does without having to generate the actual return path, and works because you can stat(2) a directory you can traverse but not read. -- Jefferson Ogata <Jefferson.Ogata@noaa.gov> NOAA Computer Incident Response Team (N-CIRT) <ncirt@noaa.gov> "Never try to retrieve anything from a bear."--National Park Service _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@mindrot.org https://lists.mindrot.org/mailman/li...enssh-unix-dev 
|
 |
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
All times are GMT +1. The time now is 07:25 PM.
