Larry Hall (Cygwin) | 2 Dec 17:56

Re: Finally managed to create a jailed SFTP server, but how secure?

TheO wrote:
> 
>> If you're happy with the results, that's fine.  However, you asked how
>> secure SFTP was.  The answer is as I've said.  Cygwin is not the O/S.
>> It cannot enforce restrictions on the O/S.  Only the O/S can restrict
>> or grant access to users.
>>
> 
> Thanks Larry,
> 
> The reason why Cygwin is ideal for me to provide SFTP service is that it
> provides a free SFTP solution for Windows platform. My programmers come
> from Windows world, they are more familiar with .NET than Unix but sometimes,
> they are required to build a system featuring an SFTP server where our user
> can upload his files to be processed by our .NET application and finally,
> he download the response files from SFTP. Cygwin makes this possible in an
> economic way.

I understand.  If SFTP under Cygwin fits your needs and you can live
with the risks, then you should continue using it.  I certainly don't
understand your application or its requirements for communication but
given your description above, it seems to me that 'scp' would serve your
purpose and wouldn't rely on limited 'chroot' capabilities.  But I'm
assuming you've already thought of that and have ruled it out for your
own reasons.

>> I have not attempted to set up a jailed SFTP environment on Cygwin.  It
>> may be that what you've done hems the user into the area you want when
>> he/she is using Cygwin tools.  However, this does not restrict the user
>> with Windows native tools.  If he/she is able to leverage those inside
(Continue reading)

Brian Dessent | 2 Dec 17:09

Re: "watch" option processing broken

"Daniel B." wrote:

>     Similarly, if you try "watch --interval=xx echo", you get no report
>     that "xx" is not a valid number, or is not a valid interval value.  It
>     seems that option-parsing messages aren't getting printed out.

I get the usage summary displayed as a result of that command, which is
the normal behavior when an option can't be parsed.

>     Apparently, the -d option code thinks -d takes an argument (taking the "ls"
>     as that argument, leaving only "dir" as the apparent command to run(.

Yes, it seems there is a getopt issue.  But you can work around it by
using the long form: "watch --differences echo" works OK.

Brian

Eric Blake | 2 Dec 06:18

Re: Finally managed to create a jailed SFTP server, but how secure?


According to TheO on 12/1/2008 12:13 PM:
> I did some simple tests to break out my jail. From my SFTP session, I tried to do the following:
> 
>   sftp> cd /cygdrive
>   sftp> cd c
>   Couldn't canonicalise: No such file or directory

Did you verify whether DOS paths, such as c:\, were also blocked?

> But maybe my simple tests are not enough. Maybe there are some special file names which are not mapped to any
> directory or file but are interpreted internally by Cygwin to designate some directories outside the jail.

To repeat what we have already told you multiple times: cygwin does NOT
enforce the jail.  And without OS support to do so, we are not in a
position to state that your jail is secure; so with security in mind, you
must consider the SFTP connection, even in its chroot jail, to be only as
secure as the restricted rights that you are able to enforce on the
Windows user id in use when you make the SFTP connection.

--
Don't work too hard, make some time for fun as well!

Eric Blake             ebb9 <at> byu.net
Matthias Meyer | 1 Dec 23:14

Re: NT-Authority/System will be file owner after rsync restore

Larry Hall (Cygwin) wrote:
> 
> Could be.  I don't know much about rsync.  However, if that is the
> uid/gid, it maps to -1 (don't know why it's represented as a 32-bit value
> though.) Anyway, if you and I are right, then my WAG is that your
> '/etc/passwd' and/or '/etc/group' file(s) are wrong.
> See <http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-ids> for more
> details on Cygwin special IDs.
> 
Thanks Larry,

One step to the goal ;-)

I lost my /etc/passwd and /etc/group. Do not know why :-(
I created new ones with:
bin>mkpasswd -l > /etc/passwd
bin>mkpasswd -g > /etc/group

I created a new file /etc/test.txt:
bin>ls -alh /etc/test.txt
-rwx------+ 1 meyer Kein 0 Dec  1 23:01 /etc/test.txt

Then I ran a backup.
After that my backup-protocol shows:
  create   644    18/544           0 etc/Test.txt

But 18/544 is SYSTEM:Administratoren
as /etc/passwd -> SYSTEM:*:18:544:,S-1-5-18::
and /etc/group -> Administratoren:S-1-5-32-544:544:
shows.
(Continue reading)

mailadmin | 1 Dec 23:58

Executable File Violation

You attempted to send a message that contained an executable file.  The sending of executable files via
email is prohibited.  The message was not delivered.

For more assistance contact spam-support <at> infosec.fedex.com.
Subject: Mail System Error - Returned Mail

Some parts of this message were removed because they violated your mail server's policies.

trackingmail <at> fedex.com.zip was removed from the message because it violates your mail server's policy.

Subject: Mail System Error - Returned Mail
(Continue reading)

Larry Hall (Cygwin) | 1 Dec 22:09

Re: Finally managed to create a jailed SFTP server, but how secure?

On 12/01/2008, TheO wrote:
> According to my observation, regardless of his authentication (public key 
> or password), he can only see a limited number of directories within the 
> jail environment. The only directory which is virtually added by Cygwin 
> during his login, and therefore beyond my control, is /cygdrive. Luckily 
> enough for me, it is empty so in my opinion the user can't traverse my 
> harddisk.

If you're happy with the results, that's fine.  However, you asked how
secure SFTP was.  The answer is as I've said.  Cygwin is not the O/S.
It cannot enforce restrictions on the O/S.  Only the O/S can restrict
or grant access to users.

I have not attempted to set up a jailed SFTP environment on Cygwin.  It
may be that what you've done hems the user into the area you want when
he/she is using Cygwin tools.  However, this does not restrict the user
with Windows native tools.  If he/she is able to leverage those inside
the jail, then the user has the keys he/she wants to get out.

-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
(Continue reading)

stevench2000 | 1 Dec 21:49

Re: Help needed: first time tried sshd and got stuck not far from the beginning...


Thanks Larry,
Although I am not 100% certain, it may very well be one of the nasty
cases of BLODA.
Looking at the list, I got at least 3 of those applications running at the
background...
Will continue to spend more time to figure it out.

Regards,
Steve

Larry Hall (Cygwin) wrote:
> 
> stevench2000 wrote:
>> Thanks to both of you for the tips.
>> After adding the -ddd option in invoking sshd in the ssh-host-config, I
>> was
>> able to see this error message from the log:
>> 
>>      17 [main] sshd 42180 child_copy: linked dll data write copy failed, 0x245000..0x2452E0, done 0, windows pid 42200, Win32 error 487
>> 
>> Does this look familiar?
> 
> Yes.
> 
>> Do you have any suggestions?
> 
> Yes, two.
(Continue reading)

kalle ko | 1 Dec 21:41

pthread_rwlock_rdlock() returns EDEADLK when trying to call it > once

Possible bug in winsup/cygwin/thread.cc:
...
int
pthread_rwlock::rdlock ()
{
  int result = 0;
  struct RWLOCK_READER *reader;
  pthread_t self = pthread::self ();

  mtx.lock ();

  if (lookup_reader (self))
    {
      result = EDEADLK;
      goto DONE;
    }
...

It doesn't seem like it's possible for a thread to call
pthread_rwlock_rdlock() multiple times, and if a thread does, it will get
a EDEADLK error.

http://opengroup.org/onlinepubs/007908799/xsh/pthread_rwlock_rdlock.html:
	...
	A thread may hold multiple concurrent read locks on rwlock (that is,
	successfully call the pthread_rwlock_rdlock() function n times).
	...
	[EDEADLK]
	    The current thread already owns the read-write lock for writing.
	...
(Continue reading)

Christian Franke | 1 Dec 21:16

Avoid duplicate names in /proc/registry (which may crash find) ?

When dirent.d_type support is added to /proc/registry (see attachment), 
find 4.4.0-3 crashes on keys with duplicate names.

Testcases:

$ find-with-d_type \
/proc/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/ALG/ISV

$ find-with-d_type \
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Services/Eventlog/Security

These keys contain a key and a value with the same name and readdir() 
returns both (with different d_type).

Possible fix to avoid identical names:

1. Put keys and values in different namespaces, e.g.

/proc/registry/path/name.key
/proc/registry/path/name.val

Drawback: Breaks backward compatibility.

or:

2. In readdir(), record the key names in some set<> or hash-table. If 
(and only if) a duplicate name is detected, return a modified name for 
the value:

/proc/registry/path/name
(Continue reading)
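Proposal 2 from the post, as an added example that is not Cygwin's code: given a readdir()-style listing of one registry key in which a subkey and a value share a name, rename only the colliding values so that every name in the listing is unique, which is the invariant find relies on. The listing is constructed, the "%val" suffix is a placeholder (the post's own suffix is cut off), the nested scan stands in for the set<> or hash table the post suggests, and names are compared case-insensitively because registry names are.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

/* Added example, not Cygwin code.  One readdir()-style entry of a registry
 * key listing: the name plus whether it is a subkey (d_type DIR) or a value. */
typedef struct {
    char name[48];
    int is_key;
} reg_entry;

/* Placeholder suffix; the post's own suffix is cut off. */
#define VALUE_SUFFIX "%val"

/* Proposal 2 from the post: a value whose name collides with a subkey of the
 * same parent gets a modified name, keys are never renamed, and nothing
 * changes when there is no collision.  Returns the number of values renamed,
 * or -1 if a renamed name would not fit in the buffer. */
int dedup_registry_names(reg_entry *entries, int n)
{
    int renamed = 0;
    for (int i = 0; i < n; i++) {
        if (entries[i].is_key)
            continue;
        for (int j = 0; j < n; j++) {
            if (!entries[j].is_key || strcasecmp(entries[j].name, entries[i].name) != 0)
                continue;
            if (strlen(entries[i].name) + strlen(VALUE_SUFFIX) >= sizeof entries[i].name)
                return -1;
            strcat(entries[i].name, VALUE_SUFFIX);
            renamed++;
            break;
        }
    }
    return renamed;
}

/* The invariant find needs: no two entries with the same name.  1 = unique. */
int names_unique(const reg_entry *entries, int n)
{
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (strcasecmp(entries[i].name, entries[j].name) == 0)
                return 0;
    return 1;
}

/* Constructed listing (not real registry contents) with one key/value clash.
 * Returns the number of renamed entries when the result is unique, -1 otherwise. */
int demo_dedup(void)
{
    reg_entry listing[] = {
        { "Alpha", 1 },   /* subkey */
        { "Alpha", 0 },   /* value with the same name: this one is renamed */
        { "Beta",  0 },   /* value with no subkey of that name: untouched */
        { "Gamma", 1 },
    };
    int n = (int)(sizeof listing / sizeof listing[0]);
    int renamed = dedup_registry_names(listing, n);
    if (renamed < 0 || !names_unique(listing, n))
        return -1;
    for (int i = 0; i < n; i++)
        printf("%-12s %s\n", listing[i].name, listing[i].is_key ? "(key)" : "(value)");
    return renamed;
}

int main(void)
{
    return demo_dedup() == 1 ? 0 : 1;
}
```

Because only values are renamed, existing paths to keys keep working, which is the compatibility point that separates this proposal from the first one.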

stevench2000 | 1 Dec 06:37

Re: Help needed: first time tried sshd and got stuck not far from the beginning...


Thanks to both of you for the tips.
After adding the -ddd option in invoking sshd in the ssh-host-config, I was
able to see this error message from the log:

     17 [main] sshd 42180 child_copy: linked dll data write copy failed, 0x245000..0x2452E0, done 0, windows pid 42200, Win32 error 487

Does this look familiar?
Do you have any suggestions?

Regards,
Steve

Larry Hall (Cygwin) wrote:
> 
> On 11/29/2008, Matthias Meyer wrote:
>> Please go to your server and run "/usr/sbin/sshd -ddd -D" Maybee your 
>> ssh-server say something about the reason.
> 
> This won't work.  You'll need to set up a new service which invokes
> 'sshd' with the above debug flags and start that service instead.  See
> 'ssh-host-config' for details on setting up such a service using the
> 'cygserver' account.  If you proceed with the above advice, you may
> change the permissions on files that the service needs set for
> 'cygserver',
> effectively breaking 'sshd' when run as a service.
> 
> -- 
(Continue reading)

Sebastian Nohn | 30 Nov 19:01

Problem Starting up XEmacs

Hi,

I have a strange problem starting XEmacs:

$ xemacs
*** Error in XEmacs initialization
(error "Must be string, vector, or font-instance" #<x-device on 
"127.0.0.1:0.0" 0xb17>)
*** Backtrace
   really-early-error-handler((error "Must be string, vector, or 
font-instance" #<x-device on "127.0.0.1:0.0" 0xb17>))
   check-valid-instantiator(#<x-device on "127.0.0.1:0.0" 0xb17> font)
   # bind (result noerror specifier-type spec)
   canonicalize-spec(#<x-device on "127.0.0.1:0.0" 0xb17> font nil)
   # bind (rest result)
   byte-code("..." [specifier-type res2 noerror spec-list result rest 
nil throw cann-spec-list t signal error "Invalid list format" 
canonicalize-spec] 5)
   # (catch cann-spec-list ...)
   # bind (result noerror specifier-type spec-list)
   canonicalize-spec-list((#<x-device on "127.0.0.1:0.0" 0xb17>) font)
   # bind (is-valid nval how-to-add tag-set locale value specifier)
   set-specifier(#<font-specifier global=((default x) . 
"-*-courier-medium-r-*-*-*-120-*-*-*-*-iso8859-*") fallback=((... . 
"Courier New:Regular:10::Western") (... . "Courier:Regular:10::Western") 
(... . "Fixedsys:Regular:9::Western") (... . "Courier 
New:Regular:10::Western") (... . "Courier:Regular:10::Western") (... . 
"normal") ...) 0x1c9> nil #<x-device on "127.0.0.1:0.0" 0xb17> nil nil)
   # bind (how-to-add tag-set locale value property face)
   set-face-property(default font nil #<x-device on "127.0.0.1:0.0" 
(Continue reading)
