
I've configured SFTP on my virtual machine, because I wanted to test how I can use a symlink to access files outside of the user's home directory.

I've created user:

test:x:1003:1001::/var/www/test/public:/bin/false

Ownership and permissions:

drwxr-xr-x  root root test

drwxr-xr-x test sftpusers public

Here is my sshd_config:

Subsystem sftp internal-sftp

#UsePAM no

Match group sftpusers
ChrootDirectory /var/www/%u
AuthorizedKeysFile /var/www/%u/.ssh/authorized_keys
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

After that I logged in to my SFTP account and from there I did:

sftp> symlink / /public/root

I think most of the servers which use SFTP are configured in a similar way.

So, what can be done in order to prevent symlink attack?


2 Answers


The problem is that the symlink looks different in the chrooted environment and from the point of view of Apache/the web server.

Unless the symlinks are necessary for the users, the obvious option is to forbid users connecting over sftp to create symlinks. You can do that using a parameter to sftp-server:

internal-sftp -P symlink
  • Yes, that's one way of blacklisting symlink - http://man.openbsd.org/sftp-server, but I'm not sure if this is sufficient protection in this case... – Mirsad Mar 16 '17 at 12:04
  • If the user cannot create a symlink, then you should be safe against this attack vector. If the users have other ways of accessing the filesystem, they can create the symlink a different way. On the other hand, you can also set up some other access control, such as SELinux, that could prevent Apache processes from browsing `/`. – Jakuje Mar 16 '17 at 12:08
  • This does not work in OpenSSH version 6.1 (or earlier) but does work in version 7.4 (and presumably later); I don't know which version of ssh/sftp got this feature. – William Mar 15 '19 at 21:03
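The following shell script is an added example; it is not code from the question, the answer, or OpenSSH. It rebuilds the /var/www/test/public layout from the question under a temporary directory and creates the same `symlink / /public/root` link, then resolves that link twice: once the way the chrooted sftp process sees it (absolute targets are looked up under the chroot, so "/" is /var/www/test) and once the way Apache, which is not chrooted, sees it (the kernel resolves "/" to the real root). It then writes two constructed sshd_config fragments, the posted one and one carrying the `-P symlink` fix from the answer, and checks each for the fix. The temporary paths, the helper names and the sample configs are assumptions for the demonstration; the `-P` option itself is assumed to be supported by the server, which the comment above reports for OpenSSH 7.4 but not 6.1.

```sh
#!/bin/sh
# Added example, not from the original post. Reproduces the layout in the
# question under a temporary directory and shows why the link is dangerous,
# then checks an sshd_config for the "-P symlink" fix from the answer.

# Build a throwaway copy of /var/www/test/public and create the same link the
# user made with "sftp> symlink / /public/root". Prints the chroot directory.
make_demo_chroot() {
    demo=$(mktemp -d)                  # assumption: a temp dir stands in for the real tree
    mkdir -p "$demo/var/www/test/public"
    # Inside the chroot "/" is /var/www/test, so the stored target is literally "/"
    ln -s / "$demo/var/www/test/public/root"
    printf '%s\n' "$demo/var/www/test"
}

# View 1: the chrooted sftp process. Absolute link targets are looked up
# relative to the chroot, so a target of "/" is the chroot itself.
resolve_in_chroot() {                  # $1 = chroot dir, $2 = link path inside it
    target=$(readlink "$1/$2")
    case "$target" in
        /*) printf '%s\n' "$1${target%/}" ;;
        *)  printf '%s\n' "$1/$(dirname "$2")/$target" ;;
    esac
}

# View 2: Apache, or any process that is not chrooted. The kernel resolves
# the very same target "/" as the real root of the filesystem.
resolve_outside_chroot() {             # same arguments as resolve_in_chroot
    readlink -f "$1/$2"
}

# The Match block from the question, reduced to the relevant lines:
# the symlink request is allowed.
write_weak_config() {                  # $1 = output file
    cat > "$1" <<'EOF'
Subsystem sftp internal-sftp
Match group sftpusers
    ChrootDirectory /var/www/%u
    ForceCommand internal-sftp
EOF
}

# The same block with the fix from the answer. -P is a denylist of sftp
# requests; the ForceCommand inside the Match wins, so both lines carry it.
write_fixed_config() {                 # $1 = output file
    cat > "$1" <<'EOF'
Subsystem sftp internal-sftp -P symlink
Match group sftpusers
    ChrootDirectory /var/www/%u
    ForceCommand internal-sftp -P symlink
EOF
}

# Returns 0 when every internal-sftp invocation in the file (Subsystem or
# ForceCommand) denies the symlink request via -P, 1 if any does not.
sftp_symlink_denied() {                # $1 = path to sshd_config
    grep -Ei '^[[:space:]]*(Subsystem[[:space:]]+sftp|ForceCommand)[[:space:]]+internal-sftp' "$1" |
    awk '
        {
            denied = 0
            for (i = 1; i < NF; i++)
                if ($i == "-P" && tolower($(i + 1)) ~ /(^|,)symlink(,|$)/)
                    denied = 1
            if (!denied) bad++
        }
        END { exit bad ? 1 : 0 }
    '
}

demo_main() {
    jail=$(make_demo_chroot)
    echo "sftp (chrooted) resolves public/root to: $(resolve_in_chroot "$jail" public/root)"
    echo "Apache (not chrooted) resolves it to:    $(resolve_outside_chroot "$jail" public/root)"
    weak=$(mktemp); fixed=$(mktemp)
    write_weak_config "$weak"; write_fixed_config "$fixed"
    for f in "$weak" "$fixed"; do
        if sftp_symlink_denied "$f"; then echo "$f: symlink denied"; else echo "$f: symlink ALLOWED"; fi
    done
    rm -rf "${jail%/var/www/test}" "$weak" "$fixed"
}
demo_main
```

The two resolve functions print different directories for the same link, which is the whole problem: sftp-server never lets the user out of /var/www/test, but Apache reading /var/www/test/public/root walks the real filesystem root. The check is deliberately strict and requires `-P ...symlink...` on both the Subsystem line and the ForceCommand line, since the ForceCommand in the Match block is what the sftpusers group actually runs.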
Can someone please explain to me how this could be exploited?