EldoS | Feel safer!

logging into sFTP with Putty allows navigation of entire disk

#16860
Posted: 06/28/2011 08:24:46
by William dossett (Basic support level)
Joined: 06/10/2011
Posts: 3

When I use Putty to log in to the sFTP server in SSH mode using the user and password configured in the config file, it puts me directly into the c:\windows\system32 directory (note the root in the config file is c:\sftp\in and a normal sFTP client adheres to this).

This is a security risk as the system could be damaged or otherwise compromised by a malicious user.
#16861
Posted: 06/28/2011 08:42:17
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

The directory in which the command processor is started is configurable (though this feature is not used in the sample server project). You can specify an alternative home directory with the TElShellSSHSubsystemHandler.CurrentDirectory property.
#16862
Posted: 06/28/2011 09:04:49
by Eugene Mayevski (EldoS Corp.)

The SFTP server component doesn't work with disk files and knows nothing about win32. It's your code (in the sample, it's the sample's code) that performs actual access to files, so you can control access the way you need.

Also you should notice that the default handler doesn't impersonate the logged-in user, i.e. the user has the same permissions that the server software has. The ImpersonateUser Windows API function can be called upon user login to change permissions.


Sincerely yours
Eugene Mayevski
#16864
Posted: 06/28/2011 11:11:46
by Mike Wood (Priority Standard support level)
Joined: 06/28/2011
Posts: 1

Quote:
> It's your code (in the sample, it's the sample's code) that performs actual access to files, so you can control access the way you need.

You mention it's in the sample code, could you point to the code that does this please?

Thanks

Mike
#16868
Posted: 06/28/2011 12:47:56
by Ken Ivanov (EldoS Corp.)

Could you please clarify whether you are asking about SSH or SFTP access to files?
#16870
Posted: 06/28/2011 13:10:51
by William dossett (Basic support level)
Joined: 06/10/2011
Posts: 3

Putty is a remote login client that utilises SSH. It is SSH. When we use Putty to connect to the server it allows us access and ignores the root directory in the server configuration. It allows the Putty user full access to the disk files.
#16872
Posted: 06/28/2011 13:48:17
by Eugene Mayevski (EldoS Corp.)

By Putty people sometimes refer to the SSH client and sometimes to its SFTP counterpart. In the case of shell access (this is what SSH itself provides, not talking about SFTP) the only way to control / prevent access to unneeded folders is to impersonate the logged-in user and restrict his account's access. Impersonation can be done in event handlers: either in OnAuth{method}() or in OnBeforeSession*(). You need to have the user's name and password as known to Windows to perform impersonation.


Sincerely yours
Eugene Mayevski
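Editor's note, added to this thread and not part of any post above nor of the EldoS sample code: the two replies above describe two separate controls, and it is worth seeing them side by side. Setting CurrentDirectory only chooses where the shell starts; it is not a boundary, since the user can still cd to c:\windows\system32. The boundary comes from Windows ACLs, and those only apply to the connection if the server obtains a token for the Windows account the client authenticated as and performs the session's work under it. The C# below (names such as SftpSecurity, Logon, ReadFileAs, ResolveInsideRoot and the root C:\sftp\in are this example's own assumptions, not SecureBlackbox API) shows that pattern for the file access the thread says is the application's own code: LogonUserW to validate the credentials against Windows, WindowsIdentity.RunImpersonated to scope every disk call to that token, and a root-confinement check on the SFTP path so a client cannot escape the configured root even where the service account could. How to wire this into the component's OnAuth*/OnBeforeSession* events is not shown; the thread names those hooks, and the example only provides what they would call.

```csharp
// Added example (not EldoS / SecureBlackbox code). Demonstrates impersonating the
// authenticated Windows user around the server's own file access, plus confining
// SFTP paths to a configured root. Root, class and method names are assumptions.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class SftpSecurity
{
    // Assumed: the root directory from the server's config file.
    const string Root = @"C:\sftp\in";

    // Win32 constants for LogonUser. A network logon is enough for file access
    // and avoids creating an interactive session on the server.
    const int LOGON32_LOGON_NETWORK    = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUserW(string userName, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Validate the SSH user's credentials against Windows (not the config file)
    // and return a token for that account. Call this from the authentication
    // event with the name and password the client presented.
    public static SafeAccessTokenHandle Logon(string user, string domain, string password)
    {
        if (!LogonUserW(user, domain, password, LOGON32_LOGON_NETWORK,
                        LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // bad password, disabled account, ...
        return token;
    }

    // Perform the disk access as the authenticated user. Impersonation is
    // per-thread, so it is scoped around the I/O itself rather than set once in a
    // callback that may run on a different thread than the one doing the reads.
    public static string ReadFileAs(SafeAccessTokenHandle token, string clientPath)
    {
        string local = ResolveInsideRoot(clientPath);
        return WindowsIdentity.RunImpersonated(token, () => File.ReadAllText(local));
    }

    // Map an SFTP-style path ("/in/report.txt", "../../windows/win.ini",
    // "C:/Windows/system32") to a local path and refuse anything that, after
    // normalisation, does not sit under Root. Path.GetFullPath collapses ".."
    // segments; Path.Combine returns the second argument unchanged when it is
    // rooted, which is exactly why the prefix check below is required.
    public static string ResolveInsideRoot(string clientPath)
    {
        string rel  = clientPath.Replace('/', Path.DirectorySeparatorChar)
                                .TrimStart(Path.DirectorySeparatorChar);
        string full = Path.GetFullPath(Path.Combine(Root, rel));

        string rootWithSep = Root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        bool inside = full.Equals(Root, StringComparison.OrdinalIgnoreCase)
                   || full.StartsWith(rootWithSep, StringComparison.OrdinalIgnoreCase);
        if (!inside)
            throw new UnauthorizedAccessException("path escapes root: " + clientPath);
        return full;
    }

    // Constructed usage: credentials would come from the SSH authentication event.
    static void Main()
    {
        using (SafeAccessTokenHandle token = Logon("sftpuser", ".", "password-from-client"))
        {
            Console.WriteLine(ReadFileAs(token, "/report.txt"));        // served from Root
            try { ReadFileAs(token, "../../Windows/win.ini"); }          // rejected before any I/O
            catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
        }
    }
}
```

Two caveats a practitioner should keep in mind when applying this to the shell case that started the thread. First, thread impersonation does not carry into a child process: CreateProcess started from an impersonating thread uses the process token, so a command processor must be launched with CreateProcessAsUser (or CreateProcessWithLogonW) and the token from Logon, otherwise the shell still runs as the service account. Second, impersonation only helps if the service account itself is not LocalSystem or an administrator; running the server under a dedicated low-privilege account limits what is exposed even before any per-session impersonation is in place.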