[prev in list] [next in list] [prev in thread] [next in thread]
List: debian-user
Subject: Report a severe security vulnerability
From: Leandro neto <lemeln84 () uol ! com ! br>
Date: 2020-10-28 18:25:19
Message-ID: 5f99b78fad161_3bd72aac2838710c42310 () ip-10-81-19-67 ! ec2 ! internal ! mail
[Download RAW message or body]
<p>Report a severe security vulnerability<br />
<br />
Hi guys sorry form any inconvenience I would like to report what i am thinking a \
severe security vulnerability that affects all Debian based distros. it was on python \
3 files i am sending a link to every malign list that i am subscribed. IAM NOT \
A PROFESSIONAL. FELL FREE TO REMOTE ACCESS MY MACHINES ANYTIME. if i am wrong my \
apology. but i think on my little knowledge certain has something in there. There is \
a lot of files on the link. I am trying to upload the raw files. but every distro \
brakes. it shows 140.7 tbTB!!! yes 104000 gbt that fits on a flash drive of 32gb is \
is very difficult to me to use interment. am being hunting down. so this is my last \
try. contact only by phone number. because the monitored and listen everything \
mine. is like a movie but is true.+552122366155 +552121796156 sorry but i \
don't know to tell this to anyone. because they don't believe.</p> link with \
the photos this is the link for linux distros <a \
href="https://photos.app.goo.gl/oHRP5Z8JEoT9Q4GN9">https://photos.app.goo.gl/oHRP5Z8JEoT9Q4GN9<br \
/> <br />
link for the other systems osx windows andorid... </a><br />
<br />
<a href="https://photos.app.goo.gl/BsBCuYtVtE4VwGUC9">https://photos.app.goo.gl/BsBCuYtVtE4VwGUC9</a><br \
/>
<div><u>this is the link of the windows apple etc...<br />
<br />
best regards leandro leme neto</u></div>
<p> </p>
<hr />
<div><br />
<strong>De: </strong>"Markus Schönhaber" \
<debian-user@list-post.mks-mail.de><br /> <strong>Enviada: </strong>2020/10/28 \
14:51:42<br /> <strong>Para: </strong>debian-user@lists.debian.org<br />
<strong>Assunto: </strong> Re: Qemu 9pfs sftp chrootdirectory option issue<br />
</div>
28.10.20, 18:30 +0100 john doe:<br />
<br />
> On 10/21/2020 11:02 PM, Markus Schönhaber wrote:<br />
>> 21.10.20, 19:11 +0200, john doe:<br />
>><br />
>>> On 10/20/2020 7:59 PM, Markus Schönhaber wrote:<br />
>><br />
>>>> How about moving the 9pshare to a root-owned directory and pointing \
the<br /> >>>> ChrootDirectory there, for example:<br />
>>>> share -> /all/owned/by/root/9pshare<br />
>>>> ChrootDirectory -> /all/owned/by/root<br />
>>>><br />
>>><br />
>>> Thank you for this.<br />
>>><br />
>>> I can only do that if 'passthrough' is used, as I don't \
realy understand<br /> >>> the implecations of running qemu as root, I was \
hoping to find a way<br /> >>> with 'mapped'.<br />
>>> 'mapped' requires that the directory on the host is set to the \
group and<br /> >>> user used by qemu, 'libvirt-qemu in this case.<br />
>><br />
>> I don't see the problem with chown'ing the 9pshare directory to the \
qemu<br /> >> user in my example above.<br />
>><br />
><br />
> Okay, following your instructions I can now connect using sftp but I can<br />
> not access the content of the share:<br />
<br />
No, you seemingly didn't follow what I said.<br />
<br />
> $ ls -dl /srv/sftp/9p<br />
> drwx------ 8 root root ... /srv/sftp/9p<br />
<br />
Isn't "9p" supposed to be the share directory? If it is, why is it \
owned<br /> by root and has these restrictive permissions?<br />
<br />
Assuming<br />
ChrootDirectory -> /srv/sftp -> make this root:root, drwxr-xr-x<br />
share -> /srv/sftp/9p -> make this libvirt-qemu:libvirt-qemu, drwxr-xr-x<br />
<br />
> $ sftp sftp9p<br />
> Connected to sftp9p.<br />
> sftp> ls<br />
> remote readdir("/"): Permission denied<br />
<br />
Of course. Guessing from what you wrote above, only root can even list<br />
the directory's contents (or change into it, in the first place).<br />
<br />
--<br />
Regards<br />
mks<br />
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic