[Bug 2283] New: option to execute command without shell
bugzilla-daemon at mindrot.org
Thu Oct 2 11:02:36 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2283
Bug ID: 2283
Summary: option to execute command without shell
Product: Portable OpenSSH
Version: 6.6p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: pabs3 at bonedaddy.net

ssh has always been confusing when it comes to quoting because it runs
commands on the remote side with the system shell. It would be nice if
there were a mode where commands could be run using fork()+exec() or
similar, without invoking the shell. This would help avoid quoting
confusion, shell metacharacter attacks and things like shellshock.

This appears to require a protocol extension to work since RFC 4254
specifies just a string to be passed with exec:

https://tools.ietf.org/html/rfc4254#section-6.5

There could be:

A client-side option to turn it on.

A server-side option (sshd_config, authorized_keys) to allow it.

A server-side option (sshd_config, authorized_keys) to disallow
in-shell commands and interactive shells.

A way to pass the original command requested by the user to the forced
command that uses NUL characters to separate arguments instead of
spaces. Maybe ORIGINAL_SSH_COMMAND_N environment variables would be the
way to do it.
--
You are receiving this mail because:
You are watching the assignee of the bug.
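
The quoting problem described in the report, as an added example that is not part of the original bug report or of OpenSSH: the client's argument list is flattened into the single RFC 4254 exec string and re-parsed by a shell on the other side. It assumes /bin/sh stands in for the remote login shell; `show`, `wire_command`, `quoted_wire_command` and `remote_view` are hypothetical names, and the sample arguments are constructed.

```python
import shlex
import subprocess

# Hypothetical stand-in for a remote program: prints each argument it
# receives on its own line. Defined as a shell function so the demo is local.
SHOW = 'show() { for a in "$@"; do printf "%s\\n" "$a"; done; }; '

# Constructed sample: the argument vector the user means to run remotely.
ARGV = ["show", "my file.txt", "x; show second-command"]


def wire_command(argv):
    """The ssh client joins its command arguments with single spaces."""
    return " ".join(argv)


def quoted_wire_command(argv):
    """Client-side workaround: quote every argument for a POSIX shell."""
    return " ".join(shlex.quote(arg) for arg in argv)


def remote_view(command):
    """Parse the exec string with /bin/sh -c (assumed login shell) and
    return the arguments that reached show, across all invocations."""
    result = subprocess.run(["/bin/sh", "-c", SHOW + command],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    for build in (wire_command, quoted_wire_command):
        command = build(ARGV)
        print(f"{build.__name__}: {command!r} -> {remote_view(command)}")
```

shlex.quote only produces quoting for POSIX shells, so this workaround depends on the account's login shell, which is the dependency a shell-free exec mode would remove.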