[PATCH] Re: restricted shell
Andrew Bartlett
abartlet at pcug.org.au
Mon Apr 30 23:42:08 EST 2001
Markus Friedl wrote:
>
> On Sat, Apr 28, 2001 at 12:44:32PM -0400, Gyepi SAM wrote:
> > On Sat, Apr 28, 2001 at 06:24:48PM +0200, Markus Friedl wrote:
> > > it's easier if the sftp-server does chroot.
> >
> > But then scp would also have to do the same thing if we are allowing both.
> > It would seem easier to be to leave sftp-server and scp as they are and
> > centralize the chroot and other related local security measures in the
> > restricted shell, no?
>
> no :)
>
> if sshd chroots, you need to copy the (static?) sftp-server
> to every home-dir. this is no fun on solaris, just
> look at the mess ssh-chrootmgr(1) creates.
>
> > > additionally you have to disallow writing of $HOME,
> > > restrict sftp to subdirs only. otherwise the user
> > > can modify .ssh or .forward...
> >
> > I would leave this as an administrator option since I can imagine scenarios
> > where both of those actions might be desirable.
>
> yes, but they are usually not aware of this.
>
> -m
What about just adding realpath() checks to all the paths used in sftp?
Not as secure as a chroot setup I agree, but I would have thought it
might just be simple enough to work without yet another set-uid binary.
(One of the reasons I deployed sftp at my site was that it did not
require a root-run process/set-uid root program to do any of the work).
Also, while we are looking at restricted shells, adding this patch might
be worth it (if it's not added already, I never got confirmation - and
haven't been following OpenSSH as much recently). (Then again, I can't
find a record I sent it either...) I'm also not sure how much testing
it got.
Andrew Bartlett
--
Andrew Bartlett
abartlet at pcug.org.au
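One way to implement the realpath() check suggested in the message above, as an added example that is not from the original post or from OpenSSH; the function names and the /tmp sample root are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: 1 if `path` resolves to `root` or below it, else 0.
 * realpath() resolves "..", "." and symlinks on both sides before the
 * comparison. Fails closed when either path cannot be resolved. */
int path_within_root(const char *root, const char *path)
{
    char rroot[PATH_MAX], rpath[PATH_MAX];
    size_t n;
    if (realpath(root, rroot) == NULL || realpath(path, rpath) == NULL)
        return 0;
    n = strlen(rroot);
    if (n == 1) return 1;             /* root is "/": everything is inside */
    if (strncmp(rroot, rpath, n) != 0)
        return 0;
    /* Component boundary: /home/bob must not match /home/bobby. */
    return rpath[n] == '\0' || rpath[n] == '/';
}

/* Hypothetical helper for a target that may not exist yet (upload, mkdir):
 * check the parent directory and refuse "." / ".." as the final component. */
int new_path_within_root(const char *root, const char *path)
{
    char parent[PATH_MAX];
    const char *slash = strrchr(path, '/');
    const char *leaf = slash ? slash + 1 : path;
    size_t plen;
    if (*leaf == '\0' || strcmp(leaf, ".") == 0 || strcmp(leaf, "..") == 0)
        return 0;
    if (slash == NULL)
        return path_within_root(root, ".");
    plen = (slash == path) ? 1 : (size_t)(slash - path);
    if (plen >= sizeof parent)
        return 0;
    memcpy(parent, path, plen);
    parent[plen] = '\0';
    return path_within_root(root, parent);
}

int main(void)
{
    /* Constructed sample paths; /tmp stands in for the user's directory. */
    printf("%d %d\n", path_within_root("/tmp", "/tmp/../etc/passwd"),
           new_path_within_root("/tmp", "/tmp/upload.bin"));
    return 0;
}
```

The check and the later open() are separate steps, so a symlink swapped in between them, or an existing symlink as the final component of a new path, is not caught by this code.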
-------------- next part --------------
--- openssh-2.5.1p1/session.orig Fri Mar 9 18:51:12 2001
+++ openssh-2.5.1p1/session.c Fri Mar 9 22:43:54 2001
@@ -1332,9 +1333,10 @@
if (!options.use_login) {
if (stat(_PATH_SSH_USER_RC, &st) >= 0) {
if (debug_flag)
- fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, _PATH_SSH_USER_RC);
+ fprintf(stderr, "Running %s -c \"%s %s\"\n", shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
- f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w");
+ snprintf(buf, sizeof buf, "%s -c \"%s %s\"", shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
+ f = popen(buf, "w");
if (f) {
if (auth_proto != NULL && auth_data != NULL)
fprintf(f, "%s %s\n", auth_proto, auth_data);
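Review bot: the added snprintf() into buf is not checked for truncation before popen(buf, "w"), so a long `shell` path would leave a cut-off command string (possibly with an unterminated double quote) being executed; compare the return value against sizeof buf and skip running the rc file if it does not fit. On the same two lines, `shell` is pasted unquoted into a string that popen() itself hands to /bin/sh -c, so a shell path containing spaces or metacharacters is interpreted by that outer /bin/sh before the user's shell starts, and the inner command sits inside double quotes where the outer shell still expands `$` and backquotes. The two macros are compile-time constants, so the exposure is the `shell` value; either quote it or build an argv and use pipe/fork/exec instead of popen. The declaration of buf is not in this hunk; the header's one-line offset (1332 vs 1333) suggests it is added earlier in the file, which is worth confirming.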