sshd executes ~/.ssh/sshrc without using user's shell
Markus Friedl
Markus.Friedl at informatik.uni-erlangen.de
Wed Mar 21 19:03:46 EST 2001
On Wed, Mar 21, 2001 at 06:29:56PM +1100, Andrew Bartlett wrote:
> Markus Friedl wrote:
> >
> > On Sat, Mar 17, 2001 at 02:14:22PM +1100, Andrew Bartlett wrote:
> > > I am considering allowing (relitivly) untrusted local users onto my
> > > fileserver, so they can use SFTP to access their home directories.
> > >
> > > I have a custom shell, (a taint-mode enabled perl script) that allows
> > > users to change their password, which I have modifed to only allow a
> > > '-c' command for the sftp-server.
> > >
> > > I have also disabled TCP port forwarding. However, some reading of the
> > > OpenSSH code suggests that, while most commands sshd excutes use the
> > > users login shell, the popen call for .ssh/sshrc does not.
> > > (session.c:1342 and there-abouts).
> > >
> > > Is this an issue?
> >
> > yes. in the future, subsystems will probably ignore this file.
>
> Thats good for the subsystems, but as far as I can tell a user with a
> restricted shell can still execute arbitary commands, just by not
> requesting a subsystem. Its the arbitary commands buisness that bothers
> me.
yes, we need a way to restrict groups of users to certain subsystems.
> >
> > > Or do I have bigger things to worry about?
> >
> > nothing that i can think of.
>
> Thats good, Thanks
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> abartlet at pcug.org.au
More information about the openssh-unix-dev
mailing list