sshd executes ~/.ssh/sshrc without using user's shell
Andrew Bartlett
abartlet at pcug.org.au
Wed Mar 21 19:37:57 EST 2001
Markus Friedl wrote:
>
> On Wed, Mar 21, 2001 at 06:29:56PM +1100, Andrew Bartlett wrote:
> > Markus Friedl wrote:
> > >
> > > On Sat, Mar 17, 2001 at 02:14:22PM +1100, Andrew Bartlett wrote:
> > > > I am considering allowing (relatively) untrusted local users onto my
> > > > fileserver, so they can use SFTP to access their home directories.
> > > >
> > > > I have a custom shell (a taint-mode enabled Perl script) that allows
> > > > users to change their password, which I have modified to only allow a
> > > > '-c' command for the sftp-server.
> > > >
> > > > I have also disabled TCP port forwarding. However, some reading of the
> > > > OpenSSH code suggests that, while most commands sshd executes use the
> > > > user's login shell, the popen call for .ssh/sshrc does not.
> > > > (session.c:1342 and thereabouts).
> > > >
> > > > Is this an issue?
> > >
> > > yes. in the future, subsystems will probably ignore this file.
> >
> > That's good for the subsystems, but as far as I can tell a user with a
> > restricted shell can still execute arbitrary commands, just by not
> > requesting a subsystem. It's the arbitrary commands business that bothers
> > me.
>
> yes, we need a way to restrict groups of users to certain subsystems.
>
In the meantime, does the following patch (compiled, but not tested)
look sensible? The idea is that the user's shell is used to execute the
sh used to run ~/.ssh/rc, giving the power back to the sys-admin as to
what the user can execute.
Thanks for your time,
Andrew Bartlett
--
Andrew Bartlett
abartlet at pcug.org.au
-------------- next part --------------
--- session.orig Fri Mar 9 18:51:12 2001
+++ session.c Sun Mar 11 21:13:39 2001
@@ -1332,9 +1337,10 @@
if (!options.use_login) {
if (stat(_PATH_SSH_USER_RC, &st) >= 0) {
if (debug_flag)
- fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, _PATH_SSH_USER_RC);
+ fprintf(stderr, "Running %s -c \"%s %s\"\n", shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
- f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w");
+ snprintf(buf, sizeof buf, "%s -c \"%s %s\"", shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
+ f = popen(buf, "w");
if (f) {
if (auth_proto != NULL && auth_data != NULL)
fprintf(f, "%s %s\n", auth_proto, auth_data);
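Review bot: popen() on the added `f = popen(buf, "w");` line still passes the whole string to /bin/sh, so `shell` is word-split and interpreted by /bin/sh before the user's shell ever runs. A login shell path containing whitespace or shell metacharacters would not be executed as intended, and the restriction then depends on how /bin/sh parses the string. Consider a fork() plus exec of `shell` with an explicit argv of "-c" and the rc command, with a pipe for the auth_proto/auth_data input, so no intermediate /bin/sh is involved. Separately, the return value of `snprintf(buf, sizeof buf, ...)` is not checked, so a long `shell` value would be silently truncated and a different command run; treat truncation as an error and skip the rc file. The hunk also does not show a declaration for `buf`, so please confirm one is in scope with a suitable size. The debug fprintf could print `buf` after it is built instead of repeating the format string, which keeps the logged command and the executed command identical.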