Using /bin/sh to exec subsystems [PATCH]

Andrew Bartlett abartlet at pcug.org.au
Sat May 26 12:36:35 EST 2001 

Patrick Higgins wrote:
> 
> That's clever. I guess my only reservation about that sort of thing is I
> prefer my security-critical code to be peer-reviewed, not something I
> cook up myself. That's why I'd like to see the solution be a direct part
> of OpenSSH (where I know it will be audited).
> 
> Your solution is very flexible, though. Perhaps we could put your script
> (or a similar one) in the contrib directory so that everyone can at
> least start with a well-written restricted shell, and hope that the
> customization process doesn't ruin it?
> 
> -Pat
> 
> > The way I have set it up is a simple taint-mode enabled perl script, it
> > checks for command options, and if it is a permitted program
> > (sftp-server) then the server is run (hardcoded path).  If we get
> > another subsystem, I just add an elsif.  If they specify nothing, they
> > get a password change prompt (the inital reason for the script).
> >
> > Andrew Bartlett

Attached.  Freely redistribute.

-- 
Andrew Bartlett
abartlet at pcug.org.au
-------------- next part --------------
#!/usr/bin/perl -Tw
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
my %args;
use strict;
use Getopt::Std;
# -c ARG, sets $opt_c
getopts("c:", \%args);
if (defined $args{'c'}) {
	if ($args{'c'} eq '/usr/libexec/openssh/sftp-server') {
		exec('/usr/libexec/openssh/sftp-server');
	} else {
		exit 1;
	};
};

my @passwd = getpwuid($>);

my $home = $passwd[7];

my $maildir = $home.'/Maildir';

if (!(-d $maildir)) {
	(system('/usr/bin/maildirmake',$maildir) == 0) or die "Could not add maildir";
}

my ($passout);
print "\n";
print "UNAUTHORISED ACCESS TO THIS SYSTEM IS PROHIBITED\n";
print "================================================\n\n";
print "Basic RULES:\n";
print "  Do not share your password or account with anybody.\n";
print "  Do not login to the server from more than one computer at a time\n";
print "  Keep your account within its quota\n";
print "\n";  	
print "Do you agree with these rules and the conditions of use,\n as stated on the website (http://jessie)?\n\n";
print "Type 'yes' to agree, 'no' to quit: ";
if (<> =~ /^yes$/i) { 
	print "\n\n Initiating PASSWORD CHANGE\n  (Your UNIX password is the one you just logged in with)\n\n";
	$passout = system('/usr/bin/passwd');
	if ($passout == 0) {
		print "\n\n\n PASSWORD CHANGED \n\n";
	};
};

More information about the openssh-unix-dev mailing list