ssh-dummy-shell
Dan Astoorian
djast at cs.toronto.edu
Sat Nov 24 07:16:28 EST 2001
On Fri, 23 Nov 2001 14:40:55 EST, Markus Friedl writes:
>
> there is a big difference between reading/writing files and
> having full access to a system. or what am i missing?
One must be careful: if $HOME/.ssh is writable or can be made so,
$HOME/.ssh/environment is an attack vector.
In particular, I believe it is possible to set LD_PRELOAD there to an
uploaded library, which the dynamic linker will load when running
commands on behalf of the user during subsequent SSH sessions (including
sftp-server itself); this allows arbitrary code to run.
As a quick test, I just tried setting my shell to sftp-server (or, for
that matter, /bin/false), and adding "LD_PRELOAD=/dev/null" to
$HOME/.ssh/environment; ssh'ing to an account configured in this manner
produces errors from ld.so.1, indicating that the dynamic linker is
indeed honoring this variable.
If setting the user's shell to sftp-server is to be a supported solution
for allowing file-transfer-only accounts, it's either necessary to
prominently document that $HOME should not be writable, or to modify
OpenSSH's behaviour so that LD_* and any other dangerous variables
cannot be set in $HOME/.ssh/environment.
There may be additional holes of this type; if the latter solution is
adopted, further auditing is warranted.
By the way,
http://www.snailbook.com/faq/restricted-scp.auto.html
is a good starting point with respect to the original question.
--
Dan Astoorian
Sysadmin, CSLab
djast at cs.toronto.edu
www.cs.toronto.edu/~djast/

People shouldn't think that it's better to have loved and lost than never loved at all. It's not, it's better to have loved and won. All the other options really suck. --Dan Redican
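The checks the post calls for, as an added shell audit that is not part of the original thread: it flags a home or .ssh directory that the sftp-only account can modify, and any LD_* (or similar loader) variable in ~/.ssh/environment. Function names and the constructed sample inputs are my own.

```shell
#!/bin/sh
# Added audit helper, not code from the original thread. Flags the conditions
# the post describes for an sftp-only account: the account owning (or anyone
# else being able to write) $HOME or $HOME/.ssh, and $HOME/.ssh/environment
# setting a dynamic-linker variable. Function names are my own; the file
# format (NAME=value lines, '#' comments) is the one sshd reads.

# dangerous_env_var NAME -> 0 if NAME can influence the dynamic linker.
dangerous_env_var() {
    case "$1" in
        LD_*|DYLD_*|LIBPATH|SHLIB_PATH) return 0 ;;
        *) return 1 ;;
    esac
}

# user_can_write USER PATH -> 0 if USER owns PATH or PATH is group/other-
# writable. Relies on the fixed 'ls -ld' layout: column 3 is the owner,
# characters 6 and 9 of the mode string are the group and other write bits.
user_can_write() {
    owner=$(ls -ld "$2" | awk '{print $3}')
    mode=$(ls -ld "$2" | cut -c1-10)
    [ "$owner" = "$1" ] && return 0
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# check_sftp_home USER HOME -> 0 if clean, 1 if any finding (printed to stdout).
check_sftp_home() {
    user=$1; home=$2; rc=0
    for d in "$home" "$home/.ssh"; do
        if [ -d "$d" ] && user_can_write "$user" "$d"; then
            echo "WRITABLE: $user can modify $d"; rc=1
        fi
    done
    envfile=$home/.ssh/environment
    if [ -f "$envfile" ]; then
        # Same line syntax sshd accepts: skip blanks and '#' comments,
        # take the part before the first '=' as the variable name.
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            if dangerous_env_var "${line%%=*}"; then
                echo "DANGEROUS: $envfile sets ${line%%=*}"; rc=1
            fi
        done < "$envfile"
    fi
    return $rc
}
```

Later OpenSSH releases read ~/.ssh/environment only when PermitUserEnvironment is enabled in sshd_config, so the environment check matters on hosts where that option is on; the ownership check applies regardless.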