ssh-dummy-shell

Dan Astoorian djast at cs.toronto.edu
Tue Nov 27 03:41:26 EST 2001


On Sat, 24 Nov 2001 06:42:52 EST, Markus Friedl writes:
> > 
> > One must be careful: if $HOME/.ssh is writable or can be made so,
> > $HOME/.ssh/environment is an attack vector.
> 
> yes, i mentioned this before.

If I were to submit a simple patch for sftp-server that would cause it
to exit with an error if get_progname(pw->pw_shell) matched
get_progname(argv[0]) AND either pw->pw_dir or (pw->pw_dir)/.ssh was
writable by the user, would such a patch be likely to be accepted?

This would not prevent $LD_PRELOAD from being honoured from
$HOME/.ssh/environment, but it would make it more difficult for the user
to upload the files needed to exploit such a setup; more importantly, it
would make the misconfiguration more visible to the administrator.

I'm presuming that pw->pw_shell and argv[0] having the same basename is
a pretty unambiguous indication that the sysadmin intended the account
to be sftp-only.  It would not cover the case where sftp-server was
being run by a wrapper script like ssh-dummy-shell, however: I can't
think of a simple or reliable way to detect that.

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican
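Added illustration, not part of the original message and not Dan's patch or
OpenSSH's sftp-server code: the refusal condition sketched above, written out
as a stand-alone C program. It reproduces the two tests the message names
(basename of pw->pw_shell equals basename of argv[0]; pw->pw_dir or
pw->pw_dir/.ssh is writable by the user) and exits with an error when both
hold. All function names (progname_of, same_progname, mode_writable_by,
dir_writable_by, sftp_only_account_unsafe) are this example's own, and the
writability test consults only the primary gid, a simplification noted in the
code.

```c
/* Example check for an sftp-only account whose home or ~/.ssh is writable.
 * Illustrative code written for this page; not OpenSSH's sftp-server. */
#include <sys/stat.h>
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same idea as OpenSSH's get_progname(): the component after the last '/'. */
const char *progname_of(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* 1 if the login shell and argv[0] name the same program, which is taken as
 * the sign that the administrator intended an sftp-only account. */
int same_progname(const char *shell, const char *argv0)
{
    if (shell == NULL || argv0 == NULL)
        return 0;
    return strcmp(progname_of(shell), progname_of(argv0)) == 0;
}

/* 1 if a directory owned by (owner, group) with permission bits mode is
 * writable by (uid, gid).  Simplification: only the primary group is
 * consulted; a real check would also walk getgroups().  uid 0 always wins. */
int mode_writable_by(uid_t owner, gid_t group, mode_t mode, uid_t uid, gid_t gid)
{
    if (uid == 0)
        return 1;
    if (owner == uid && (mode & S_IWUSR))
        return 1;
    if (group == gid && (mode & S_IWGRP))
        return 1;
    return (mode & S_IWOTH) != 0;
}

/* stat() the path and apply mode_writable_by.  A path that cannot be
 * stat()ed is treated as not writable: there is nothing to upload into. */
int dir_writable_by(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (path == NULL || stat(path, &st) != 0)
        return 0;
    return mode_writable_by(st.st_uid, st.st_gid, st.st_mode, uid, gid);
}

/* The proposed refusal condition: login shell is sftp-server AND the user can
 * write to $HOME or $HOME/.ssh (and so could plant $HOME/.ssh/environment). */
int sftp_only_account_unsafe(const char *shell, const char *home,
                             const char *argv0, uid_t uid, gid_t gid)
{
    char sshdir[4096];

    if (!same_progname(shell, argv0))
        return 0;                       /* not an sftp-only account */
    if (dir_writable_by(home, uid, gid))
        return 1;
    if (home == NULL ||
        snprintf(sshdir, sizeof sshdir, "%s/.ssh", home) >= (int)sizeof sshdir)
        return 1;                       /* cannot form the path: fail closed */
    return dir_writable_by(sshdir, uid, gid);
}

int main(int argc, char **argv)
{
    struct passwd *pw = getpwuid(getuid());
    (void)argc;
    if (pw == NULL) {
        fprintf(stderr, "no passwd entry for uid %lu\n", (unsigned long)getuid());
        return 1;
    }
    if (sftp_only_account_unsafe(pw->pw_shell, pw->pw_dir, argv[0],
                                 pw->pw_uid, pw->pw_gid)) {
        fprintf(stderr, "%s: refusing to start: %s or %s/.ssh is writable by %s\n",
                progname_of(argv[0]), pw->pw_dir, pw->pw_dir, pw->pw_name);
        return 1;
    }
    /* ... normal sftp-server startup would continue here ... */
    return 0;
}
```

Build with "cc -o sftp-check sftp-check.c" and run it as the account in
question; it exits 1 with a message when the account's shell is named like the
binary and the directories are writable. As the message says, a check of this
kind does not stop $LD_PRELOAD being honoured from $HOME/.ssh/environment on a
server that still reads that file; it only makes the misconfiguration fail
loudly. Later OpenSSH releases read ~/.ssh/environment only when sshd_config
sets PermitUserEnvironment, which defaults to no.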