scp not tolerant of extraneous shell messages

Dan Kaminsky dan at doxpara.com
Wed Jul 3 04:06:54 EST 2002 

>
>
>No. I don't see the connection to macro virii.
>  
>
My apologies, I thought it was more obvious.

I open a file.  I want to read what it has to say.  I want to see its 
images, understand its material, possibly modify it myself.

I don't want it to read what *I* have to say, though.  I don't want it 
to see my images, my material, and absolutely not modify my material.

By sending a mail onto this mailing list, I inserted myself into 
hundreds, maybe thousands of file systems throughout the world.  For 
good or bad, I've been granted the capability to write to a limited 
subset of the data stores of others.  I suspect that ability would be 
revoked quite rapidly if I could execute arbitrary commands with it.

The separation between document and executable goes down to psychology 
-- that which I learn is not that which I do.  Microsoft wrote large 
portions of their "knowledge exchange system"(Word) in an executable 
language; it's why the platform is quite virus ridden now.  They're 
suffering similarly using Internet Explorer as their default viewer in 
Outlook Express.

>A lot of things work this way. As long as the shell command
>line is built securely and the shell setup (including
>/etc/profile and ~/.profile) is secure there is nothing wrong.
>  
>
Oh?

Name an FTPD that does.  Just one.

How bout a web server?  Yes, web servers do allow execution through 
shells.  That's essentially CGI, which isn't mandatory, isn't enabled by 
default, and is always kept a separate and vaguely dangerous segment of 
the system.

For good reason.

>Yes, users can shoot their feet and legs off if you let them.
>
Unfortunately, users are trying to shoot my feet and legs off.  They 
modify their .profile to run an exploit that hacks my file server and 
trojans my data.  

>Use a restricted shell if you must.
>  
>
Restricted shells have always been somewhat irrelevant; they fail in 
Windows due to excess complexity and they fail in Unix because 
everything and its mother can open subshells(lynx, vi, emacs, 
sftp-server, etc.)

>Perhaps SSHD should be configurable with respect to how sub-
>systems are started - in fact, I don't why why it shouldn't be
>so (though someone is bound to complain about code and config
>option bloat...).
>  
>
Secure by default.

>You can't detect the client's intention to run SFTP until
>after the SSHv2 connection setup, which kinda means you must
>run SSHD first.
>  
>
Well, it's obvious now that SFTP fails to live up to its first initial 
as is, so that leaves us with:

1) SFTP on a different port
2) SFTP detected during client negotiation

Incidentally, if you don't believe my conclusion about SFTP, I offer you 
the following thought experiment:  Would you rather give me access to an 
account through wu-ftpd or sftp?

There are issues, incidentally, with making it easier to define sets of 
users that are allowed to sftp in and others that can sftp and ssh in. 
 Maybe we can do something interesting with AllowGroups.

--Dan

More information about the openssh-unix-dev mailing list