scp -t - revisited.....

Alain Williams addw at phcomp.co.uk
Sat Dec 8 05:45:22 EST 2007 

On Fri, Dec 07, 2007 at 09:24:07AM +0100, Peter Stuge wrote:
> On Thu, Dec 06, 2007 at 09:04:45PM -0600, Larry Becke wrote:
> > *My apologies for mangling this, as I'm not a subscriber, and peter
> > doesn't deign to reply to me as well as the list*
> 
> Ah, you mentioned that you weren't subscribed back in the first
> thread? Sorry, I forgot all about that.
> 
> 
> >> What happens if you (within the scp protocol, not in the shell)
> >> specify e.g. a new directory ../../../../../../../tmp/breakout ?
> >> I would assume that /tmp/breakout is created.
> 
> ..
> 
> > Using scp as you showed, would not do anything to this method.
> ..
> > what really happens, as near as I've been able to figure out with
> > the information that J.P. sent me, is that the client (or local)
> > system executes the following.
> >  
> > ssh -i key_file {remotehost} scp -d -t ../../../../../../../../../../../tmp/breakout
> 
> ..
> 
> > The ssh key in question, is configured on the server to only run
> > "scp -t /server/selected/path"
> >  
> > This overrides the command that was sent by the scp client, and
> > replaces it with what we want to happen.
> 
> Right. Which is why I was careful to point out that specifying the
> tmp path in the shell (such as in the example above) will not
> expose the problem.
> 
> 
> > Now, if the scp protocol can be exploited some how beyond the open
> > file / send contents, then we may have a problem - but that would
> > be the case with scp in general.
> 
> Spot on. scp is not designed to confine a user to a given directory.
> This is why you got a couple of different suggestions on how to solve
> the problem in the first place.

About a month ago I submitted a patch to sftp-server to this list that
does exactly that -- against openssh-4.7p1

See:

	ftp://files.phcomp.co.uk/files/files/sftp-server.patch

(Will be there for a month)

-- 
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>

More information about the openssh-unix-dev mailing list