Re: scp -t . - possible idea for additional parameter

Jefferson Ogata Jefferson.Ogata at noaa.gov
Thu Oct 11 02:07:58 EST 2007


On 10/10/07 16:00, Larry Becke wrote:
> Why should *everyone else in the world* have to go through all the hassle of trying to make a "secure" product secure, when a very simple fix would effectively lock scp so that it couldn't go anywhere above the directory specified in the startup with the -T (like -t) parameter.

1. Why do you think this change provides effective security?

2. Have you ever tried to implement something like this, dealing with
symbolic links, bind mounts, etc.?

If you want to confine users effectively, chroot them.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
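
The symlink problem raised in question 2 above, shown as an added example that is not part of the original message or of OpenSSH: a string-prefix confinement check accepts a path that a symlink-resolving check places outside the directory. The helper names and the temporary directory layout are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive confinement: string prefix match on the requested path, no filesystem lookup. */
static int lexical_inside(const char *base, const char *path)
{
    size_t n = strlen(base);
    return strncmp(base, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Resolve symlinks in both paths with realpath(3), then compare prefixes. */
static int resolved_inside(const char *base, const char *path)
{
    char rb[PATH_MAX], rp[PATH_MAX];
    if (!realpath(base, rb) || !realpath(path, rp))
        return 0;                       /* unresolvable: treat as outside */
    size_t n = strlen(rb);
    return strncmp(rb, rp, n) == 0 && (rp[n] == '/' || rp[n] == '\0');
}

/* Constructed layout (hypothetical names): <tmp>/jail/link -> <tmp>/outside.
 * Returns bit 0 = lexical verdict, bit 1 = resolved verdict, -1 on setup error. */
int demo(void)
{
    char root[] = "/tmp/confineXXXXXX";
    char jail[64], outside[64], lnk[64];
    int r = -1;
    if (!mkdtemp(root))
        return -1;
    snprintf(jail, sizeof jail, "%s/jail", root);
    snprintf(outside, sizeof outside, "%s/outside", root);
    snprintf(lnk, sizeof lnk, "%s/jail/link", root);
    if (mkdir(jail, 0700) == 0 && mkdir(outside, 0700) == 0 && symlink(outside, lnk) == 0)
        r = lexical_inside(jail, lnk) | (resolved_inside(jail, lnk) << 1);
    unlink(lnk); rmdir(jail); rmdir(outside); rmdir(root);   /* clean up the sandbox */
    return r;
}

int main(void)
{
    int r = demo();
    printf("lexical: %s, resolved: %s\n", (r & 1) ? "inside" : "outside", (r & 2) ? "inside" : "outside");
    return r == 1 ? 0 : 1;
}
```

The resolved check is still a check made before use, so the path can change between the check and the open, and realpath(3) does not reveal bind mounts. Neither limitation applies to a chroot, where the kernel enforces the boundary on every lookup.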

