Re: scp -t . - possible idea for additional parameter?
Chris Rapier
rapier at psc.edu
Thu Oct 11 02:32:17 EST 2007
Just as a note:
http://kerneltrap.org/Linux/Abusing_chroot
This isn't to say that chroot jails aren't useful. Only that they aren't
a fix-all. Further exploration of other methodologies seems like it
would be an overall benefit to the community.
Jefferson Ogata wrote:
> On 10/10/07 16:00, Larry Becke wrote:
>> Why should *everyone else in the world* have to go through all the hassle of trying to make a "secure" product secure, when a very simple fix would effectively lock scp so that it couldn't go anywhere above the directory specified in the startup with the -T (like -t) parameter?
>
> 1. Why do you think this change provides effective security?
>
> 2. Have you ever tried to implement something like this, dealing with
> symbolic links, bind mounts, etc.?
>
> If you want to confine users effectively, chroot them.
>
More information about the openssh-unix-dev mailing list
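The symbolic-link problem raised in the quoted reply, as an added example that is not part of the original thread and not OpenSSH code: a textual "stay below this directory" check accepts a path that a symlink carries outside the directory, while a check on the resolved path refuses it. The function names `confine_naive`, `confine_resolved` and `demo`, and the temporary directory layout, are hypothetical and constructed for the illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700  /* mkdtemp(), realpath(), symlink() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical naive confinement: textual prefix match on the path. */
int confine_naive(const char *root, const char *path) {
    size_t n = strlen(root);
    return strncmp(path, root, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Resolve symlinks and ".." on both sides first, then compare. */
int confine_resolved(const char *root, const char *path) {
    char r[PATH_MAX], p[PATH_MAX];
    if (!realpath(root, r) || !realpath(path, p))
        return 0;                   /* unresolvable: refuse */
    return confine_naive(r, p);
}

/* Constructed layout under a temp dir: jail/ok.txt, outside/secret and
 * jail/link -> ../outside. Result bits: 0 = naive verdict and 1 = resolved
 * verdict for jail/link/secret, 2 = resolved verdict for jail/ok.txt. */
int demo(void) {
    char base[] = "/tmp/confineXXXXXX";
    char jail[64], out[64], ok[128], secret[128], lnk[128], via[128];
    FILE *f;
    int res;
    if (!mkdtemp(base)) return -1;
    snprintf(jail, sizeof jail, "%s/jail", base);
    snprintf(out, sizeof out, "%s/outside", base);
    snprintf(ok, sizeof ok, "%s/ok.txt", jail);
    snprintf(secret, sizeof secret, "%s/secret", out);
    snprintf(lnk, sizeof lnk, "%s/link", jail);
    snprintf(via, sizeof via, "%s/link/secret", jail);
    if (mkdir(jail, 0700) || mkdir(out, 0700) || symlink("../outside", lnk))
        return -1;
    if ((f = fopen(ok, "w"))) fclose(f);
    if ((f = fopen(secret, "w"))) fclose(f);
    res = confine_naive(jail, via) | (confine_resolved(jail, via) << 1)
        | (confine_resolved(jail, ok) << 2);
    unlink(ok); unlink(secret); unlink(lnk);
    rmdir(jail); rmdir(out); rmdir(base);
    return res;
}
int main(void) { printf("verdict bits: %d\n", demo()); return 0; }
```

The resolved check is still only a point-in-time answer: a link swapped between the check and the later open is not caught, and a bind mount inside the directory is invisible to `realpath()`.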