Subsystem sftp invoked even though forced command created

MCMANUS, MICHAEL P mm1072 at att.com
Thu Jul 6 02:01:45 AEST 2023


It appears the forced command either does not run or runs to completion and exits immediately, as there is no process named "receive.ksh" in the process tree.

The sftp-server process is an immediate child of the privilege-separation sshd process:
root        1157  0.0  0.1  94556  5804 ?        Ss   Jun07   0:00 /usr/sbin/sshd -D
root     3933778  0.0  0.2 155624  9732 ?        Ss   10:34   0:00  \_ sshd: mm1072 [priv]
mm1072   3933794  0.0  0.1 155624  5564 ?        S    10:34   0:00  |   \_ sshd: mm1072 at pts/0
mm1072   3933795  0.0  0.1  25428  5252 pts/0    Ss   10:34   0:00  |       \_ -bash
mm1072   3934980  0.0  0.1  59200  4636 pts/0    R+   10:57   0:00  |           \_ ps auwwwx --forest
root     3934958  0.1  0.2 155628 10568 ?        Ss   10:56   0:00  \_ sshd: m61586 [priv]
m61586   3934972  0.0  0.1 155628  5576 ?        S    10:56   0:00      \_ sshd: m61586 at notty
m61586   3934973  0.0  0.1  47280  5228 ?        Ss   10:56   0:00          \_ /usr/libexec/openssh/sftp-server

Mike McManus
Principal – Technology Security
GTO Security Governance Team - Unix
P: He/Him/His

AT&T Services, Inc.
20205 North Creek Pkwy, Bothell, WA 98011
michael.mcmanus at att.com  


-----Original Message-----
From: openssh-unix-dev <openssh-unix-dev-bounces+mm1072=att.com at mindrot.org> On Behalf Of Jochen Bern
Sent: Wednesday, July 5, 2023 1:52 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: Subsystem sftp invoked even though forced command created

On 05.07.23 02:50, Damien Miller wrote:
> Some possibilities:
> 1. the receive.ksh script is faulty in some way that causes it to invoke
>     sftp-server

How would the script even *know* that the client requested the SFTP 
subsystem? Is a subsystem's executable/path, supposedly internally 
overwritten with the forced command at that point, exposed through 
$SSH_ORIGINAL_COMMAND ?

(As a quick preliminary check, I'd suggest doing a "ps auwwwx --forest" 
on the server while WinSCP has a "hacked" session open. If the 
sftp-server process turns out to be a child of the script, bingo. If 
not, the script could still be the culprit, but then we'd know that it 
must "exec" the sftp-server or somesuch, rather than calling it 
"normally" as a subprocess.)

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
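A worked version of the "ps auwwwx --forest" check Jochen proposes, added here as an example and not taken from either message: it rebuilds parent links from the tree indentation in the excerpt Mike posted and reports what sits above the sftp-server process. The function names (parse_forest, ancestors_of, spawned_by) and the four-columns-per-level indent rule are assumptions of mine, not part of the thread.

```python
import re

# Constructed sample: the ps --forest excerpt from the thread ("@" shown as " at " by the list archive).
PS_FOREST = r"""
root        1157  0.0  0.1  94556  5804 ?        Ss   Jun07   0:00 /usr/sbin/sshd -D
root     3933778  0.0  0.2 155624  9732 ?        Ss   10:34   0:00  \_ sshd: mm1072 [priv]
mm1072   3933794  0.0  0.1 155624  5564 ?        S    10:34   0:00  |   \_ sshd: mm1072 at pts/0
mm1072   3933795  0.0  0.1  25428  5252 pts/0    Ss   10:34   0:00  |       \_ -bash
mm1072   3934980  0.0  0.1  59200  4636 pts/0    R+   10:57   0:00  |           \_ ps auwwwx --forest
root     3934958  0.1  0.2 155628 10568 ?        Ss   10:56   0:00  \_ sshd: m61586 [priv]
m61586   3934972  0.0  0.1 155628  5576 ?        S    10:56   0:00      \_ sshd: m61586 at notty
m61586   3934973  0.0  0.1  47280  5228 ?        Ss   10:56   0:00          \_ /usr/libexec/openssh/sftp-server
"""
# ps aux columns USER PID %CPU %MEM VSZ RSS TTY STAT START TIME, one space, then COMMAND (leading spaces = tree indent).
LINE_RE = re.compile(r"^(\S+)\s+(\d+)(?:\s+\S+){8}\s(.*)$")

def parse_forest(text):
    """Return {pid: (user, command, parent_pid)}; parent_pid is None for roots."""
    procs, stack = {}, []  # stack: (depth, pid) of the branches still open
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or the USER/PID header
        user, pid, cmd = m.group(1), int(m.group(2)), m.group(3)
        idx = cmd.find(r"\_")
        depth = 0 if idx < 0 else round((idx - 1) / 4) + 1  # assumed: 4 columns per level
        cmd = cmd if idx < 0 else cmd[idx + 2:]
        while stack and stack[-1][0] >= depth:
            stack.pop()
        procs[pid] = (user, cmd.strip(), stack[-1][1] if stack else None)
        stack.append((depth, pid))
    return procs

def ancestors_of(text, needle):
    """Commands above the first process matching `needle`, nearest first
    (None if no such process); [] means it is itself a tree root."""
    procs = parse_forest(text)
    for _user, cmd, parent in procs.values():
        if needle in cmd:
            chain = []
            while parent is not None:
                chain.append(procs[parent][1])
                parent = procs[parent][2]
            return chain
    return None

def spawned_by(text, child, parent):
    """True if a `child` process has `parent` somewhere above it (the 'bingo' case)."""
    anc = ancestors_of(text, child)
    return anc is not None and any(parent in c for c in anc)
```

On the posted excerpt the chain above sftp-server is the unprivileged sshd, the [priv] sshd and the listener, with no receive.ksh anywhere in it.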

