Subsystem sftp invoked even though forced command created
MCMANUS, MICHAEL P
mm1072 at att.com
Thu Jul 6 02:01:45 AEST 2023
It appears the forced command either does not run or runs to completion and exits immediately, as there is no process named "receive.ksh" in the process tree.
The sftp-server process is an immediate child of the privilege-separation sshd process:
root 1157 0.0 0.1 94556 5804 ? Ss Jun07 0:00 /usr/sbin/sshd -D
root 3933778 0.0 0.2 155624 9732 ? Ss 10:34 0:00 \_ sshd: mm1072 [priv]
mm1072 3933794 0.0 0.1 155624 5564 ? S 10:34 0:00 | \_ sshd: mm1072 at pts/0
mm1072 3933795 0.0 0.1 25428 5252 pts/0 Ss 10:34 0:00 | \_ -bash
mm1072 3934980 0.0 0.1 59200 4636 pts/0 R+ 10:57 0:00 | \_ ps auwwwx --forest
root 3934958 0.1 0.2 155628 10568 ? Ss 10:56 0:00 \_ sshd: m61586 [priv]
m61586 3934972 0.0 0.1 155628 5576 ? S 10:56 0:00 \_ sshd: m61586 at notty
m61586 3934973 0.0 0.1 47280 5228 ? Ss 10:56 0:00 \_ /usr/libexec/openssh/sftp-server
Mike McManus
Principal – Technology Security
GTO Security Governance Team - Unix
P: He/Him/His
AT&T Services, Inc.
20205 North Creek Pkwy, Bothell, WA 98011
michael.mcmanus at att.com
-----Original Message-----
From: openssh-unix-dev <openssh-unix-dev-bounces+mm1072=att.com at mindrot.org> On Behalf Of Jochen Bern
Sent: Wednesday, July 5, 2023 1:52 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: Subsystem sftp invoked even though forced command created
On 05.07.23 02:50, Damien Miller wrote:
> Some possibilities:
> 1. the receive.ksh script is faulty in some way that causes it to invoke
> sftp-server
How would the script even *know* that the client requested the SFTP
subsystem? Is a subsystem's executable/path, supposedly internally
overwritten with the forced command at that point, exposed through
$SSH_ORIGINAL_COMMAND ?
(As a quick preliminary check, I'd suggest doing a "ps auwwwx --forest"
on the server while WinSCP has a "hacked" session open. If the
sftp-server process turns out to be a child of the script, bingo. If
not, the script could still be the culprit, but then we'd know that it
must "exec" the sftp-server or somesuch, rather than calling it
"normally" as a subprocess.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
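A scripted form of the process-tree check Jochen suggests, added here as an example (it is not code from either poster): it walks a `ps -eo pid,ppid,args` table upward from a PID and reports whether a given command appears among the ancestors. The two tables are constructed to mimic the tree in Mike's reply and the alternative outcome; the /home/m61586/receive.ksh path is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): walk a process table upward from a
# PID and report the command of every ancestor, so one can see whether a
# forced-command script sits between sshd and sftp-server.
# Table format, one "PID PPID COMMAND..." line per process, as printed by
#   ps -eo pid,ppid,args --no-headers

# Constructed table imitating the tree in Mike's reply: sftp-server hangs
# directly off the user's sshd process, with no script in between.
SAMPLE_DIRECT='1157 1 /usr/sbin/sshd -D
3934958 1157 sshd: m61586 [priv]
3934972 3934958 sshd: m61586@notty
3934973 3934972 /usr/libexec/openssh/sftp-server'

# Constructed table for the other outcome: the forced command (assumed path)
# runs and starts sftp-server as an ordinary child process.
SAMPLE_VIA_SCRIPT='1157 1 /usr/sbin/sshd -D
4200 1157 sshd: m61586 [priv]
4210 4200 sshd: m61586@notty
4220 4210 /bin/ksh /home/m61586/receive.ksh
4242 4220 /usr/libexec/openssh/sftp-server'

# ancestors TABLE PID: print "PID COMMAND..." for PID and each ancestor,
# nearest first, stopping at PID 1 or at a PID missing from the table.
ancestors() {
    table=$1
    pid=$2
    while [ "$pid" -gt 1 ]; do
        line=$(printf '%s\n' "$table" | awk -v p="$pid" '$1 == p { print; exit }')
        [ -n "$line" ] || break
        # drop the PPID column, keep PID and the full command line
        printf '%s\n' "$line" |
            awk '{ printf "%s", $1; for (i = 3; i <= NF; i++) printf " %s", $i; print "" }'
        pid=$(printf '%s\n' "$line" | awk '{ print $2 }')
    done
}

# in_process_chain TABLE PID PATTERN: succeed if PATTERN (a grep basic
# regex) matches the command of PID or of any of its ancestors.
in_process_chain() {
    ancestors "$1" "$2" | grep -q -- "$3"
}

# Live use on the server while the WinSCP session is open, e.g.:
#   in_process_chain "$(ps -eo pid,ppid,args --no-headers)" \
#       "$(pgrep -n sftp-server)" 'receive\.ksh' && echo "script in chain"
```

As Jochen notes, a script that exec's sftp-server is replaced by it and so never shows up in the chain; an empty match therefore rules out only the subprocess case.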