On Thu, Sep 07, 2006 at 09:34:34AM +0200, Tevfik Karagülle wrote:
> > > >> Create a file named sftponly in bin directory:
> > >
> > > #!/bin/bash
> > > if [ "$*" != "-c /bin/sftp-server" ]; then echo "SFTP only!"
> > > exit 1
> > > fi
> > > exec $@

> >
> > Please understand, THIS WILL NOT WORK.

>
> Thanks for your comments. However, saying 'THIS WILL NOT WORK'
> is not a correct statement, since I can easily see that IT WORKS, WITH
> THE SECURITY IMPLICATIONS YOU MENTION.


Well, we're getting into more of a semantic argument here, but...

You put this shell script forth as a solution to allow people to use
sftp, but prevent them from getting shell access. There are at least
2 ways that I know of to circumvent the script you posted, probably
more... Since it does not actually prevent shell access, it does not
do what was intended, therefore it does not work. My statement was
true and correct.

> I am not defending this little tiny script :-) It all comes to where you
> use it and how you use it. However, this has a huge advantage
> in comparison to the others: It is simple and visible, you don't need
> to introduce a new component into your system with a higher level
> of complexity.


...except it doesn't work, which is a huge disadvantage, and rather an
important one I should think.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

