On Fri, Dec 07, 2007 at 09:24:07AM +0100, Peter Stuge wrote:
> On Thu, Dec 06, 2007 at 09:04:45PM -0600, Larry Becke wrote:
> > *My apologies for mangling this, as I'm not a subscriber, and peter
> > doesn't deign to reply to me as well as the list*

>
> Ah, you mentioned that you weren't subscribed back in the first
> thread? Sorry, I forgot all about that.
>
>
> >> What happens if you (within the scp protocol, not in the shell)
> >> specify e.g. a new directory ../../../../../../../tmp/breakout ?
> >> I would assume that /tmp/breakout is created.

>
> ..
>
> > Using scp as you showed, would not do anything to this method.

> ..
> > what really happens, as near as I've been able to figure out with
> > the information that J.P. sent me, is that the client (or local)
> > system executes the following.
> >
> > ssh -i key_file {remotehost} scp -d -t ../../../../../../../../../../../tmp/breakout

>
> ..
>
> > The ssh key in question, is configured on the server to only run
> > "scp -t /server/selected/path"
> >
> > This overrides the command that was sent by the scp client, and
> > replaces it with what we want to happen.

>
> Right. Which is why I was careful to point out that specifying the
> tmp path in the shell (such as in the example above) will not
> expose the problem.
>
>
> > Now, if the scp protocol can be exploited some how beyond the open
> > file / send contents, then we may have a problem - but that would
> > be the case with scp in general.

>
> Spot on. scp is not designed to confine a user to a given directory.
> This is why you got a couple of different suggestions on how to solve
> the problem in the first place.


About a month ago I submitted a patch to sftp-server to this list that
does exactly that -- against openssh-4.7p1

See:

ftp://files.phcomp.co.uk/files/files/sftp-server.patch

(Will be there for a month)

--
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Chairman of UKUUG: http://www.ukuug.org/
#include
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev