ALT Linux Sisyphus discussions
 help / color / mirror / Atom feed
* [sisyphus] chroot ssh & sftp
@ 2003-12-02 11:30 Marat Khairullin
  2003-12-02 11:38 ` Dmitry V. Levin
  0 siblings, 1 reply; 5+ messages in thread
From: Marat Khairullin @ 2003-12-02 11:30 UTC (permalink / raw)
  To: sisyphus

Понадобилось внешнему юзеру ограничить доступ по ssh/sftp только одним каталогом.
Можно руками создать конфигурацию в /etc/chroot.d, но слишком много туда пихать придется...
Может есть другие способы?


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [sisyphus] chroot ssh & sftp
  2003-12-02 11:30 [sisyphus] chroot ssh & sftp Marat Khairullin
@ 2003-12-02 11:38 ` Dmitry V. Levin
  2003-12-03 10:33   ` Marat Khairullin
  0 siblings, 1 reply; 5+ messages in thread
From: Dmitry V. Levin @ 2003-12-02 11:38 UTC (permalink / raw)
  To: ALT Linux Sisyphus mailing list

[-- Attachment #1: Type: text/plain, Size: 341 bytes --]

On Tue, Dec 02, 2003 at 02:30:54PM +0300, Marat Khairullin wrote:
> Понадобилось внешнему юзеру ограничить доступ по ssh/sftp только одним каталогом.
> Можно руками создать конфигурацию в /etc/chroot.d, но слишком много туда пихать придется...
> Может есть другие способы?

Посмотрите ftp://ftp.altlinux.org/pub/people/ldv/rshell/


-- 
ldv

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [sisyphus] chroot ssh & sftp
  2003-12-02 11:38 ` Dmitry V. Levin
@ 2003-12-03 10:33   ` Marat Khairullin
  2003-12-03 10:36     ` Marat Khairullin
  2004-10-24 15:41     ` Michael Shigorin
  0 siblings, 2 replies; 5+ messages in thread
From: Marat Khairullin @ 2003-12-03 10:33 UTC (permalink / raw)
  To: sisyphus

On Tue, 2 Dec 2003 14:38:19 +0300
"Dmitry V. Levin" <ldv@altlinux.org> wrote:

> On Tue, Dec 02, 2003 at 02:30:54PM +0300, Marat Khairullin wrote:
> > Понадобилось внешнему юзеру ограничить доступ по ssh/sftp только одним каталогом.
> > Можно руками создать конфигурацию в /etc/chroot.d, но слишком много туда пихать придется...
> > Может есть другие способы?
> 
> Посмотрите ftp://ftp.altlinux.org/pub/people/ldv/rshell/
> 

  Спасибо, для ssh это помогло, а для sftp - нашел rssh в Сизифе/SRPMS.
Хорошо бы иметь для него готовые файлы в /etc/chroot.d,
хоть это и не всем надо и каждый по своему привык делать...
  Не смог найти - кто же его собирает? В i586 его не оказалось,
поиск http://www.altlinux.ru/index.php?module=sisyphus&package=rssh
тоже ни чего не дал (да и работает он как-то странно).


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [sisyphus] chroot ssh & sftp
  2003-12-03 10:33   ` Marat Khairullin
@ 2003-12-03 10:36     ` Marat Khairullin
  2004-10-24 15:41     ` Michael Shigorin
  1 sibling, 0 replies; 5+ messages in thread
From: Marat Khairullin @ 2003-12-03 10:36 UTC (permalink / raw)
  To: sisyphus

On Wed, 3 Dec 2003 13:33:06 +0300
Marat Khairullin <xmm@altlinux.ru> wrote:

> тоже ни чего не дал (да и работает он как-то странно).
Имеется в виду поиск :)


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [sisyphus] chroot ssh & sftp
  2003-12-03 10:33   ` Marat Khairullin
  2003-12-03 10:36     ` Marat Khairullin
@ 2004-10-24 15:41     ` Michael Shigorin
  1 sibling, 0 replies; 5+ messages in thread
From: Michael Shigorin @ 2004-10-24 15:41 UTC (permalink / raw)
  To: sisyphus


[-- Attachment #1.1: Type: text/plain, Size: 356 bytes --]

On Wed, Dec 03, 2003 at 01:33:06PM +0300, Marat Khairullin wrote:
> > > Может есть другие способы?
> > Посмотрите ftp://ftp.altlinux.org/pub/people/ldv/rshell/
> Спасибо, для ssh это помогло, а для sftp - нашел rssh в Сизифе/SRPMS.

См. тж. аттач.

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

[-- Attachment #1.2: Type: message/rfc822, Size: 5115 bytes --]

[-- Attachment #1.2.1.1: Type: text/plain, Size: 2475 bytes --]

PIZZACODE SECURITY ALERT

program:	rssh
risk:		low[*]
problem:	string format vulnerability in log.c
details:

rssh is a restricted shell for use with OpenSSH, allowing only scp
and/or sftp. For example, if you have a server which you only want to
allow users to copy files off of via scp, without providing shell
access, you can use rssh to do that.  Additioanlly, running rsync,
rdist, and cvs are supported, and access can be configured on a
per-user basis using a simple text-based configuration file.  The rssh
homepage is here:

  http://www.pizzashack.org/rssh/

Florian Schilhabel has identified a format string bug which can allow
an attacker to run arbitrary code from an account configured to use
rssh.  [*]In general the risk is low, as in most cases the user can
only compromise their own account.  The risk is mittigated by the fact
that before this bug can be exploited, the user must log in
successfully through ssh.  This means that either the user is known to
the system (and therefore the administrators), or that the system is
probably already compromised.

However, on some older systems with broken implementations of the
setuid() family of functions, a root compromise may be possible with
certain configurations of rssh.  Specifically, if rssh is configured
to use a chroot jail, it will exec() rssh_chroot_helper, which must be
setuid root in order to call chroot().  Normally, rssh_chroot_helper
calls setuid(getuid()) and drops privileges before any of the logging
functions are called, making a root compromise impossible on most
systems.  However, some older systems which handle saved UIDs
improperly may be vulnerable to a root compromise.  Linux in
particular is not vulnerable to this, nor should modern
POSIX-compliant Unix variants be.  POSIX defines that the setuid()
system call will set all UIDs (UID, saved UID, and effective UID) the
specified UID if it is called with root privileges.  Therefore in
general, a root compromise is not possible, and I am not specifically
aware of any systems on which one is possible.

The 2.2.2 release of rssh fixes this string format vulnerability.  I
have also gone over the code to make sure that no other such
vulnerabilities exist.  In addition to fixing this problem, rssh
contains some new code to help identify certain problems for debugging
problems when rssh fails.  Additional logging of error conditions is
performed.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D


[-- Attachment #1.2.1.2: Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2004-10-24 15:41 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-12-02 11:30 [sisyphus] chroot ssh & sftp Marat Khairullin
2003-12-02 11:38 ` Dmitry V. Levin
2003-12-03 10:33   ` Marat Khairullin
2003-12-03 10:36     ` Marat Khairullin
2004-10-24 15:41     ` Michael Shigorin

ALT Linux Sisyphus discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://lore.altlinux.org/sisyphus/0 sisyphus/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 sisyphus sisyphus/ http://lore.altlinux.org/sisyphus \
		sisyphus@altlinux.ru sisyphus@altlinux.org sisyphus@lists.altlinux.org sisyphus@lists.altlinux.ru sisyphus@lists.altlinux.com sisyphus@linuxteam.iplabs.ru sisyphus@list.linux-os.ru
	public-inbox-index sisyphus

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://lore.altlinux.org/org.altlinux.lists.sisyphus


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git