RE: ssh environment - circumvention of restricted shells

[Leif Sawyer <lsawyer () gci com>]

Markus Friedl responded 
> On Mon, Jun 24, 2002 at 08:08:12PM -0400, ari wrote:
> > Given the similarities with certain other security issues, 
> > i'm surprised this hasn't been discussed earlier.  If it has,
> > people simply haven't paid it enough attention.
>
> if you setup restricted accounts with restricted shells and allow
> unrestricted writing to .ssh/** then you are lost.  same
> applies to ftp-only accounts where users have full control over
> what's in their $HOME.
>
> so for restricted accounts you have to be very careful, don't
> allow writing to $HOME, just to some selected sub directories.

This can cause some problems for ISP's who use the user home directory
for their public_html root.  This of course is done to keep the number
of user questions down.

I've tried this 'exploit' on both Linux 2.4.14 (redhat) and Solaris 2.8
boxen, and have been unable to get a shell.  The shell process is there,
but fails to communicate with the network socket.  

*** However ***, if i replace "/bin/sh" with "ping some.ip.add.ress"  and
attempt the connection, i'm greeted with the following:

        Last login: today from somehost
        Sun Microsystems Inc.  SunOS 5.8
        ld.so.1: ping: warning: /homes/evil/.ssh/evil.so: open failed:
illegal insecure pathname
        some.ip.add.ress is alive
        Connection to target closed.

Since i'm not a system programmer, I don't know if the failure is due to me
not
setting up the tty that /bin/sh will use, or if it's related to the above
message.

I look forward to more information on this so that we can escalate the true
issue and get it solved.