Bugtraq mailing list archives
RE: ssh environment - circumvention of restricted shells
From: Leif Sawyer <lsawyer () gci com>
Date: Wed, 26 Jun 2002 16:41:15 -0800
Markus Friedl responded
On Mon, Jun 24, 2002 at 08:08:12PM -0400, ari wrote:Given the similarities with certain other security issues, i'm surprised this hasn't been discussed earlier. If it has, people simply haven't paid it enough attention.if you setup restricted accounts with restricted shells and allow unrestricted writing to .ssh/** then you are lost. same applies to ftp-only accounts where users have full control over what's in their $HOME. so for restricted accounts you have to be very careful, don't allow writing to $HOME, just to some selected sub directories.
This can cause some problems for ISP's who use the user home directory for their public_html root. This of course is done to keep the number of user questions down. I've tried this 'exploit' on both Linux 2.4.14 (redhat) and Solaris 2.8 boxen, and have been unable to get a shell. The shell process is there, but fails to communicate with the network socket. *** However ***, if i replace "/bin/sh" with "ping some.ip.add.ress" and attempt the connection, i'm greeted with the following: Last login: today from somehost Sun Microsystems Inc. SunOS 5.8 ld.so.1: ping: warning: /homes/evil/.ssh/evil.so: open failed: illegal insecure pathname some.ip.add.ress is alive Connection to target closed. Since i'm not a system programmer, I don't know if the failure is due to me not setting up the tty that /bin/sh will use, or if it's related to the above message. I look forward to more information on this so that we can escalate the true issue and get it solved.
Current thread:
- ssh environment - circumvention of restricted shells ari (Jun 26)
- Re: ssh environment - circumvention of restricted shells Markus Friedl (Jun 26)
- Re: ssh environment - circumvention of restricted shells Jose Nazario (Jun 27)
- <Possible follow-ups>
- RE: ssh environment - circumvention of restricted shells Leif Sawyer (Jun 27)
- Re: ssh environment - circumvention of restricted shells Markus Friedl (Jun 26)