[25953] in bugtraq


Re: ssh environment - circumvention of restricted shells

daemon@ATHENA.MIT.EDU (Markus Friedl)
Wed Jun 26 21:39:23 2002

Date: Wed, 26 Jun 2002 23:58:44 +0200
From: Markus Friedl <markus@openbsd.org>
To: ari <edelkind-bugtraq@episec.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20020626215844.GA28494@faui02>
In-Reply-To: <20020625000812.GE7038@episec.com>

On Mon, Jun 24, 2002 at 08:08:12PM -0400, ari wrote:
> Given the similarities with certain other security issues, i'm surprised
> this hasn't been discussed earlier.  If it has, people simply haven't
> paid it enough attention.

if you set up restricted accounts with restricted shells and allow
unrestricted writing to .ssh/** then you are lost.  same
applies to ftp-only accounts where users have full control over
what's in their $HOME.

so for restricted accounts you have to be very careful, don't
allow writing to $HOME, just to some selected sub directories.

-m
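
An added example, not part of the message above and not OpenSSH code: a Python audit that lists restricted-shell accounts which still own or can write to $HOME, .ssh, or the per-user files sshd reads there. The shell list and the function names are assumptions for illustration; supplementary groups and ACLs are not checked.

```python
import os
import stat
import sys

# Assumption: shells that mark an account as restricted on this host; adjust locally.
RESTRICTED_SHELLS = {"/bin/rbash", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# $HOME itself plus the per-user files sshd reads from ~/.ssh.
CHECKED = ["", ".ssh", ".ssh/authorized_keys", ".ssh/environment", ".ssh/rc"]


def write_control(path, uid, gid):
    """Return why the account (uid, gid) can modify path, or None.

    Supplementary groups and ACLs are not considered.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return None  # a missing file only matters if its parent is flagged
    if st.st_uid == uid:
        return "owned by the account"  # an owner can always chmod it writable
    if st.st_gid == gid and st.st_mode & stat.S_IWGRP:
        return "writable by the account's primary group"
    if st.st_mode & stat.S_IWOTH and not stat.S_ISLNK(st.st_mode):
        return "world-writable"
    return None


def audit(passwd_path="/etc/passwd"):
    """Return (user, path, reason) for each restricted account that controls a checked path."""
    findings = []
    with open(passwd_path) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) != 7 or line.startswith("#") or fields[6] not in RESTRICTED_SHELLS:
                continue
            user, uid, gid, home = fields[0], int(fields[2]), int(fields[3]), fields[5]
            for rel in CHECKED:
                path = os.path.join(home, rel) if rel else home
                reason = write_control(path, uid, gid)
                if reason:
                    findings.append((user, path, reason))
    return findings


if __name__ == "__main__":
    for user, path, reason in audit(*sys.argv[1:2]):
        print(f"{user}: {path} is {reason}")
```

An empty result means each restricted account's home and .ssh tree is owned by someone else and not writable through its primary group or by everyone, which matches the advice to allow writing only to selected subdirectories.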
