[17020] in bugtraq


Re: rcp file transfer hole (was: scp file transfer hole)

daemon@ATHENA.MIT.EDU (Scott Gifford)
Tue Oct 3 13:16:37 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <m33diebbn5.fsf@sghome.tir.com>
Date:         Tue, 3 Oct 2000 03:57:02 -0400
Reply-To: Scott Gifford <sgifford@TIR.COM>
From: Scott Gifford <sgifford@TIR.COM>
X-To:         Jan Niehusmann <jan@GONDOR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Jan Niehusmann's message of "Mon, 2 Oct 2000 19:06:46 +0200"

Jan Niehusmann <jan@GONDOR.COM> writes:

> On Mon, Oct 02, 2000 at 01:06:58PM +0200, Markus Friedl wrote:
> > how should this be fixed in a reasonable way?  i don't think questions
> > similar to "do you really want to create /bla/bla/bla? (yes/no)" would
> > be useful.
>
> scp could parse the arguments locally. I can only see three cases:
>
> 1) scp is called with two file arguments:
> scp remote:/x/y/file /local/file
>
> in this case, scp should deny any access to files other than /local/file
>
> 2) scp is called with one file and one directory:
> scp remote:/x/y/file /local/dir/
>
> in this case, scp should only allow writes to /local/dir/file, and especially
> not to files in subdirectories of /local/dir/.
>
> 3) scp is called with -r and two directories:
> scp -r remote:/x/y/dir/ /local/dir/
>
> in this case, scp has to allow writes to /local/dir/* and subdirectories,
> but the user should expect that, so it's probably ok.

There is one more case:

  4) scp is called with multiple files or a pattern, and one directory
  scp remote:/x/y/\*.c /local/dir/
  scp remote1:/x/y/file1 remote2:/x/y/file2 /local/dir/

  in this case, scp should allow writes to /local/dir/*, but not to
  subdirectories.

I think that this is by far the best solution I've seen proposed to
this; it solves the problem silently, remaining completely invisible
to users and scripts.

----ScottG.

> (I said scp, rcp is the same, of course)
>
> Jan
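Jan's local argument parsing, extended with Scott's fourth case, worked through as a write policy the client could apply to every name the remote side announces. This is an added example, not code from OpenSSH or from either poster; the function signature, the `inside` bookkeeping for nested -r transfers, and the sample inputs are my own assumptions.

```python
import fnmatch
import posixpath


def allowed_write(sources, dest, dest_is_dir, recursive, remote_name,
                  is_dir_entry=False, inside=None):
    """Return the local path the scp client may create for an entry the
    remote side announces, or None if the entry must be refused.

    sources      remote source arguments as typed ("host:path" strings)
    dest         local destination argument
    dest_is_dir  True if dest already exists locally as a directory
    recursive    True if -r was given
    remote_name  the name announced in the remote's C (file) or D (dir) record
    is_dir_entry True for a D record, False for a C record
    inside       local directory opened by an enclosing D record; None at top
    """
    # An entry name is a single path component: no slash, not '.' or '..'.
    if not remote_name or "/" in remote_name or remote_name in (".", ".."):
        return None

    # Case 3: -r with directories. Nested entries land under the directory the
    # enclosing D record opened; the top-level entry takes dest's own name when
    # dest does not exist yet (scp -r remote:dir /local/new creates /local/new).
    if recursive:
        if inside is not None:
            return posixpath.join(inside, remote_name)
        return posixpath.join(dest, remote_name) if dest_is_dir else dest

    # Without -r, neither directory records nor nesting are acceptable.
    if is_dir_entry or inside is not None:
        return None

    # Case 1: one source onto a plain file name; the remote's name is ignored.
    if len(sources) == 1 and not dest_is_dir:
        return dest

    # Cases 2 and 4: several sources (or a pattern) need a directory target, and
    # only names we asked for may be written directly inside it, never deeper.
    # A shell-escaped \*.c reaches scp as the pattern "*.c".
    if not dest_is_dir:
        return None
    remote_paths = [s.split(":", 1)[1] if ":" in s else s for s in sources]
    for wanted in (posixpath.basename(p.rstrip("/")) for p in remote_paths):
        if fnmatch.fnmatchcase(remote_name, wanted):
            return posixpath.join(dest, remote_name)
    return None
```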
