[scponly] scponly interactive question

wbr oblyr joe at sublimation.org
Tue Apr 1 12:50:08 EST 2003


Roste,

I can help with this.  It is actually very easy if you use sftp.  in the
sftp client, you can simply issue rm commands.

another easy way to handle this is as follows:

ssh -l scponlyuser machinehostname rm somefile

this is how commands are remotely executed under classic ssh usage.  note
that scponly is still the shell here, and will validate that no commands
are piggybacked onto the valid "rm" command (since rm is allowable).  as
usual, things like whitespace will need to be backslashed/doublequoted.

just one last thing, unix file ownership and permissions are still the
protection required to prevent unauthorized rm'ing or overwriting...

joe

----

PGP KEY: http://www.sublimation.org/contact.html
PGP Key fingerprint = EC4B 0DA5 B4F6 BDDD 9176 55D6 3A6A 7D63 158F 22D2


On Tue, 1 Apr 2003, Roste Pal Asmund wrote:

> You are saying that "anything pretending to be winscp" is able to issue
> commands like chown, rm, scp, .... I find this most interesting. Can anyone
> tell me how I can issue an rm in the scponly "shell". I am having a project
> here where the customer shall login to my site, and get some files, and so I
> have used scponly for good security (since he is not supposed to get full
> access to my server), but it would be nice if he could remove the files he
> had just picked up.
> I have also found a way where I can delete the files he has picked up by
> looking in the syslog.log where the filenames of the files he has gotten
> are.
>
> Can anyone tell me how to issue a rm to the scponly shell?
>
> Pal Asmund Roste
>
> -----Original Message-----
> From: wbr oblyr [mailto:joe at sublimation.org]
> Sent: 25. mars 2003 05:35
> To: Scott Johnson
> Cc: scponly at lists.ccs.neu.edu
> Subject: Re: [scponly] scponly interactive question
>
>
>
> hey scott, good question.  i've been wondering why no one ever asked this
> question.
>
> what you're seeing is the winscp compatibility feature talking back to
> you.  winscp compatibility *IS* an interactive shell.  if you turn on the
> logging in winscp, you can see what winscp does when it logs in.
>
> basically, winscp (or anything pretending to be winscp) is able to issue
> commands like chown, rm, scp, etc - one after the other without logging
> out.  while this may seem like this completely contradicts the point of
> scponly, the only command that is allowed in winscp compatibility that is
> not allowed in the noninteractive nonwinscp mode is "cd".  furthermore,
> the argument checking is not more lenient in winscp-mode than it is in
> nonwinscp mode.  in fact, it's the same code.
>
> but, if you're not comfortable with the distinction between an interactive
> and noninteractive shell session, you can easily disable winscp
> compatibility at compile time, like so:
>
> ./configure --disable-winscp-compat
>
> then reinstall and you will find scponly is much less polite to people who
> try to ssh in.
>
> joe
>
> ----
>
> PGP KEY: http://www.sublimation.org/contact.html
> PGP Key fingerprint = EC4B 0DA5 B4F6 BDDD 9176 55D6 3A6A 7D63 158F 22D2
>
>
> On Mon, 24 Mar 2003, Scott Johnson wrote:
>
> > Hello,
> >
> > I'm wondering exactly what happens when I make an interactive connection to
> > my server that is running scponly.  When I connect, I get this:
> >
> >  > ssh localhost
> > scottj at localhost's password:
> > Last login: Mon Mar 24 16:57:01 2003 from xxx.xxx.org
> >
> > And then, any text input in that session returns the following line:
> >
> > WinSCP: this is end-of-file:0
> >
> > Why does this happen?  It would seem to me that scponly should not allow
> > this type of interactive session.  What can I do to prevent this?
> >
> > Thanks,
> > Scott
> >
> >
> >
> >
> >
> > _______________________________________________
> > scponly mailing list
> > scponly at lists.ccs.neu.edu
> > https://lists.ccs.neu.edu/bin/listinfo/scponly
> >
>
>
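The kind of check the reply describes (only allowlisted commands, nothing piggybacked onto "rm", whitespace escaped with backslashes or double quotes), sketched as an added example. This is not scponly's code and not part of the original thread; the allowlist, the metacharacter set and the function names are assumptions made for illustration.

```python
import shlex

# Assumed allowlist built from the commands named in the thread; not scponly's real table.
ALLOWED = {"rm", "chown", "scp"}
WINSCP_ONLY = {"cd"}  # the thread names "cd" as the one extra command in WinSCP mode
# Characters a real shell would treat as separators, substitution or redirection.
SHELL_META = set(";|&`$<>(){}\n\r")


class Rejected(Exception):
    """Raised when a request must not be executed."""


def validate(request, winscp_compat=False):
    """Return the argv list for an allowed request, or raise Rejected."""
    bad = sorted(SHELL_META.intersection(request))
    if bad:
        # Refuse outright, even inside quotes, rather than trying to sanitize.
        raise Rejected(f"shell metacharacter {bad[0]!r}")
    try:
        argv = shlex.split(request)  # honours backslash and double-quote escaping
    except ValueError as exc:        # e.g. an unterminated quote
        raise Rejected(f"unparseable request: {exc}")
    if not argv:
        raise Rejected("empty request")
    allowed = ALLOWED | (WINSCP_ONLY if winscp_compat else set())
    if argv[0] not in allowed:
        raise Rejected(f"command {argv[0]!r} not allowed")
    return argv  # hand this to an exec-style call, never to "sh -c"


def is_allowed(request, winscp_compat=False):
    """Boolean wrapper around validate() for logging or quick checks."""
    try:
        validate(request, winscp_compat)
        return True
    except Rejected:
        return False


if __name__ == "__main__":
    samples = [  # constructed requests, not taken from any real log
        "rm somefile", r"rm my\ file.txt", "rm somefile; cat /etc/passwd",
        "cd /tmp", "bash",
    ]
    for s in samples:
        print(f"{s!r:35} -> {'allow' if is_allowed(s) else 'reject'}")
```

Passing the check only means the request is well-formed; as the reply says, file ownership and permissions still decide what "rm" can actually delete.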


