[scponly] shells inheriting the scponlyc chroot ?

Arone Silimantia aronesimi at yahoo.com
Mon Dec 18 16:20:57 EST 2006


I did the following with my scponly setup:

1. put 'sh' into the chroot
2. hacked up scponly such that it now allows the
remote user to run a status.sh script inside the
chroot

Now, the user cannot run 'sh' remotely over ssh,
because 'sh' is not one of the allowed commands that
scponly can run.  So far so good.

Further, the only thing inside of the script that
calls 'sh' is my status.sh script, and it is a very
simple script (and has permissions that disallow
normal users from altering it).

So theoretically, everything is safe.

But just for the sake of argument, I decided to see
what would happen if I changed my status.sh script to
be:

#!/bin/sh

/bin/sh

That is, the script does nothing but fire off 'sh'.
What I found is that the user does indeed get a shell.
I expected this.

What I did not expect was that the shell the user
received when they ran status.sh was _still_ chrooted
into the original chroot that scponlyc put them in.

This is great news - I am very pleasantly surprised.

But my question is, is this normal?  Is it normal in
unix in general, or just something that the scponlyc
chroot does?

Basically, for my own curiosity, I just want to know
why the spawned 'sh' inherits the chroot of the shell
it was fired off from - and further, if there is any
danger of it getting out?

All comments welcome!
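
The observation above, as an added example that is not part of the original post and is not scponly code: on Unix the root directory is a per-process attribute that a forked child inherits, and execve() does not change it either. The names root_inheritance_demo and /tmp/chroot-demo-XXXXXX are assumptions made for this sketch; it covers the fork() step only and enters a real chroot only when it has the privilege to.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SAME_ROOT = 0, SAME_ROOT_JAILED = 1, DIFFERENT_ROOT = 2, DEMO_ERROR = 3 };

/* Runs in a forked child so the caller's own root is never changed. */
static int compare_with_grandchild(const char *jail)
{
    struct stat outside, mine, kid;
    int fds[2], jailed = 0;
    if (stat("/", &outside) != 0) return DEMO_ERROR;
    /* chroot(2) needs privilege; without it we compare the unchanged root. */
    if (chroot(jail) == 0 && chdir("/") == 0) jailed = 1;
    if (stat("/", &mine) != 0 || pipe(fds) != 0) return DEMO_ERROR;
    /* Once jailed, "/" must name a different directory than before. */
    if (jailed && mine.st_dev == outside.st_dev && mine.st_ino == outside.st_ino)
        return DEMO_ERROR;
    pid_t pid = fork();
    if (pid < 0) return DEMO_ERROR;
    if (pid == 0) {                 /* grandchild: never calls chroot itself */
        struct stat st;
        if (stat("/", &st) != 0) _exit(1);
        _exit(write(fds[1], &st, sizeof st) == (ssize_t)sizeof st ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &kid, sizeof kid);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof kid) return DEMO_ERROR;
    if (kid.st_dev != mine.st_dev || kid.st_ino != mine.st_ino)
        return DIFFERENT_ROOT;
    return jailed ? SAME_ROOT_JAILED : SAME_ROOT;
}

int root_inheritance_demo(void)
{
    char jail[] = "/tmp/chroot-demo-XXXXXX";    /* constructed empty directory */
    const char *dir = mkdtemp(jail);
    int status = -1;
    pid_t pid = fork();
    if (pid == 0) _exit(compare_with_grandchild(dir ? dir : ""));
    if (pid > 0 && waitpid(pid, &status, 0) < 0) status = -1;
    if (dir) rmdir(dir);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : DEMO_ERROR;
}

int main(void) { printf("result code: %d\n", root_inheritance_demo()); return 0; }
```

A result of 1 (SAME_ROOT_JAILED) means the comparison was made inside a real chroot; 0 means chroot() was not permitted and the child simply shared the unchanged root.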
