[scponly] Request: Backported security patch for 4.0

Roland Krystian Alberciak ra115 at mail.gatech.edu
Mon Feb 6 02:36:33 EST 2006


Hi Thomas,

Summary: Discrepancy in the user doc for Debian. Suggested correction to the
documentation is enclosed too.

I have one little thing I noticed with the user doc: a discrepancy.

I use Debian in addition to Cygwin. On my Debian box where I've set up
scponlyc...


In /usr/share/doc/scponly/README.Debian:

"If clients complain about missing groups, compile
/usr/share/doc/scponly/groups.c and copy the resulting binary into
/bin/groups in the chroot jail."


Actually, I think that is incorrect and may have been overlooked:

If you look in: /usr/share/doc/scponly/setup_chroot/config.h
- And look at where PROG_GROUPS is defined, you'll see (I didn't configure
the package manually, I used apt-get and the setup_chroot.sh script)

#define PROG_GROUPS "/usr/bin/groups"


Which conflicts with the suggestion in README.Debian to move groups to
"/bin/groups". It should instead say:

"If clients complain about missing groups, compile
/usr/share/doc/scponly/groups.c and copy the resulting binary into
/usr/bin/groups in the chroot jail."


I ran across this after getting WinSCP to complain to me about groups, doing
what README.Debian says, and still having the problem.



-Krystian.


scponly-bounces at lists.ccs.neu.edu wrote:
> Hi!
> 
> In order to prepare fixed packages for Debian Stable, I need
> a backported patch for scponly-4.0 that fixes the two
> critical security bugs from 4.1 (I believe).
> 
> Since there were more changes between 4.0 and 4.1 than the
> two fixed bugs alone, it's kinda hard for me to distinguish
> between what's security related and what's not. Therefore my
> request here, perhaps someone with intimate knowledge with the source
> can help me out. 
> 
> Until then, scponly in Debian Stable will be vulnerable :-(
> 
> Tom
> 
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
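
Added example, not part of the original message and not scponly's own code: a shell check that reads the PROG_* paths compiled into config.h and reports any that are missing or not executable inside the chroot jail, which is the mismatch described above. The function names, the PROG_LS line, and the temporary jail are constructed for illustration; only the PROG_GROUPS define comes from the message.

```shell
#!/bin/sh
# Added example: compare the binary paths scponly was built with (config.h)
# against what is actually present in a chroot jail.

# Emit "NAME PATH" for each  #define PROG_X "/abs/path"  line of a config.h.
prog_paths() {
    sed -n 's|^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}\(PROG_[A-Z0-9_]*\)[[:space:]]\{1,\}"\(/[^"]*\)".*$|\1 \2|p' "$1"
}

# check_jail CONFIG_H JAIL_ROOT
# Prints one "MISSING NAME PATH" line per expected binary that is absent or
# not executable under JAIL_ROOT. Returns 0 if the jail is complete, else 1.
check_jail() {
    missing=$(prog_paths "$1" | while read -r name bin; do
        [ -x "$2$bin" ] || echo "MISSING $name $bin"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed fixture: a config.h containing the PROG_GROUPS line quoted in
# the message (PROG_LS is a constructed extra entry), and a jail populated
# the way README.Debian suggests, with groups copied to /bin/groups.
make_fixture() {
    mkdir -p "$1/jail/bin" "$1/jail/usr/bin"
    printf '%s\n' '#define PROG_LS "/bin/ls"' \
                  '#define PROG_GROUPS "/usr/bin/groups"' > "$1/config.h"
    for f in bin/ls bin/groups; do
        printf '#!/bin/sh\n' > "$1/jail/$f"
        chmod 755 "$1/jail/$f"
    done
}

# Demo run against the constructed fixture in a throwaway directory.
tmp=$(mktemp -d)
make_fixture "$tmp"
check_jail "$tmp/config.h" "$tmp/jail" || echo "jail does not match config.h"
rm -rf "$tmp"
```

On a real system the two arguments would be the config.h used for the build and the jail's root directory.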