[scponly] Request review for patch to add support for bbcp to scponly

Kaleb Pederson kaleb.pederson at gmail.com
Tue May 26 13:01:31 EDT 2009


Thanks for the patch Craig.

bbcp looks like a very nice utility, so thank you for bringing it to my attention.

The patch looks reasonable, but I haven't really reviewed it.

Some notes, in no particular order:

* Requiring 'ps' bothers me a bit... (I'm curious what bbcp is doing in this respect)
* Requiring /proc bothers me even more, and I'm not sure how portable that is to other Unices
* The -T and -S command lines should probably be intelligently and selectively disallowed using the getopt support (disallow depending on whether SSH host is SRC/SNK)

--Kaleb

On Thursday 21 May 2009 12:26:29 pm Craig Tierney wrote:
> 
> I have written a patch to scponly-4.8 so that it can support
> bbcp.  Bbcp (http://www.slac.stanford.edu/~abh/bbcp/) is a high
> performance transfer mechanism that relies on ssh for authentication
> and control, but creates its own channels (multi-threaded) for bulk data transfer.
> Bbcp gets around the known problems with high-latency, high-bandwidth
> transfers that are present in scp.
> 
> The local bbcp calls ssh in the following manner:
> 
> ssh $SSHOPTS $HOSTNAME bbcp (SNK|SRC)
> 
> The SNK and SRC text defines which way the channels of the sessions should be created.
> As far as I can tell, all other communication and configuration is passed through
> the ssh channel.
> 
> Bbcp does call one system tool, /bin/ps.  Code has been added to support this.
> My biggest concern with this (since I am not a security expert) is that if you
> want to use bbcp with a jailed-root environment, you need to mount /proc in
> the jailed-root.  That filesystem is mostly used for reading system data, however
> if root access was gained in the jailed-root, then I could see an exploit where
> any entries in /proc that are writable, the user could write values that could
> harm or corrupt the system.
> 
> The patch includes changes to config.h.in and configure.in as well as changes
> to the code.  The new feature is enabled with --enable-bbcp-compat. I would
> appreciate it if someone more knowledgeable about scponly than I could review
> the patch below and see if it looks correct or if I did something "horribly wrong".
> 
> Thanks,
> Craig
> 
> diff -urN scponly-4.8/config.h.in ../scponly-4.8-bbcp/config.h.in
> --- scponly-4.8/config.h.in     2008-01-15 06:26:13.000000000 +0000
> +++ ../scponly-4.8-bbcp/config.h.in     2009-05-21 18:43:53.990556000 +0000
> @@ -14,6 +14,7 @@
>  #undef PASSWD_COMPAT
>  #undef ENABLE_SCP2
>  #undef ENABLE_SFTP
> +#undef ENABLE_BBCP
>  #undef SVNSERV_COMPAT
>  #undef ENABLE_WILDCARDS
>  #undef RESTRICTIVE_FILENAMES
> @@ -51,6 +52,11 @@
>  #define PROG_CD "cd"
>  #endif /*ENABLE_SCP2*/
> 
> +#ifdef ENABLE_BBCP
> +#undef PROG_BBCP
> +#undef PROG_PS
> +#endif /*ENABLE_BBCP*/
> +
>  /* sftp logging compatibility mode */
>  #undef SFTP_LOGGING
> 
> diff -urN scponly-4.8/configure.in ../scponly-4.8-bbcp/configure.in
> --- scponly-4.8/configure.in    2008-01-15 06:26:13.000000000 +0000
> +++ ../scponly-4.8-bbcp/configure.in    2009-05-21 18:57:03.645227000 +0000
> @@ -104,6 +104,17 @@
>                scponly_sftp_compat=1
>        ])
> 
> +AC_ARG_ENABLE([bbcp-compat],
> +       AC_HELP_STRING([--enable-bbcp-compat], [enable bbcp compatibility]),
> +       [
> +               if test "x$enableval" != "xno"; then
> +                       bbcp_compat=1
> +                       AC_DEFINE([ENABLE_BBCP])
> +               fi
> +       ],[
> +               echo dnl Defaults to off, must be turned on explicitly
> +       ])
> +
>  AC_ARG_ENABLE([winscp-compat],
>        AC_HELP_STRING([--enable-winscp-compat], [enable winscp (and scp) compatibility]),
>        [
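Review bot: the `bbcp_compat=1` assignment in the new AC_ARG_ENABLE block is not read by anything else in this patch; the later configure.in check tests `$enable_bbcp_compat` instead. Either drop it or, following the `scponly_sftp_compat=1` naming visible in the context lines above, set `scponly_bbcp_compat=1` here and test that one variable in the later check, so that AC_DEFINE([ENABLE_BBCP]) and the program lookups are always decided by the same condition.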
> @@ -244,6 +255,13 @@
>         SCPONLY_PATH_PROG_DEFINE([PROG_RMDIR], [rmdir], [/bin:/usr/bin:/sbin:/usr/sbin])
>  fi
> 
> +#Add options for bbcp
> +if test "x$enable_bbcp_compat" != "x"; then
> +       AC_MSG_NOTICE([enabling bbcp compatability...])
> +       SCPONLY_PATH_PROG_DEFINE([PROG_BBCP], [bbcp], [/bin:/usr/bin])
> +       SCPONLY_PATH_PROG_DEFINE([PROG_PS], [ps], [/bin:/usr/bin])
> +fi
> +
>  dnl Check for binaries required by the WinSCP compatibility mode
>  dnl winscp-compat conditionals:
>  if test "x$enable_winscp_compat" != "xno"; then
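Review bot: the condition `test "x$enable_bbcp_compat" != "x"` is true for any non-empty value, including `no`, so `--disable-bbcp-compat` (or `--enable-bbcp-compat=no`) would still run the bbcp and ps lookups even though the AC_ARG_ENABLE block skips AC_DEFINE([ENABLE_BBCP]) in that case. Exclude both the empty default and `no` explicitly, or test a variable that is only set when the option is accepted. Also, "compatability" in the AC_MSG_NOTICE text should read "compatibility".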
> diff -urN scponly-4.8/scponly.c ../scponly-4.8-bbcp/scponly.c
> --- scponly-4.8/scponly.c       2008-01-15 06:28:24.000000000 +0000
> +++ ../scponly-4.8-bbcp/scponly.c       2009-05-21 19:03:29.733811000 +0000
> @@ -62,6 +62,11 @@
>         { PROG_RSYNC, 1 },
>  #endif /*ENABLE_RSYNC*/
> 
> +#ifdef ENABLE_BBCP
> +       { PROG_BBCP, 1 },
> +       { PROG_PS, 1 },
> +#endif /*ENABLE_BBCP*/
> +
>  #ifdef PASSWD_COMPAT
>         { PROG_PASSWD, 1 },
>  #endif /*ENABLE_PASSWD*/
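Review bot: the `{ PROG_PS, 1 }` entry puts ps in the same command table as PROG_RSYNC and PROG_PASSWD, which makes it a command in its own right for the restricted account rather than only a helper of bbcp. If bbcp launches ps itself once scponly has started bbcp, this entry may not be needed; please confirm which process actually executes ps and drop the entry if scponly never sees that request. If it is needed, add a comment saying why and noting the /proc requirement in a chroot.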
> @@ -744,6 +749,10 @@
>         if (exact_match(av[0],PROG_SCP))
>                 av = expand_wildcards(av);
>  #endif
> +#ifdef ENABLE_BBCP
> +       if (exact_match(av[0],PROG_BBCP))
> +               av = expand_wildcards(av);
> +#endif
>  #endif
> 
>  /*
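Review bot: the new `expand_wildcards(av)` call for PROG_BBCP does not match the invocation described in the message, `bbcp (SNK|SRC)`, where argv carries no file names to expand. If that is the only form scponly needs to accept, this block can go, and the argument handling would be better spent on rejecting anything other than the expected arguments. Nothing in the patch restricts bbcp options yet, which is where the -T/-S filtering raised in the reply would belong.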
> 
> 
> 


