[scponly] scponly and arbitrary commands
Kaleb Pederson
kaleb.pederson at gmail.com
Tue Sep 7 14:37:53 EDT 2010
On Tuesday, September 07, 2010 11:18:02 am Alan Evans wrote:
> I have a need to restrict users to SCP/SFTP only and there is one case I am
> having trouble telling if scponly will address.
>
> Does scponly prevent arbitrary command execution?
When configured correctly, yes.
> Assume in the following examples that 'host' has the scponly package
> installed on it and the account 'user' has a shell of /usr/bin/scponly.
That's a reasonable assumption, although I'd prefer to use the chrooted option when possible. Accounts can be set up to share chroots or to use individual chroots.
> ssh user@host <command>
> ssh user@host <full path to command>
Here's the general breakdown of how it works:
When the client connects to the host, the ssh daemon invokes the user's specified shell with certain parameters:
$SHELL -c <command> [<opts>]
When configured correctly, scponly then examines the command and its options and verifies (among other things):
* That the command is allowed, and
* That the options are allowed
Scponly maps both <command> and <full path to command> to /some/fixed/path/to/command as determined at the time scponly is configured. Thus, the user may specify /some/bad/path/to/command and scponly still maps it to the valid and expected command at a location known to scponly.
> Examples
> ssh user@host ls
> ssh user@host /bin/ls
These are enabled with scp support.
> ssh user@host /bin/cat /path/to/some/file
cat is not supported.
> Most importantly does it prevent alternate shells?
>
> ssh -t user@host /bin/bash
> ssh -t user@host /bin/ksh
Yes. /bin/bash and /bin/ksh are just more commands that get passed to scponly and filtered accordingly, as you've deduced below.
> I would think scponly is unable to prevent this case as the shell is called
> by sshd after looking up a user's shell. My own limited testing so far
> seems to confirm this but I would like to get the list's thoughts.
If you can go with a chrooted scponly, you can make sure that no other shells are present, further limiting the risk that someone figures out a way to execute an arbitrary command.
I would definitely recommend you read through the SECURITY document that's included with scponly as it provides suggestions and warnings on how best to configure it.
--
Kaleb Pederson
Blog - http://kalebpederson.com
Twitter - http://twitter.com/kalebpederson
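
Added example (not part of the original message and not scponly's own source): a sketch in C of the command-mapping step described above, where the string sshd passes after -c is reduced to its basename and looked up in a table of fixed paths. The function name resolve_command, the table contents and the paths are assumptions made for illustration; option checking is not covered.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allowlist: names and fixed paths are assumptions for this
 * example, not scponly's compiled-in table. */
struct allowed { const char *name; const char *fixed_path; };
static const struct allowed ALLOWED[] = {
    { "scp",         "/usr/bin/scp" },
    { "ls",          "/bin/ls" },
    { "sftp-server", "/usr/lib/openssh/sftp-server" },
};

/* Map the string sshd passes after "-c" to a fixed binary path.
 * Returns the fixed path, or NULL if the command is not allowed. */
const char *resolve_command(const char *cmdline)
{
    char first[256];
    size_t len, i;
    const char *base;

    if (cmdline == NULL)
        return NULL;
    cmdline += strspn(cmdline, " \t");      /* skip leading blanks */
    len = strcspn(cmdline, " \t");          /* first token = the command */
    if (len == 0 || len >= sizeof(first))
        return NULL;
    memcpy(first, cmdline, len);
    first[len] = '\0';
    /* Discard any client-supplied directory: only the basename is matched. */
    base = strrchr(first, '/');
    base = base ? base + 1 : first;
    for (i = 0; i < sizeof(ALLOWED) / sizeof(ALLOWED[0]); i++)
        if (strcmp(base, ALLOWED[i].name) == 0)
            return ALLOWED[i].fixed_path;   /* path chosen at configure time */
    return NULL;                            /* bash, ksh, cat, ... */
}

int main(void)
{
    /* Constructed inputs mirroring the cases discussed in the thread. */
    const char *samples[] = { "ls", "/bin/ls", "/some/bad/path/to/ls -l",
                              "/bin/cat /path/to/some/file", "/bin/bash" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *p = resolve_command(samples[i]);
        printf("%-32s -> %s\n", samples[i], p ? p : "REJECTED");
    }
    return 0;
}
```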