[scponly] Request review for patch to add support for bbcp to scponly
Craig Tierney
Craig.Tierney at noaa.gov
Thu Jun 4 15:45:58 EDT 2009
Kaleb Pederson wrote:
> Thanks for the patch Craig.
>
> bbcp looks like a very nice utility, so thank you for bringing it to my attention.
>
> The patch looks reasonable, but I haven't really reviewed it.
>
> Some notes, in no particular order:
>
> * Requiring 'ps' bothers me a bit... (I'm curious what bbcp is doing in this respect)
> * Requiring /proc bothers me even more, and I'm not sure how portable that is to other Unices
> * The -T and -S command lines should probably be intelligently and selectively disallowed using the getopt support (disallow depending on whether SSH host is SRC/SNK)
>
> --Kaleb
>
Sorry I didn't respond sooner. I didn't see the email come across.

PS is not required. Although my example below does include it,
everything works fine without it. BBCP reports an error. I haven't thought about
what to do. Right now it just complains. Should I contact the BBCP authors
to figure it out, just leave it as an error message, or other?

Access to /proc isn't needed, because it is only needed for ps, so
see above discussion on PS.

I will look into the issues with -T and -S.

Craig

> On Thursday 21 May 2009 12:26:29 pm Craig Tierney wrote:
>> I have written a patch to scponly-4.8 so that it can support
>> bbcp. Bbcp (http://www.slac.stanford.edu/~abh/bbcp/) is a high
>> performance transfer mechanism that relies on ssh for authentication
>> and control, but creates its own channels (multi-threaded) for bulk data transfer.
>> Bbcp gets around the known problems with high-latency, high-bandwidth
>> transfers that are present in scp.
>>
>> The local bbcp calls ssh in the following manner:
>>
>> ssh $SSHOPTS $HOSTNAME bbcp (SNK|SRC)
>>
>> The SNK and SRC text defines which way the channels of the sessions should be created.
>> As far as I can tell, all other communication and configuration is passed through
>> the ssh channel.
>>
>> Bbcp does call one system tool, /bin/ps. Code has been added to support this.
>> My biggest concern with this (since I am not a security expert) is that if you
>> want to use bbcp with a jailed-root environment, you need to mount /proc in
>> the jailed-root. That filesystem is mostly used for reading system data, however
>> if root access was gained in the jailed-root, then I could see an exploit where
>> any entries in /proc that are writable, the user could write values that could
>> harm or corrupt the system.
>>
>> The patch includes changes to config.h.in and configure.in as well as changes
>> to the code. The new feature is enabled with --enable-bbcp-compat. I would
>> appreciate it if someone more knowledgeable about scponly than I could review
>> the patch below and see if it looks correct or if I did something "horribly wrong".
>>
>> Thanks,
>> Craig
>>
>> diff -urN scponly-4.8/config.h.in ../scponly-4.8-bbcp/config.h.in
>> --- scponly-4.8/config.h.in 2008-01-15 06:26:13.000000000 +0000
>> +++ ../scponly-4.8-bbcp/config.h.in 2009-05-21 18:43:53.990556000 +0000
>> @@ -14,6 +14,7 @@
>> #undef PASSWD_COMPAT
>> #undef ENABLE_SCP2
>> #undef ENABLE_SFTP
>> +#undef ENABLE_BBCP
>> #undef SVNSERV_COMPAT
>> #undef ENABLE_WILDCARDS
>> #undef RESTRICTIVE_FILENAMES
>> @@ -51,6 +52,11 @@
>> #define PROG_CD "cd"
>> #endif /*ENABLE_SCP2*/
>>
>> +#ifdef ENABLE_BBCP
>> +#undef PROG_BBCP
>> +#undef PROG_PS
>> +#endif /*ENABLE_BBCP*/
>> +
>> /* sftp logging compatibility mode */
>> #undef SFTP_LOGGING
>>
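Review bot: `#undef PROG_PS` sits under the same `ENABLE_BBCP` guard as `PROG_BBCP`, so a build cannot have bbcp support without also defining a path to ps. Give ps its own guard (a separate macro and configure switch) so that it can be left out where only bbcp is wanted.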
>> diff -urN scponly-4.8/configure.in ../scponly-4.8-bbcp/configure.in
>> --- scponly-4.8/configure.in 2008-01-15 06:26:13.000000000 +0000
>> +++ ../scponly-4.8-bbcp/configure.in 2009-05-21 18:57:03.645227000 +0000
>> @@ -104,6 +104,17 @@
>> scponly_sftp_compat=1
>> ])
>>
>> +AC_ARG_ENABLE([bbcp-compat],
>> + AC_HELP_STRING([--enable-bbcp-compat], [enable bbcp compatibility]),
>> + [
>> + if test "x$enableval" != "xno"; then
>> + bbcp_compat=1
>> + AC_DEFINE([ENABLE_BBCP])
>> + fi
>> + ],[
>> + echo dnl Defaults to off, must be turned on explicitly
>> + ])
>> +
>> AC_ARG_ENABLE([winscp-compat],
>> AC_HELP_STRING([--enable-winscp-compat], [enable winscp (and scp) compatibility]),
>> [
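Review bot: `bbcp_compat=1` in the enabled branch is not read by anything else in this patch; the later bbcp block in configure.in tests `enable_bbcp_compat` instead. Either drop the assignment or make it the single guard for the path lookups, so that `AC_DEFINE([ENABLE_BBCP])` and the PROG_BBCP/PROG_PS lookups can never disagree.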
>> @@ -244,6 +255,13 @@
>> SCPONLY_PATH_PROG_DEFINE([PROG_RMDIR], [rmdir], [/bin:/usr/bin:/sbin:/usr/sbin])
>> fi
>>
>> +#Add options for bbcp
>> +if test "x$enable_bbcp_compat" != "x"; then
>> + AC_MSG_NOTICE([enabling bbcp compatability...])
>> + SCPONLY_PATH_PROG_DEFINE([PROG_BBCP], [bbcp], [/bin:/usr/bin])
>> + SCPONLY_PATH_PROG_DEFINE([PROG_PS], [ps], [/bin:/usr/bin])
>> +fi
>> +
>> dnl Check for binaries required by the WinSCP compatibility mode
>> dnl winscp-compat conditionals:
>> if test "x$enable_winscp_compat" != "xno"; then
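Review bot: the guard `test "x$enable_bbcp_compat" != "x"` is true for any explicit value, including `--disable-bbcp-compat` and `--enable-bbcp-compat=no`, which are the cases where the AC_ARG_ENABLE block skips `AC_DEFINE([ENABLE_BBCP])`. configure then still prints the "enabling" notice and runs the PROG_BBCP and PROG_PS lookups for a feature that is off. Guard on the enabled state instead, for example on the `bbcp_compat` variable set in the AC_ARG_ENABLE block. Also, "compatability" in the AC_MSG_NOTICE should read "compatibility".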
>> diff -urN scponly-4.8/scponly.c ../scponly-4.8-bbcp/scponly.c
>> --- scponly-4.8/scponly.c 2008-01-15 06:28:24.000000000 +0000
>> +++ ../scponly-4.8-bbcp/scponly.c 2009-05-21 19:03:29.733811000 +0000
>> @@ -62,6 +62,11 @@
>> { PROG_RSYNC, 1 },
>> #endif /*ENABLE_RSYNC*/
>>
>> +#ifdef ENABLE_BBCP
>> + { PROG_BBCP, 1 },
>> + { PROG_PS, 1 },
>> +#endif /*ENABLE_BBCP*/
>> +
>> #ifdef PASSWD_COMPAT
>> { PROG_PASSWD, 1 },
>> #endif /*ENABLE_PASSWD*/
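Review bot: the `{ PROG_PS, 1 }` entry is added to the same table as PROG_RSYNC and PROG_PASSWD, which appears to make ps a command that any scponly account can request directly, not only a helper that bbcp runs. The thread says bbcp works without ps and only reports an error, so consider dropping this entry or putting it behind its own configure switch; that also removes the need to mount /proc inside a chroot. The patch adds no option filtering for bbcp either, so the -T and -S concern raised in the review is still open.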
>> @@ -744,6 +749,10 @@
>> if (exact_match(av[0],PROG_SCP))
>> av = expand_wildcards(av);
>> #endif
>> +#ifdef ENABLE_BBCP
>> + if (exact_match(av[0],PROG_BBCP))
>> + av = expand_wildcards(av);
>> +#endif
>> #endif
>>
>> /*
>>
>>
>>
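Review bot: the new `expand_wildcards(av)` call for PROG_BBCP may not be needed. Per the patch description the remote side is started as `bbcp (SNK|SRC)` and everything else travels over the ssh channel, so there would be no filename arguments in argv to expand. If bbcp never receives globs on its command line, leave this block out; if it does, add a comment saying which arguments are expected. The two closing `#endif` lines would also be easier to follow with the `/*ENABLE_BBCP*/` tag used in the other hunks.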
--
Craig Tierney (craig.tierney at noaa.gov)