[Gllug] Limiting SSH access
Richard W.M. Jones
rich at annexia.org
Thu Apr 3 11:01:22 UTC 2003
On Thu, Apr 03, 2003 at 09:39:17AM +0100, Mark Lowes wrote:
> The only thing I can think of is that you put all those users into a
> group which cannot run any programs other than those you have explicitly
> specified.
This doesn't work because it's possible to upload pre-built
binary files, even if you've denied scp access.
e.g.:
uuencode evil_program < evil_program | ssh remote uudecode
ssh remote chmod +x evil_program
ssh remote ./evil_program
Or if you remove uudecode, then:
(a) Write a shell script which when run generates evil_program.
(b) ssh remote
(c) Cut and paste shell script into window.
(d) /bin/bash evil_script (generates evil_program)
(e) Run ./evil_program
On the project I mentioned in the earlier email we mounted /home
with the 'noexec' flag so users couldn't execute anything from it!
And I checked every RPM by hand to make sure it wasn't installing
any world-writable directories (you'd be surprised how many RPMs did
do that :-)
Rich.
--
Richard Jones, Red Hat Inc. (London office, UK) http://www.redhat.com/
http://www.annexia.org/ Freshmeat projects: http://freshmeat.net/users/rwmj
NET::FTPSERVER is a full-featured, secure, configurable, database-backed
FTP server written in Perl: http://www.annexia.org/freeware/netftpserver/
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
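The two controls Rich describes (a noexec /home and no world-writable directories left behind by packages) can both be audited rather than checked by hand. The script below is an added example, not code from the original post or from the list: has_noexec parses a mount table in /proc/mounts format (the optional second argument, a file path, is an assumption so the check can run offline against a constructed table), and world_writable_dirs does the world-writable-directory hunt over a scratch tree built inline.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the two mitigations
# described above: /home mounted noexec, and no world-writable directories
# without the sticky bit where any user could stage an uploaded binary.

# has_noexec MOUNTPOINT [MOUNTS_FILE]
# Returns 0 if MOUNTPOINT appears in the mount table with the noexec option.
# Reads /proc/mounts unless a file is given; the file argument is an
# assumption for offline use and must be in /proc/mounts format
# (device mountpoint fstype options dump pass).
has_noexec() {
    mp=$1
    mounts=${2:-/proc/mounts}
    awk -v mp="$mp" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "noexec") found = 1
        }
        END { exit found ? 0 : 1 }' "$mounts"
}

# world_writable_dirs ROOT
# Prints directories under ROOT that are writable by everyone and lack the
# sticky bit (directories like /tmp are skipped: sticky-bit dirs only let
# you delete your own files, which is the intended design).
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# --- constructed sample data so the script runs stand-alone ---

# A mount table in /proc/mounts format (constructed; not a real host).
sample_mounts=$(mktemp)
cat > "$sample_mounts" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev,noexec 0 0
proc /proc proc rw 0 0
EOF

# A scratch filesystem tree with one bad directory (0777, no sticky bit)
# and one acceptable one (1777, like /tmp).
sample_root=$(mktemp -d)
mkdir -p "$sample_root/usr/share/badpkg" "$sample_root/tmp"
chmod 0777 "$sample_root/usr/share/badpkg"
chmod 1777 "$sample_root/tmp"

# Demonstration run against the constructed data.
if has_noexec /home "$sample_mounts"; then
    echo "/home is mounted noexec"
else
    echo "WARNING: /home is NOT mounted noexec"
fi
echo "world-writable directories without sticky bit:"
world_writable_dirs "$sample_root"
```

To audit a live host, call has_noexec /home with no second argument and world_writable_dirs / as root. One caveat that the script cannot remove: noexec only blocks execve() of files on that filesystem. A user can still feed a script stored under /home to an interpreter that lives elsewhere (exactly step (d) above, /bin/bash evil_script), so the set of interpreters reachable by those accounts still matters.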