Re: scp exploit

Thanks for the responses!

Ok, so. let me wrap my head around this. If a user tries to copy a
local file using scp (isn't that what we use cp for), then
another user could boobytrap, say /tmp. The user copying some
directory out of tmp, or series of files from /tmp will then risk the
possibily of accidentally executing something in that directory, due to
metacharaters being embedded in the filename.

This begs a couple of questions.

First, who would using scp for local file copying, and why?

Second, I have seen something on the web about "scponly", is this a
decent replacement for scp? I also saw lots of security bulletins.

Also, I am familiar with meta characters, but would like to read up
more on them after this discussion, any good links you can point me to?
I'll google it, but maybe you guys have some good articles stored

Thanks for the information, very enlightening.



Relevant Pages

  • Re: scp exploit
    ... Or local -> remote. ... The user copying some ... First, who would using scp for local file copying, and why? ...
  • Re: cp that shows progress?
    ... I would really like "cp" that would show progress bar, sort of like ... scp when it works over ssh. ... you can use scp with two local file names. ... but in this case scp does not show progress bar. ...
  • Re: rsync and scp to my website suddenly dont work
    ... shell will substitute the local file names if you have a file or directory ... called MySshAccount or MySshaccount:hostname, which scp has a bad habit ... Host somehost ... Then you can just do scp hostname:files and it will get the user name ...
  • How to scp without user interation
    ... Is there any method to do scp with suppling the passwd from for instance ... local file. ...