Re: scp exploit
- From: Darren Tucker <dtucker@xxxxxxxxxxxxxxxx>
- Date: 19 Feb 2006 09:02:24 GMT
On 2006-02-17, Jesse Charbneau <groups@xxxxxxxxxxxxxxxxx> wrote:
Ok, so. let me wrap my head around this. If a user tries to copy a
local file using scp (isn't that what we use cp for),
Or local -> remote.
another user could boobytrap, say /tmp. The user copying some
directory out of tmp, or series of files from /tmp will then risk the
possibily of accidentally executing something in that directory, due to
metacharaters being embedded in the filename.
This begs a couple of questions.
First, who would using scp for local file copying, and why?
Second, I have seen something on the web about "scponly", is this a
decent replacement for scp? I also saw lots of security bulletins.
Those restricted shells should prevent passing of shell metacharacters
to remote processes, which is a very similar but unrelated issue.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
- Prev by Date: Re: sshd -i startup time
- Next by Date: Re: cygwin scp -r fails
- Previous by thread: Re: scp exploit
- Next by thread: Is it possible to restrict the use of private keys to specific users ?