[Secure-testing-team] Bug#876392: restricted-ssh-commands: Suggested configuration is not secure
Gabriel Corona
gabriel.corona at enst-bretagne.fr
Thu Sep 21 17:19:46 UTC 2017
Package: restricted-ssh-commands
Version: 0.3-2
Severity: important
Tags: security
Forwarded: https://github.com/bdrung/restricted-ssh-commands/issues/4
The suggested configuration (in the manpage) is not secure:
^scp -p( -d)? -t( --)? /srv/reprepro/incoming(/[^ /]*)?$
^chmod 0644 /srv/reprepro/incoming/[^ /]*$
^reprepro ( -V)? -b /srv/reprepro processincoming foobar$
The first and second regex can be abused to execute arbitrary
commands:
SSH_ORIGINAL_COMMAND='scp -p -t /srv/reprepro/incoming/&echo owned' /usr/lib/restricted-ssh-commands test.conf
# ^^^^
# This is a tab
`/` is blacklisted but a `rm -rf /` can be executed using `$(printf
"\x2f")` for example.
The documentation should probably warn about the dangers of accepting
TAB CR LF $ "" '' `` & ; and so on in the regex.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.12.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-- no debconf information
More information about the Secure-testing-team
mailing list