From owner-freebsd-isp Mon Nov 23 12:51:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA14588 for freebsd-isp-outgoing; Mon, 23 Nov 1998 12:51:00 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG) Received: from wind.freenet.am ([194.151.101.35]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA14568; Mon, 23 Nov 1998 12:50:38 -0800 (PST) (envelope-from casper@acc.am) Received: from lemming.acc.am (acc.freenet.am [194.151.101.251]) by wind.freenet.am (8.9.1/8.9.1) with ESMTP id AAA23861; Tue, 24 Nov 1998 00:50:30 +0400 (GMT) Received: from acc.am (nightmar.acc.am [192.168.100.108]) by lemming.acc.am (8.9.1a/8.9.1) with ESMTP id AAA12984; Tue, 24 Nov 1998 00:51:02 +0400 (AMT) Message-ID: <3659CAA1.D016100F@acc.am> Date: Tue, 24 Nov 1998 00:50:41 +0400 From: Casper Organization: ACC X-Mailer: Mozilla 4.5 [en] (Win95; I) X-Accept-Language: ru,en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: logical bug in SSH 2.0 + FreeBSD Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org When setuped restricted shell for users , for example rbash and $PATH restricted (by using login classes) to the some directory (say /usr/local/rbin) where placed links to the executables allowed to the clients any client can use ssh to get unrestricted shell .... Sshd2 setting PATH variable to the "/bin:/usr/bin:/usr/ucb:/usr/bin/X11:/usr/local/bin" by default(this can be overriden at compile time) so clients can run any shell located in the PATH and get unristricted shell .. PATH can be overriden by /etc/environment file , but how will admins use ssh ... ? Same bug presents in the sftpd .... if you put :ftp-chroot: option in the user login class , sftpd ignoring this ...... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message