Date:      Sun, 14 Oct 2001 22:58:27 -0400 (EDT)
From:      Francisco Reyes <lists@natserv.com>
To:        <cjclark@alum.mit.edu>
Cc:        FreeBSD Questions List <questions@FreeBSD.ORG>
Subject:   Re: Automating ssh connections so only one command would run.
Message-ID:  <20011014225334.V18306-100000@zoraida.natserv.net>
In-Reply-To: <20011012222025.I6274@blossom.cjclark.org>

> > > it is trivial to slip commands through scp(1),
> > >$ scp 'remote:somefile;touch /tmp/scp_test' .
> > > And check for /tmp/scp_test on the remote machine.
> > I don't see how this is a security problem. Could you explain?
>
> I presume you want to limit people to scp(1) so they do not have full
> shell access; they can't execute arbitrary commands on the remote
> machine. With scp(1), you can do,
>
>   $ cat > command.sh <<EOF
>   > exec > command.out 2>&1
>   > <put your arbitrary commands here>
>   > EOF
>   $ scp command.sh remote:
>   $ scp 'remote:nonexistent; /bin/sh command.sh' .
>   $ scp remote:command.out .
>   $ more command.out

I just did what you wrote above. All a person would be able to do is to
copy the command.sh file/command to the other machine. If I could limit
their ability to only run scp and not ssh there would be no harm (in my
setup) just by being able to copy arbitrary files. Of course I still need
to have a quota so they don't override the space on the other machine, but
that is not all too much trouble.

> > Automating scp may not be the most secure way to copy data, but is there a
> > better way?
> scp = ssh = shell access. But I may have misunderstood what you are
> trying to achieve.

I am just trying to copy 2 files every day from one machine to another.
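The thread's point is that the remote path of an scp transfer is handed to the remote shell, so "scp only" is not a restriction unless something inspects the requested command. The following is an added example, not code from either poster: a forced-command wrapper (installed via the `command="..."` option of an OpenSSH `authorized_keys` entry, which passes the client's request in `SSH_ORIGINAL_COMMAND`) that allows only a plain `scp -t`/`scp -f` transfer of a relative path made of safe characters. The script name and the `uploads` directory are assumptions.

```shell
#!/bin/sh
# Assumed authorized_keys entry for the automated copy job:
#   command="/usr/local/bin/scp-only.sh",no-pty,no-port-forwarding ssh-rsa AAAA...
# sshd ignores the command the client asked for and runs this script instead,
# putting the original request in SSH_ORIGINAL_COMMAND.
set -f   # the request is untrusted input: never let it glob-expand

# Return 0 if "$1" is an acceptable scp server command, 1 otherwise.
allow_scp_command() {
    set -- $1                      # split the request on whitespace
    [ "$1" = "scp" ] || return 1   # only scp, never a shell or other tool
    shift
    [ $# -ge 2 ] || return 1       # need at least a mode flag and a path
    mode=""
    while [ $# -gt 1 ]; do         # every word but the last must be a known flag
        case "$1" in
            -t|-f) mode=$1 ;;      # -t: client uploads, -f: client downloads
            -r|-p|-d|-v|--) ;;     # harmless options scp may add
            *) return 1 ;;         # "somefile;touch" or a second command lands here
        esac
        shift
    done
    [ -n "$mode" ] || return 1
    path=$1
    case "$path" in
        ''|/*|*..*) return 1 ;;              # no absolute paths, no traversal
        *[!A-Za-z0-9._/-]*) return 1 ;;      # no ';', '|', '`', '$', quotes, ...
    esac
    return 0
}

# When invoked by sshd, enforce the policy on the real request.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if allow_scp_command "$SSH_ORIGINAL_COMMAND"; then
        cd "$HOME/uploads" || exit 1   # assumed transfer area
        exec $SSH_ORIGINAL_COMMAND     # validated: scp, flags, one safe path
    fi
    echo "scp-only: command rejected" >&2
    exit 1
fi
```

This still lets the key holder read and write files under the transfer area, so a quota and file permissions remain necessary, as the reply notes.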

