[Bug 456182] Review Request: rssh - Restricted shell for use with OpenSSH, allowing only scp and/or sftp

bugzilla at redhat.com bugzilla at redhat.com
Tue Oct 28 20:27:51 UTC 2008


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=456182





--- Comment #20 from Derek Martin <code at pizzashack.org>  2008-10-28 16:27:49 EDT ---
(In reply to comment #19)

> Well, /etc/shells also has /sbin/nologin. Won't that cause some of the above
> problems too?

Indeed it would...  All of the above would apply to nologin as well, though in
some cases (e.g. the ftp server case and the sendmail .forward case) the exact
configuration of the system can come into play. 

I'm not really at liberty to test any of this at the moment, but I think the
chsh DoS example should be easy to reproduce...  If you can change your shell
to nologin, you can lock yourself out of the system (and so can an
opportunistic malicious user), requiring root intervention.

Bear in mind that the list of examples I provided is by no means exhaustive...

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.




More information about the Fedora-package-review mailing list