Re: ssh+svn vs. bash security bug?

2014-09-27 Thread Vincent Lefevre
On 2014-09-27 00:45:19 +0100, Philip Martin wrote: > Vincent Lefevre writes: > > How can this be possible? Do you mean that OpenSSH starts the command > > with bash instead of some exec* function or /bin/sh (which is dash on > > my machines)? > > OpenSSH uses the login shell for the user, from se

Re: ssh+svn vs. bash security bug?

2014-09-27 Thread Nico Kadel-Garcia
On Fri, Sep 26, 2014 at 6:59 PM, Vincent Lefevre wrote: > On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote: >> From what I understand after reading about the problem briefly: >> >> In an svn+ssh setup svn clients run 'svnserve -t' by default. >> But there is no reason this could not be changed

Re: ssh+svn vs. bash security bug?

2014-09-26 Thread Philip Martin
Vincent Lefevre writes: > How can this be possible? Do you mean that OpenSSH starts the command > with bash instead of some exec* function or /bin/sh (which is dash on > my machines)? OpenSSH uses the login shell for the user, from session.c: /* * Execute the command using the

Re: ssh+svn vs. bash security bug?

2014-09-26 Thread jblist
On Sep 26, 2014, at 3:59 PM, Vincent Lefevre wrote: > On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote: >> From what I understand after reading about the problem briefly: >> >> In an svn+ssh setup svn clients run 'svnserve -t' by default. >> But there is no reason this could not be changed t

Re: ssh+svn vs. bash security bug?

2014-09-26 Thread Vincent Lefevre
On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote: > From what I understand after reading about the problem briefly: > > In an svn+ssh setup svn clients run 'svnserve -t' by default. > But there is no reason this could not be changed to '/bin/bash' by > an attacker. > > Note that forcing a comm

Re: ssh+svn vs. bash security bug?

2014-09-25 Thread Nico Kadel-Garcia
On Thu, Sep 25, 2014 at 5:25 AM, Bert Huijben wrote: > > >> -Original Message- >> From: Stefan Sperling [mailto:s...@elego.de] >> Sent: Thursday 25 September 2014 10:09 >> To: Nico Kadel-Garcia >> Cc: Les Mikesell; users >> Subject: Re: ssh+svn v

Re: ssh+svn vs. bash security bug?

2014-09-25 Thread Nico Kadel-Garcia
On Thu, Sep 25, 2014 at 4:08 AM, Stefan Sperling wrote: > On Wed, Sep 24, 2014 at 07:30:57PM -0400, Nico Kadel-Garcia wrote: >> Setting up a chroot for Subversion for just this purpose gets... >> potentially adventuresome. The maintainers of OpenSSH have generically >> refused to support chroot ch

RE: ssh+svn vs. bash security bug?

2014-09-25 Thread Bert Huijben
> -Original Message- > From: Stefan Sperling [mailto:s...@elego.de] > Sent: Thursday 25 September 2014 10:09 > To: Nico Kadel-Garcia > Cc: Les Mikesell; users > Subject: Re: ssh+svn vs. bash security bug? > > On Wed, Sep 24, 2014 at 07:30:57PM -0400,

Re: ssh+svn vs. bash security bug?

2014-09-25 Thread Stefan Sperling
On Wed, Sep 24, 2014 at 07:30:57PM -0400, Nico Kadel-Garcia wrote: > Setting up a chroot for Subversion for just this purpose gets... > potentially adventuresome. The maintainers of OpenSSH have generically > refused to support chroot changes, so it's a bit awkward to even set > up. Various folks h

Re: ssh+svn vs. bash security bug?

2014-09-24 Thread Nico Kadel-Garcia
On Wed, Sep 24, 2014 at 12:28 PM, Stefan Sperling wrote: > On Wed, Sep 24, 2014 at 11:06:13AM -0500, Les Mikesell wrote: >> Does the recently announced bash bug: >> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ >> affect the security

Re: ssh+svn vs. bash security bug?

2014-09-24 Thread Stefan Sperling
On Wed, Sep 24, 2014 at 11:06:13AM -0500, Les Mikesell wrote: > Does the recently announced bash bug: > https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ > affect the security of the way people generally configure svn+ssh access? > > --

ssh+svn vs. bash security bug?

2014-09-24 Thread Les Mikesell
Does the recently announced bash bug: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ affect the security of the way people generally configure svn+ssh access?

-- 
Les Mikesell
lesmikes...@gmail.com