Package: restricted-ssh-commands Version: 0.3-2 Severity: important Tags: security Forwarded: https://github.com/bdrung/restricted-ssh-commands/issues/4
The suggested configuration (in the manpage) is not secure: ^scp -p( -d)? -t( --)? /srv/reprepro/incoming(/[^ /]*)?$ ^chmod 0644 /srv/reprepro/incoming/[^ /]*$ ^reprepro ( -V)? -b /srv/reprepro processincoming foobar$ The first and second regex can be abused to execute arbitrary commands: SSH_ORIGINAL_COMMAND='scp -p -t /srv/reprepro/incoming/&echo owned' /usr/lib/restricted-ssh-commands test.conf # ^^^^ # This is a tab `/` is blacklisted but a `rm -rf /` can be executed using `$(printf "\x2f")` for example. The documentation should probably warn about the dangers of accepting TAB CR LF $ "" '' `` & ; and so on in the regex. -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.12.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- no debconf information _______________________________________________ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team