Bruno Cesar Ribas | 1 Sep 2007 22:22

[patch] sftp-server basepath [yet another]

Hi,

I made this simple patch to make sftp-server restricted to a basepath!

This was done because we use sshfs [which is based on sftp-server] to allow people
to access media [CD-ROM, DVD-ROM, floppy, USB] from x-terms.

Those x-terms [diskless] do not have all users, so we share a single user
and a DSA key with an empty passphrase, with some ACL scripts at .ssh/authorized keys.

Main usage of this patch is to NOT allow a user who mounted a floppy to access
other mounted media from another user.

Usage:
sftp-server -b <path>

My page includes this patch: http://www.inf.ufpr.br/ribas/sshfs_help/

And it is attached too.

Thanks for your attention

Bruno Ribas
-- 
Bruno Ribas - ribas <at> c3sl.ufpr.br
http://web.inf.ufpr.br/ribas
C3SL: http://www.c3sl.ufpr.br 
Attachment (sftp-server.c.patch): text/x-diff, 1369 bytes

Darren Tucker | 2 Sep 2007 15:06

Re: [patch] sftp-server basepath [yet another]

On Sat, Sep 01, 2007 at 05:22:11PM -0300, Bruno Cesar Ribas wrote:
> I made this simple patch to make sftp-server restricted to a basepath!
[...]
> +	if(strncmp(basepath,realpath(path,NULL),strlen(basepath))==0) {
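
Review bot: the strncmp(basepath, ..., strlen(basepath)) test on this line is a plain string-prefix match, so a basepath such as /media/floppy would also accept /media/floppy2 or any other path that merely begins with the same characters. After the prefix matches, also require that the next character of the resolved path is '/' or the end of the string. The return value of realpath() is used here without being checked or freed; resolve into a caller-supplied buffer, test for NULL, and deny the request when resolution fails.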

Passing a NULL as the second argument to realpath is a) nonstandard and
b) makes it malloc the returned string, so this leaks memory.  Also,
realpath can fail and return NULL, in which case this would segfault.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
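
The check discussed in this reply, written out as an added example; it is not the code from the attached patch or from OpenSSH. `path_within_base` and `setup_media` are hypothetical names and the /tmp layout is constructed for the demonstration; beyond the two points raised above, it also requires the prefix match to end on a path-component boundary.

```c
#define _XOPEN_SOURCE 700   /* realpath(), mkdtemp() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* 1 = path resolves inside base, 0 = outside, -1 = cannot resolve (deny). */
int path_within_base(const char *base, const char *path)
{
    char rbase[PATH_MAX], rpath[PATH_MAX];
    size_t n;

    /* Caller-supplied buffers: standard usage, nothing to free. */
    if (realpath(base, rbase) == NULL || realpath(path, rpath) == NULL)
        return -1;
    n = strlen(rbase);
    if (n == 1)                 /* base resolved to "/" */
        return 1;
    if (strncmp(rbase, rpath, n) != 0)
        return 0;
    /* The prefix must end on a component boundary. */
    return rpath[n] == '/' || rpath[n] == '\0';
}

/* Constructed layout (hypothetical): <root>/floppy and <root>/floppy2. */
int setup_media(char *root, size_t len)
{
    char p[PATH_MAX];
    snprintf(root, len, "/tmp/basepathXXXXXX");
    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(p, sizeof(p), "%s/floppy", root);
    if (mkdir(p, 0700) != 0)
        return -1;
    snprintf(p, sizeof(p), "%s/floppy2", root);
    return mkdir(p, 0700);
}

int main(void)
{
    char root[64], base[PATH_MAX], other[PATH_MAX];
    if (setup_media(root, sizeof(root)) != 0)
        return 1;
    snprintf(base, sizeof(base), "%s/floppy", root);
    snprintf(other, sizeof(other), "%s/floppy/../floppy2", root);
    printf("%d %d\n", path_within_base(base, base), path_within_base(base, other));
    return 0;
}
```

A path that cannot be resolved returns -1 and should be treated as a denial, not as a match.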
MailScanner | 4 Sep 2007 23:09

{Spam?} Warning: Virus detected in e-mail

Our virus detection system was triggered by a message
that you sent to:-
  To: aduteca <at> aduana-dsp.com.br
  Subject: Re: BRAS Vaga
  Date: Tue Sep  4 17:09:07 2007

One or more of the attachments is on the list of file types
prohibited by the system and cannot be delivered.

Consider renaming the attached file(s) or putting them in a
compressed ("ZIP") format to avoid this kind of problem.

Our anti-virus system reported the following about your message:
Relatório: Reporte: MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (Vaga.pif)
Reporte: Blocked Filetype Detected (Vaga.pif)

-- 
Postmaster
Aduana Despachos e Assessoria de Com. Exterior
www.aduana-dsp.com.br
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev <at> mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Damien Miller | 5 Sep 2007 02:14

Announce: OpenSSH 4.7 released

OpenSSH 4.7 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
        http://www.openbsd.org/tshirts.html and
        http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.6:
============================

Security bugs resolved in this release:

 * Prevent ssh(1) from using a trusted X11 cookie if creation of an
   untrusted cookie fails; found and fixed by Jan Pechanec.

Other changes, new functionality and fixes in this release:

 * sshd(8) in new installations defaults to SSH Protocol 2 only.

Richard Secor | 5 Sep 2007 18:38

sshd_config -> ChallengeResponseAuthentication

I was under the impression from the provided distribution version of  
the sshd_config file that "ChallengeResponseAuthentication" is  
supposed to default to "yes".

Does anyone know if there are any circumstances, such as configure  
options, that might cause it to default to "no"?

Thanks,
Richard A. Secor
rsecor <at> seqlogic.com
Sequential Logic
http://www.seqlogic.com/
+1.954.931.7374
Chris Rapier | 5 Sep 2007 23:27

HPN Patch for OpenSSH 4.7 Available

The HPN-SSH patch set for OpenSSH 4.7 is now available from
http://www.psc.edu/networking/projects/hpn-ssh/openssh-4.7p1-hpn12v18.diff.gz

It passes all regression tests and my personal sets of tests. We do not 
introduce any new functionality.  However, I expect this is an interim 
release. I hope to have some relatively minor modifications available in 
the next month. These will mostly deal with buffering issues for *small* 
BDP connections, a small performance enhancement for bulk data 
transfers, and a couple user configuration/usage changes.
Darren Tucker | 5 Sep 2007 23:49

Re: sshd_config -> ChallengeResponseAuthentication

Richard Secor wrote:
> I was under the impression from the provided distribution version of  
> the sshd_config file that "ChallengeResponseAuthentication" is  
> supposed to default to "yes".
> 
> Does anyone know if there are any circumstances, such as configure  
> options, that might cause it to default to "no"?

The Match code changes had a side effect (ie "bug") that changed the 
default of ChallengeResponseAuthentication.   It affected version 4.6 
only, it's fixed in 4.7.  I can dig up a patch for 4.6 if it helps.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
John Wong | 5 Sep 2007 22:42

Openssh4.6p1 Make tests failed in sftp

Hi All,

After configuring and compiling OpenSSH version 4.6p1 on my SUN Solaris8
ultrasparc machine, I ran "make tests" and got the following errors. The
compiler used is GCC3.3.

run test sftp.sh ...
test basic sftp put/get: buffer_size 5 num_requests 1
sftp failed with 1
test basic sftp put/get: buffer_size 5 num_requests 2
sftp failed with 1
test basic sftp put/get: buffer_size 5 num_requests 10
sftp failed with 1
test basic sftp put/get: buffer_size 1000 num_requests 1
sftp failed with 1
test basic sftp put/get: buffer_size 1000 num_requests 2
sftp failed with 1

I do not get these errors when running "make tests" with OpenSSH version
4.3p2 on the same machine.

When I installed the 4.6p1 package on my machine and tested sftp from a
client, I got the following log messages in the authlog:

Sep  5 17:09:51 wcarsx0h sshd[23483]: subsystem request for sftp
Sep  5 17:09:56 wcarsx0h sftp-server[23840]: error: process_write: write failed
Sep  5 17:09:56 wcarsx0h sshd[23483]: error: channel 0: chan_read_failed for ist


Darren Tucker | 6 Sep 2007 01:28

Re: Openssh4.6p1 Make tests failed in sftp

John Wong wrote:
> After configuring and compiling OpenSSH version 4.6p1 on my SUN Solaris8
> ultrasparc machine, I ran "make tests" and got the following errors. The
> compiler used is GCC3.3.

4.7p1 was just released in the last day or so.  Could you please repeat 
the tests with that version?  I test on Solaris 8/sparc regularly so 
there's no fundamental reason why it shouldn't work.

> I do not get these errors when running "make tests" with OpenSSH version
> 4.3p2 on the same machine.
> 
> When I installed the 4.6p1 package on my machine and tested sftp from a
> client, I got the following log messages in the authlog:
> 
> Sep  5 17:09:51 wcarsx0h sshd[23483]: subsystem request for sftp
> Sep  5 17:09:56 wcarsx0h sftp-server[23840]: error: process_write: write failed
> Sep  5 17:09:56 wcarsx0h sshd[23483]: error: channel 0: chan_read_failed for ist

These are spurious and can be ignored.  They are fixed in 4.7p1.

> Further debugging on process_write of sftp-server.c, I found that the
> errno returned from the "write" function is always "File too large" no
> matter what is the size of the file. I appreciate your help to further
> investigate the possible cause of the problem.

I'm wondering if configure some how got something like large file 
support wrong... Could you please post the content of config.h (eg "grep 

John Wong | 6 Sep 2007 14:05

RE: Openssh4.6p1 Make tests failed in sftp

Thanks Darren.

The CFLAGS used in the Makefile is:

CFLAGS=-g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -O -mcpu=ultrasparc

The contents of '#define' in config.h is:

[ /soamp/SSSecurity/OpenSSH/openssh-4.6p1/src 59 ] grep '#define' config.h
#define BROKEN_ONE_BYTE_DIRENT_D_NAME 1
#define CONF_LASTLOG_FILE "/var/adm/lastlog"
#define DISABLE_UTMP 1
#define DISABLE_WTMP 1
#define ENTROPY_TIMEOUT_MSEC 200
#define GETPGRP_VOID 1
#define HAS_SHADOW_EXPIRE 1
#define HAVE_ACCRIGHTS_IN_MSGHDR 1
#define HAVE_BASENAME 1
#define HAVE_BCOPY 1
#define HAVE_CLOCK 1
#define HAVE_CLOCK_T 1
#define HAVE_CRYPT_H 1
#define HAVE_DECL_GLOB_NOMATCH 1
#define HAVE_DECL_H_ERRNO 1
#define HAVE_DECL_O_NONBLOCK 1
#define HAVE_DECL_SHUT_RD 1
#define HAVE_DECL_WRITEV 1
#define HAVE_DECL__GETLONG 0

