
I have the requirement to set up some kind of repository that can be read using SCP. Client users shall not be able to see/damage/execute/... anything else.

I read through Restricting an SSH/SCP/SFTP user to a directory and similar, so rssh, scponly, chroot-based methods are known. Also, let's ignore SFTP.

Ideally I'd like not to install anything nor copy around libs etc for a true chroot-based way. So I thought about a shell script like this:

#!/bin/sh

echo "$(date) $*" >> /tmp/scpwrap.log

# Allow only plain SCP get, neither -r nor -v etc
if [ "${1}" = "-c" ] && expr "${2}" : '^scp -f ' >/dev/null
then
  shift

  files=$(echo $1 | sed 's/scp -f //')
  echo "SCPing ${files}" >> /tmp/scpwrap.log

  # However, permit multiple files (e.g. /tmp/x*)
  for f in ${files}
  do
   if [ ! -O "${f}" -o -w "${f}" ]
   then
     echo "Can only get read-only files owned by $(whoami)." >&2
     ls -l "${f}" >> /tmp/scpwrap.log
     exit 1
   fi
  done

  echo "Executing $*" >> /tmp/scpwrap.log
  exec $*
fi

[ "${1}" = "-c" ] && shift
echo "Executing $* not permitted." >&2
exit 1

and then:

# useradd -m -s /tmp/scpwrap.sh scpwrap

If I now copy repo content into ~scpwrap and give it the right ownership/permissions, that could be sufficient to allow:

client$ scp 'scpwrap@reposerver:repo/bla*' /tmp

Looks almost too simple though ... Any concerns or improvements? Many thx!!

tge

1 Answer


Concern: you clearly do not know how to write a secure shell script. Your code is obviously broken because of missing double quotes, which is a security bug, not just a functional bug.

If you actually want this to be secure, don't write your own. As a security engineer I would outright reject your homemade solution since established solutions exist. I'd do this even if it didn't look broken at first sight. Use a tool like rssh or scponly. Installing them is less work than writing your own script, and is far more likely to be secure.

  • Many thx for the ref regarding the quoting, nice summary. The script above was just an experiment to show the idea. Regarding the "outright reject": I see that there are better ways, but let's assume I cannot use them for whatever reason. Do you see any specific/known or just potential/still unknown/... risks (bad enough, agreed)? – tge Jan 18 '17 at 09:49
  • @tge What happens if the user wants to copy a file called -S and a file called sh? What happens when there's a symbolic link in the user's directory? There are so many cases that you obviously haven't considered that what you have is not a serious proposal for a restricted scp. If you can't use better ways then you can't have restricted scp. – Gilles 'SO- stop being evil' Jan 18 '17 at 10:52
  • OK - accepted. Originally I liked the simplicity (the simpler, the less options for attackers), however the complexity of the shell with all its interpretations etc destroys that - so a shell script is probably really the wrong way. – tge Jan 18 '17 at 11:21
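To make the point in the answer and in the "-S" / "sh" comment concrete, here is an added example (not code from the question or the answer): it copies the wrapper's per-file check into a function, with the same unquoted expansions, and runs it against a constructed repository in a temporary directory. The repository contents, the request strings and the directory layout are assumptions made for the demonstration; the example only shows which request strings the check lets through, and says nothing about what scp itself would then do with an option-looking word such as -S.

```shell
#!/bin/sh
# Added example, not code from the question or answer. It replicates the
# wrapper's per-file check and runs it over a constructed repository to show
# which "scp -f ..." request strings the check accepts. File names below
# are assumptions made for the demonstration.

# request_words REQUEST
#   Prints, one per line, the words the wrapper would loop over for a
#   "scp -f ..." request, using the wrapper's own unquoted expansions
#   (word splitting and pathname expansion in the current directory).
#   Prints nothing and returns 1 if the request does not start with "scp -f ".
request_words() {
    expr "$1" : '^scp -f ' >/dev/null || return 1
    files=$(echo $1 | sed 's/scp -f //')
    for f in ${files}
    do
        printf '%s\n' "$f"
    done
    return 0
}

# check_request REQUEST
#   Returns 0 if the wrapper would go on to exec the request: every word
#   after "scp -f " names an existing file that is owned by the current user
#   and not writable by the current user. Returns 1 otherwise. The test in
#   the loop is the wrapper's own; note that it asks "is this a read-only
#   file of mine?" of every word, including words that look like options.
check_request() {
    expr "$1" : '^scp -f ' >/dev/null || return 1
    files=$(echo $1 | sed 's/scp -f //')
    for f in ${files}
    do
        if [ ! -O "${f}" -o -w "${f}" ]
        then
            return 1
        fi
    done
    return 0
}

# make_repo
#   Builds the constructed repository in a fresh temporary directory and
#   prints its path. Besides two ordinary data files it contains read-only
#   files literally named "-S" and "sh", the case raised in the comment.
make_repo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/repo"
    printf 'payload 1\n' > "$d/repo/bla1"
    printf 'payload 2\n' > "$d/repo/bla2"
    printf 'a file, not an option\n' > "$d/repo/-S"
    printf 'a file, not a shell\n' > "$d/repo/sh"
    chmod 444 "$d/repo/bla1" "$d/repo/bla2" "$d/repo/-S" "$d/repo/sh"
    printf '%s\n' "$d"
}

# Demonstration: run a few request strings through the check from inside
# the repository's parent directory, as the wrapper would (its cwd is the
# account's home). The "would exec" column is the literal argv the wrapper
# hands to exec after the check has passed.
demo_dir=$(make_repo)
(
    cd "$demo_dir" || exit 1
    for req in 'scp -f repo/bla*' 'scp -f -S sh repo/bla1' \
               'scp -f /etc/passwd' 'scp -rf repo/bla1' 'scp -f repo/missing'
    do
        if check_request "$req"; then verdict=accepted; else verdict=rejected; fi
        printf '%-26s -> %-8s (would exec: %s)\n' "$req" "$verdict" "$req"
    done
)
rm -rf "$demo_dir"
```

Run as an unprivileged user, the first two requests are accepted and the last three rejected: `-S` and `sh` satisfy "existing, mine, not writable" exactly as `repo/bla1` does, so the wrapper's argv becomes `scp -f -S sh repo/bla1` with the option-looking words unexamined. (Run as root, `-w` is true for every file and the check rejects everything, which is a second way in which the test does not express the intended policy.)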