bugzilla-daemon at bugzilla.mindrot.org
2009-May-18 20:41 UTC
[Bug 1599] New: "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599

           Summary: "ForceCommand internal-sftp" not working as expected
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: openssh-bugs at wulf.eu.org

Hello,

I tried setting up sshd for chrooted login and sftp-only access.

My /etc/ssh/sshd_config contains (among other stuff):

    Subsystem sftp /usr/lib/openssh/sftp-server
    Match User foo
        ChrootDirectory /srv/foo
        ForceCommand internal-sftp

The "Subsystem" option is set by default on debian systems.

The manual page says for "ForceCommand":

    Specifying a command of "internal-sftp" will force the use of an
    in-process sftp server that requires no support files when used with
    ChrootDirectory.

When I connect with sftp, sftp requests the subsystem 'sftp'.
The output from sshd is:

    subsystem request for sftp
    subsystem: cannot stat /usr/lib/openssh/sftp-server: No such file or directory
    subsystem request for sftp failed, subsystem not found
    Connection closed by 127.0.0.1

Setting "Subsystem sftp internal-sftp" works around the problem, but that option is not allowed inside a Match block.

If the stat() call in session_subsystem_req succeeds, is_subsystem is set to SUBSYSTEM_EXT; then do_exec is called, it overrides this and sets is_subsystem = SUBSYSTEM_INT_SFTP.

I believe that calling stat() on the external program and then calling the internal sftp handler is not intended behaviour.

Regards
Jörn Heissler

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
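The control flow described in the report above, as an added example that is not part of the original message and is a simplified model, not OpenSSH source: when a stat() failure on the configured subsystem program is fatal, the request is rejected before ForceCommand is ever applied. The names model_subsystem_req and model_do_exec, the fatal_stat flag and the sample path are assumptions made for illustration.

```c
/* Simplified model of the reported control flow; not OpenSSH source. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define INTERNAL_SFTP_NAME "internal-sftp"
enum { SUBSYSTEM_NONE, SUBSYSTEM_EXT, SUBSYSTEM_INT_SFTP };
struct session { int is_subsystem; };

/* Models do_exec(): a ForceCommand of internal-sftp overrides the request. */
static void model_do_exec(struct session *s, const char *forced)
{
	if (forced != NULL && strcmp(forced, INTERNAL_SFTP_NAME) == 0)
		s->is_subsystem = SUBSYSTEM_INT_SFTP;
}

/*
 * Models the subsystem request for one configured program (hypothetical
 * signature). fatal_stat=1: a stat() failure rejects the request, as in the
 * report; fatal_stat=0: the failure is only logged. Returns 1 on success.
 */
int model_subsystem_req(struct session *s, const char *prog,
    const char *forced, int fatal_stat)
{
	struct stat st;

	s->is_subsystem = SUBSYSTEM_NONE;
	if (strcmp(prog, INTERNAL_SFTP_NAME) == 0) {
		s->is_subsystem = SUBSYSTEM_INT_SFTP;
	} else {
		if (stat(prog, &st) < 0 && fatal_stat)
			return 0;	/* "subsystem not found": do_exec never runs */
		s->is_subsystem = SUBSYSTEM_EXT;
	}
	model_do_exec(s, forced);	/* ForceCommand is applied only here */
	return 1;
}

int main(void)
{
	struct session s;
	/* Constructed path standing in for the program sshd could not stat. */
	const char *missing = "/nonexistent/constructed/sftp-server";
	int ok = model_subsystem_req(&s, missing, INTERNAL_SFTP_NAME, 1);

	printf("fatal stat:  ok=%d mode=%d\n", ok, s.is_subsystem);
	ok = model_subsystem_req(&s, missing, INTERNAL_SFTP_NAME, 0);
	printf("logged only: ok=%d mode=%d\n", ok, s.is_subsystem);
	return 0;
}
```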
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31 01:50 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |1626

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2009-07-31 11:50:47 ---
look at this for 5.4
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 04:56 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1697|                            |ok?
               Flag|                            |

--- Comment #2 from Damien Miller <djm at mindrot.org> 2009-10-06 15:56:13 EST ---
Created an attachment (id=1697)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1697)
downgrade error message on subsystem executable stat() failure to debug

I think we can downgrade the error to a warning, but I need to check.

dtucker also points out that this will allow the use of subsystems on restricted shells that disallow absolute paths.
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-19 23:28 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1697|ok?                         |ok+
               Flag|                            |
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-19 23:43 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2009-11-20 10:43:51 EST ---
(From update of attachment 1697)
>Index: session.c >==================================================================>RCS file: /cvs/src/usr.bin/ssh/session.c,v >retrieving revision 1.247 >diff -u -p -r1.247 session.c >--- session.c 6 Oct 2009 04:46:40 -0000 1.247 >+++ session.c 6 Oct 2009 04:54:18 -0000 >@@ -1717,11 +1717,10 @@ session_subsystem_req(Session *s) > cmd = options.subsystem_args[i]; > if (!strcmp(INTERNAL_SFTP_NAME, prog)) { > s->is_subsystem = SUBSYSTEM_INT_SFTP; >- } else if (stat(prog, &st) < 0) { >- error("subsystem: cannot stat %s: %s", prog, >- strerror(errno)); >- break; > } else {btw: unbalanced bracket>+ if (stat(prog, &st) < 0) { >+ debug("subsystem: cannot stat %s: %s", >+ prog, strerror(errno)); > s->is_subsystem = SUBSYSTEM_EXT; > } > debug("subsystem: exec() %s", cmd);
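Review bot: The added "if (stat(prog, &st) < 0) {" inside the else branch is never closed by any added line, so as posted the braces do not balance and "s->is_subsystem = SUBSYSTEM_EXT;" lands inside the stat-failure branch. Close the brace right after the debug() call (or drop it) so SUBSYSTEM_EXT is set whether or not stat() succeeds. Separately, comment #2 talks about a warning while the hunk logs through debug(); with the "break" removed, a missing subsystem program is reported only at debug level before the later exec is attempted, so consider a level that is visible at the default LogLevel.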
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-20 00:16 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2009-11-20 11:16:22 EST ---
This has been committed and will be in 5.4. Thanks for the report.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-25 23:52 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2010-03-26 10:52:08 EST ---
With the release of 5.4p1, this bug is now considered closed.