bugzilla-daemon at bugzilla.mindrot.org
2009-May-18 20:41 UTC
[Bug 1599] New: "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599 Summary: "ForceCommand internal-sftp" not working as expected Product: Portable OpenSSH Version: 5.2p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: openssh-bugs at wulf.eu.org Hello, I tried setting up sshd for chrooted login and sftp-only access. My /etc/ssh/sshd_config contains (among other stuff): Subsystem sftp /usr/lib/openssh/sftp-server Match User foo ChrootDirectory /srv/foo ForceCommand internal-sftp The "Subsystem" option is set by default on debian systems. The manual page says for "ForceCommand": Specifying a command of ?internal-sftp? will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory. When I connect with sftp, sftp requests the subsystem 'sftp'. The output from sshd is: subsystem request for sftp subsystem: cannot stat /usr/lib/openssh/sftp-server: No such file or directory subsystem request for sftp failed, subsystem not found Connection closed by 127.0.0.1 Setting "Subsystem sftp internal-sftp" works around the problem, but that option is not allowed inside a Match block. If the stat() call in session_subsystem_req succeeds, is_subsystem is set to SUBSYSTEM_EXT; then do_exec is called, it overrides this and sets is_subsystem = SUBSYSTEM_INT_SFTP. I believe that calling stat() on the external program and then calling the internal sftp handler is not intended behaviour. Regards J?rn Heissler -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31 01:50 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at zip.com.au Blocks| |1626 --- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2009-07-31 11:50:47 --- look at this for 5.4 -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 04:56 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1697| |ok? Flag| | --- Comment #2 from Damien Miller <djm at mindrot.org> 2009-10-06 15:56:13 EST --- Created an attachment (id=1697) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1697) downgrade error message on subsystem executable stat() failure to debug I think we can downgrade the error to a warning, but I need to check. dtucker also points out that this will allow the use of subsystems on restricted shells that disallow absolute paths. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-19 23:28 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1697|ok? |ok+ Flag| | -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-19 23:43 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599 --- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2009-11-20 10:43:51 EST --- (From update of attachment 1697)>Index: session.c >==================================================================>RCS file: /cvs/src/usr.bin/ssh/session.c,v >retrieving revision 1.247 >diff -u -p -r1.247 session.c >--- session.c 6 Oct 2009 04:46:40 -0000 1.247 >+++ session.c 6 Oct 2009 04:54:18 -0000 >@@ -1717,11 +1717,10 @@ session_subsystem_req(Session *s) > cmd = options.subsystem_args[i]; > if (!strcmp(INTERNAL_SFTP_NAME, prog)) { > s->is_subsystem = SUBSYSTEM_INT_SFTP; >- } else if (stat(prog, &st) < 0) { >- error("subsystem: cannot stat %s: %s", prog, >- strerror(errno)); >- break; > } else {btw: unbalanced bracket>+ if (stat(prog, &st) < 0) { >+ debug("subsystem: cannot stat %s: %s", >+ prog, strerror(errno)); > s->is_subsystem = SUBSYSTEM_EXT; > } > debug("subsystem: exec() %s", cmd);-- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-20 00:16 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2009-11-20 11:16:22 EST --- This has been committed and will be in 5.4. Thanks for the report. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-25 23:52 UTC
[Bug 1599] "ForceCommand internal-sftp" not working as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1599 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2010-03-26 10:52:08 EST --- With the release of 5.4p1, this bug is now considered closed. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Maybe Matching Threads
- [patch] fix to ForceCommand to support additional arguments to internal-sftp
- fixed: [patch] fix to ForceCommand to support additional arguments to internal-sftp
- New Subsystem criteria for Match option block in OpenSSH server
- ForceCommand and NFS-shared home directories
- [Bug 1606] New: internal-sftp does not drop conections properly, it will hang