scponly-4.8-5.fc12.i686.rpm

scponly v4.8 - jan 14 2008
	fix support for quota and passwd when running within the chroot (exec pre-chroot)
	disallow rsync and svnserve from being run as daemons that listen on a port
	switch to getopt_long for command processing, use getopt for
		sftp-server, svnserve, and quota
	abort processing on commands that require getopt when getopt is not available
	switched to slightly optimized and more compact debug code
	fix unison support within chroots
	fix for unison command execution bug
		Dan Knapp <dankna@gmail.com>
	allow multiple users with the same uid using USER environment variable
		Steve Kehlet <stevek@webreachinc.com>

scponly 4.7 - change information unknown mismanaged - check CVS diffs if needed

scponly v4.6 - jan 31 2006

	added missing semicolon to helper.c

scponly v4.5 - jan 31 2006

	fixes the configure.in script to not define HAVE_OPTRESET, not even to a value of 0
		Ilya Evseev <ilya_evseev@mail.ru>

scponly v4.4 - jan 30 2006

	fixes that hopefully improve the optarg compilation situation
		Christophe GRENIER <grenier@cgsecurity.org>
		Bryan Østergaard <kloeri@gentoo.org>

	UNISON $HOME environment fix
		Martin Werthmoeller <mw@lw-systems.de>

	fixes to setup_chroot.sh/in
		Hideyuki KURASHINA <rushani@bl.mmtr.or.jp>

scponly v4.3 - 27 dec 2005

	numerous small fixes to 4.2

scponly v4.2 - 20 dec 2005

	improved argument processing
		Pekka Pessi <ppessi@gmail.com> reported that scponly processed scp args 
		by literal comparison, which is insufficient to catch getopt style 
		arguments.
		this also resulted in scp and winscp compat turned off by default.

	added CHROOT_CHECKDIR directive
		issue reported by Max Vozeler <max@decl.org> wherein non-scponly users
		on some platforms (debian linux tested) could invoke the scponlyc binary
		against a specially crafted home directory to achieve privilege escalation.

	fix for openbsd ldd in setup_chroot
		G 0kita <goo13c@gmail.com>

	sftp-logging compatibility patch
		Kaleb Pederson <kpederson@mail.ewu.edu>

	fix for autoconf AC_INIT macro
		Paul Hyder <Paul.Hyder@noaa.gov>
	
	patch for command line args to setup_chroot invocation
		Anish Mistry <amistry@am-productions.biz>

	patches to fix passwd support and add quota support
		Richard Fuller <rpfuller@cs.york.ac.uk>

scponly v4.1 - 12 apr 2005
	follow up fix for additional executable rsync argument "-6e" (see v4.0)
		Jason Wies <jason@xc.net>

	building jails document
		Paul Hyder <Paul.Hyder@noaa.gov>     
	
	chdir/chroot patch
		David Ramsden <david@hexstream.eu.org> 

	dangerous args ifdef macro for scp -S flag (fixes debian bug 289861)
		Hideyuki KURASHINA <rushani@bl.mmtr.or.jp>  

	DESTDIR support for chroot creation
		Markus Kolb <markus-122004@tower-net.de>                     

	numerous fixes
		Kaleb Pederson <kpederson@mail.ewu.edu>   
		Dimitri Papadopoulos <papadopo@shfj.cea.fr>

scponly v4.0 - 27 nov 2004
	SERIOUS VULNERABILITY FIX: scp/sftp-server/unison/rsync all support the command line
		specification of "ssh dropins" for alternate crypto tunnels (similar to the way ssh can
		dropin to replace rsh).  this allows arbitrary command execution on the destination host, 
		circumventing scponly's sole purpose.  this is NOT a priv escalation bug and it DOES 
		require authentication.  all versions prior to 4.0 are vulnerable.
		Jason Wies <jason@xc.net> 
	
	added passwd support
		Andreas Beck <becka-Ynyda@acs.uni-duesseldorf.de> 

	added subversion support
		Sven Hoexter <sven@telelev.net>

	fixed AIX support in configure script
		Sven Hoexter <sven@telelev.net>

	compile time configuration of default chdir
		Daniel Lorch <ml-daniel@lorch.cc>       

scponly v3.12 - 22 mar 2004
	UNISON bugfix

scponly v3.11 - 21 mar 2004,
	added UNISON compatibility (http://www.cis.upenn.edu/~bcpierce/unison/):
		Raimund Specht <raimund@spemaus.de>
	bugfix to home dir default permissions:
		James Valente <jvalente@ofoto.com> 
	configure option to disable paranoid filename checking, thus allowing all characters in input
	added a new config.sub 
	fixed missing PROG_RM declaration:
		Hideyuki KURASHINA <rushani@bl.mmtr.or.jp>       

scponly v3.9 - 17 nov 2003,
	makefile improvements: 
		Björn Eriksson <bjorn@bjornen.nu>
	setup_chroot improvements:
		Johan Kuuse <kuuse@redantigua.com>
		Thomas Wana <thomas@wana.at>
		Martin Werthmoeller <mw@werthmoeller.de>
		Hideyuki KURASHINA <rushani@bl.mmtr.or.jp>
		Ralf Durkee <rd@rd1.net>
	WinSCP3 compat patch (http://o5.pl/scponly-stuff/):
		Konrad Krzysztof Krasinski <konrad@o5.pl>
	hand-written build scripts for debian and RH9:
		Konrad Krzysztof Krasinski <konrad@o5.pl>

scponly v3.8 - 17 mar 2003,
	added chgrp to acceptable binaries

scponly v3.7 - 17 mar 2003,
	rerepaired freebsd 4.7 configure and setup_chroot problems

scponly v3.6 - 07 mar 2003,
	fixed the rsync compatibility configure options
	repaired freebsd 4.7 configure and setup_chroot problems
	added cool /chrootdir//homedir home directory interpretation
		- thanks to Stefan Sami-Soueiha <stefan.sami@gmx.de> for his patch

scponly v3.5 - 16 dec 2002,
	v3.4 - 02 nov 2002,
	v3.3 - 28 oct 2002:
	stupid bugfixes from 3.2 in configure.in
	thanks to Sven Hoexter <sven@telelev.net>

scponly v3.2
	27 oct, 2002

	realloc() fix
	change exit values for hygiene and portability
	TODO file added
	numerous portability fixes to setup_chroot.sh.in
	Solaris compatibility improvements
	Irix compatibility improvements
	added some chrooted Irix install notes in README.IRIX
	some winscp2 fixes to reduce annoying popup errors
	added a strsep clone for solaris

scponly v3.1
	10 sep, 2002

	additional linux compatibility checks for setup_chroot.sh.in

	configure script changes to fix moronic problem of not
		being able to find /bin

	added rsync compile time option.  this is a very untested
		feature.

scponly v3.0
	04 sep, 2002

	Solaris compatibility patch 
		- by Rene Klootwijk <rene.klootwijk@rencon.nl>

	gftp compatibility patch 
		- by Michael <ysothoth@wsia.csi.cuny.edu>

	system() dropped
		- wildcards are expanded with glob() and wordexp()
			depending on availability of these
			functions.
		
	autoconf configuration 
		- original by Andrew Chadwick <andrewc@piffle.org>
		- expanded by author
		- Can now set install dirs for other layouts.
		- Keep Ken McG's makefile changes as much as possible.
		- /etc/shells hacking has gone away, 'cause you can't
			do that to a Debian (or any other) install
			tree in a meaningful way.
		

scponly v2.4
	18 aug, 2002

	vulnerability patch!
		- Derek D. Martin <ddm@pizzashack.org> sent me an exploitable
			vulnerability condition that can be used to run
			arbitrary commands, thus circumventing scponly!
			the exploit is pending but the fix for existing 
			installations appears below.  new installations 
			scponly-2.4 are not vulnerable.

		- this vulnerability is POST-authentication and results
			in no privilege elevation.

		- the fix:  each user with scponly as his or her shell must
			have an immutable home directory and .ssh subdirectory.
			file uploads directly to the home directory are not
			permitted and in turn, an "incoming" directory or
			some analog must be used.  Also, it is prudent
			to audit/remove all dotfiles that are already in a 
			user's home directory.

		- the following commands will "patch" the vulnerability:

		chown root:root ~scpuser ~scpuser/.ssh
		mkdir ~scpuser/incoming
		chown scpuser:scpuser ~scpuser/incoming

		- the result:

		drwxr-xr-x    2 root     root       4096 Mar 28 20:50 ./
		drwxr-xr-x    2 root     root       4096 Mar 28 20:50 .ssh/
		drwxr-xr-x    2 user     user       4096 Mar 28 20:50 incoming/

		- this is to prevent a user from using SSH based login params to
		undermine the shell.

scponly v2.3
	22 june, 2002

	manpage addition
		- Ken McGlothlen <mcglk@artlogix.com> sent in a manpage for
			scponly.
		- he also sent in a patch to the makefile that improves the
			portability of the installation process

scponly v2.2
	11 june, 2002

	syslog implementation
		- Andrew Chadwick sent in a patch for syslog implementation
		- scponly now logs properly


scponly v2.1
	5 june, 2002

	chroot bugfix
		- Volker Kindermann <volker@volker.de> contributed a bug report 
			regarding WinSCP and chroot usage.  login sets the 
			interactive marker on the binary name so it becomes
			"-scponlyc".  this was confusing the chroot check.
		- fixed setup_chroot to include "groups" binary

 
scponly v2.0
	2 july, 2002

	lots of code added for compatibility with WinSCP 2.0
		- this code actually contradicts the "no interactive commands"
			mandate of scponly.  scponly now DOES support interactive
			commands limited to the commands scponly already allowed
			remote execution of, plus "cd", "groups" and "echo".
		- since this is new, it can be excluded at compile time
		- i haven't tested against WinSCP 1.0, as i expect it will go away
			with the advent of WinSCP 2.0
		- upon various failure conditions, WinSCP will probably freak out
			when it receives the error messages from scponly.  check
			your "logging" feature in WinSCP if this starts happening

	install script improved to not append shells to /etc/shells if they are already there
		- watch for this if you CHANGE your shell path and re-install


scponly v1.4
	may 20, 2002
	minor bugfix
		- upon failing to open a logfile, scponly would try to log to logfile.

scponly v1.3

feb 6 2002:
	pretty significant code changes to accomplish the following:
		- total overhaul of install scripts.  They are now rather
			BSD centric.  this might cause pain in the linux and
			solaris realms, which I would be happy to try to accommodate
			for.  
		- added clean_request() function to remove some unwanted
			leading path information from shell commands. This
			was in hopes of resolving the openssh client's habit 
			of specifying the full pathname of the sftp-server.
		- added debugging information that can be turned on at run
			time instead of compile time.  see INSTALL for notes
		- chroot() functionality is now established at run time instead
			of compile time as well.  depending on the NAME of the
			scponly binary (scponly/scponlyc), scponly will try to
			chroot.  this allows an admin to configure chroot functionality
			on a per user basis, instead of per host installation.
		- increased the list of acceptable commands for compatibility with
			sftp clients that do stuff like chmod and chown


scponly v1.2

jan 10th 2002:
	applied a patch submitted by dkl at tessellated dot net.

	increases compatibility with wintendo style sftp/scp clients by also
	allowing things like chmod, pwd, etc


scponly v1.1

feb 23rd - 8:36pm EST:

	I've discovered a rather glaring problem with the original release.
	It seems that while implementing chroot() functionality, I completely
	broke the wildcard matching.  This is because "/bin/sh" is required
	to expand wildcards.  

	Though it is undesirable to have ANY command interpreter in the chroot
	path, it should not be possible to invoke sh interactively or remotely.

	This fix vastly increases the usability of scponly.