16 changes: 14 additions & 2 deletions files/permit-scp.sh
100644 → 100755
@@ -1,9 +1,21 @@
#!/bin/bash
# Permit scp
case $SSH_ORIGINAL_COMMAND in
'scp'*)
# Permit scp when run in internal source/dest/dir mode
# NOTE: adding path does not protect from rogue symlinks
"scp -f $HOME/"*)
$SSH_ORIGINAL_COMMAND
Copilot AI Sep 2, 2025

Executing $SSH_ORIGINAL_COMMAND without proper sanitization or validation is a security risk. The command should be parsed and validated more thoroughly to prevent command injection attacks.
;;
"scp -t $HOME/"*)
$SSH_ORIGINAL_COMMAND
;;
"scp -d $HOME"*)
$SSH_ORIGINAL_COMMAND
Comment on lines 1 to +12

Copilot AI Sep 2, 2025

The path validation using $HOME/ prefix is insufficient for security. An attacker could use '../' sequences to escape the home directory restriction, and as noted in the comment, symlinks are not protected against.
;;
Comment on lines 1 to +13

Copilot AI Sep 2, 2025

The path validation using $HOME/ prefix is insufficient for security. An attacker could use '../' sequences to escape the home directory restriction, and as noted in the comment, symlinks are not protected against.
# Permit standard sftp - by pats, as `internal-sftp` works only in sshd_config
Copilot AI Sep 2, 2025

Typo in comment: 'by pats' should be 'by path'.

Suggested change
# Permit standard sftp - by pats, as `internal-sftp` works only in sshd_config
# Permit standard sftp - by path, as `internal-sftp` works only in sshd_config
"/usr/lib/openssh/sftp-server")
$SSH_ORIGINAL_COMMAND
Comment on lines 6 to +16

Copilot AI Sep 2, 2025

Executing $SSH_ORIGINAL_COMMAND without proper sanitization or validation is a security risk. The command should be parsed and validated more thoroughly to prevent command injection attacks.

Suggested change
$SSH_ORIGINAL_COMMAND
;;
"scp -t $HOME/"*)
$SSH_ORIGINAL_COMMAND
;;
"scp -d $HOME"*)
$SSH_ORIGINAL_COMMAND
;;
# Permit standard sftp - by pats, as `internal-sftp` works only in sshd_config
"/usr/lib/openssh/sftp-server")
$SSH_ORIGINAL_COMMAND
set -- $SSH_ORIGINAL_COMMAND
if [ "$1" = "scp" ] && [ "$2" = "-f" ] && [[ "$3" == $HOME/* ]]; then
exec scp -f "$3"
else
echo "Access Denied"
exit 1
fi
;;
"scp -t $HOME/"*)
set -- $SSH_ORIGINAL_COMMAND
if [ "$1" = "scp" ] && [ "$2" = "-t" ] && [[ "$3" == $HOME/* ]]; then
exec scp -t "$3"
else
echo "Access Denied"
exit 1
fi
;;
"scp -d $HOME"*)
set -- $SSH_ORIGINAL_COMMAND
if [ "$1" = "scp" ] && [ "$2" = "-d" ] && [[ "$3" == $HOME* ]]; then
exec scp -d "$3"
else
echo "Access Denied"
exit 1
fi
;;
# Permit standard sftp - by pats, as `internal-sftp` works only in sshd_config
"/usr/lib/openssh/sftp-server")
exec /usr/lib/openssh/sftp-server

Comment on lines 6 to +16

Copilot AI Sep 2, 2025

Executing $SSH_ORIGINAL_COMMAND without proper sanitization or validation is a security risk. The command should be parsed and validated more thoroughly to prevent command injection attacks.

Suggested change
$SSH_ORIGINAL_COMMAND
;;
"scp -t $HOME/"*)
$SSH_ORIGINAL_COMMAND
;;
"scp -d $HOME"*)
$SSH_ORIGINAL_COMMAND
;;
# Permit standard sftp - by pats, as `internal-sftp` works only in sshd_config
"/usr/lib/openssh/sftp-server")
$SSH_ORIGINAL_COMMAND
# Parse and validate arguments for 'scp -f'
set -- $SSH_ORIGINAL_COMMAND
if [ "$1" = "scp" ] && [ "$2" = "-f" ] && [[ "$3" == $HOME/* ]]; then
exec scp -f "$3"
else
echo "Access Denied"
exit 1
fi
;;
"scp -t $HOME/"*)
# Parse and validate arguments for 'scp -t'
set -- $SSH_ORIGINAL_COMMAND
if [ "$1" = "scp" ] && [ "$2" = "-t" ] && [[ "$3" == $HOME/* ]]; then
exec scp -t "$3"
else
echo "Access Denied"
exit 1
fi
;;
"scp -d $HOME"*)
# Parse and validate arguments for 'scp -d'
set -- $SSH_ORIGINAL_COMMAND
if [ "$1" = "scp" ] && [ "$2" = "-d" ] && [[ "$3" == $HOME* ]]; then
exec scp -d "$3"
else
echo "Access Denied"
exit 1
fi
;;
# Permit standard sftp - by pats, as `internal-sftp` works only in sshd_config
"/usr/lib/openssh/sftp-server")
# Only allow exact match for sftp-server
if [ "$SSH_ORIGINAL_COMMAND" = "/usr/lib/openssh/sftp-server" ]; then
exec /usr/lib/openssh/sftp-server
else
echo "Access Denied"
exit 1
fi

Comment on lines 6 to +16

Copilot AI Sep 2, 2025

Executing $SSH_ORIGINAL_COMMAND without proper sanitization or validation is a security risk. The command should be parsed and validated more thoroughly to prevent command injection attacks.

Suggested change
$SSH_ORIGINAL_COMMAND
;;
"scp -t $HOME/"*)
$SSH_ORIGINAL_COMMAND
;;
"scp -d $HOME"*)
$SSH_ORIGINAL_COMMAND
;;
# Permit standard sftp - by pats, as `internal-sftp` works only in sshd_config
"/usr/lib/openssh/sftp-server")
$SSH_ORIGINAL_COMMAND
# Parse and validate the command
set -- $SSH_ORIGINAL_COMMAND
if [ "$1" = "scp" ] && [ "$2" = "-f" ] && [[ "$3" == $HOME/* ]]; then
exec scp -f "$3"
else
echo "Access Denied"
exit 1
fi
;;
"scp -t $HOME/"*)
set -- $SSH_ORIGINAL_COMMAND
if [ "$1" = "scp" ] && [ "$2" = "-t" ] && [[ "$3" == $HOME/* ]]; then
exec scp -t "$3"
else
echo "Access Denied"
exit 1
fi
;;
"scp -d $HOME"*)
set -- $SSH_ORIGINAL_COMMAND
if [ "$1" = "scp" ] && [ "$2" = "-d" ] && [[ "$3" == $HOME* ]]; then
exec scp -d "$3"
else
echo "Access Denied"
exit 1
fi
;;
# Permit standard sftp - by pats, as `internal-sftp` works only in sshd_config
"/usr/lib/openssh/sftp-server")
exec /usr/lib/openssh/sftp-server

;;
# Drop anything else
*)
echo "Access Denied"
;;
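Review bot: the allow-list patterns `"scp -f $HOME/"*)`, `"scp -t $HOME/"*)` and `"scp -d $HOME"*)` check only a string prefix and then hand the whole client string back to the shell via the unquoted `$SSH_ORIGINAL_COMMAND`. Three concrete problems: (1) `"scp -d $HOME"*` has no trailing slash, so it also matches any path that merely starts with the home directory string (`/home/user2` when `$HOME` is `/home/user`); (2) the prefix patterns accept any trailing text, so extra words, `..` components and symlinked paths pass, and the unquoted expansion is word-split and glob-expanded by the wrapper's own shell (`set -f` is missing); (3) the OpenSSH scp client puts `-d` before `-t`, not in front of the path (`scp [-v] [-r] [-p] [-d] -t path` for uploads, `scp [-v] [-r] [-p] -f path` for downloads), so a bare `scp -d path` is not what the client produces, and the `-t`/`-f` branches reject recursive and `-p` transfers. Suggested shape: `set -f`, split into words, require exactly one operand after the mode flag, canonicalize it with `realpath` and compare against `$HOME`, then `exec scp` with the fixed flags and the checked operand instead of the raw string. Also, the `*)` deny branch prints "Access Denied" but exits 0; add `exit 1`. Finally, since OpenSSH 9.0 the scp client speaks SFTP by default, so modern clients reach the `/usr/lib/openssh/sftp-server` branch and the scp branches only serve `scp -O` and older clients; a comment saying so would help the next reader.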
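The Copilot comments on this hunk ask for `$SSH_ORIGINAL_COMMAND` to be parsed and validated rather than expanded, and point out that a `$HOME/` prefix check stops neither `../` components nor symlinks. The script below is an added example written for this review, not the PR's `permit-scp.sh` and not code from the project: it resolves the requested path with `realpath` and accepts it only if it is the home directory or lies inside it after every symlink is followed, splits the client string on whitespace with globbing disabled, and allows only the argument shapes the OpenSSH scp client actually sends (`scp [-v] [-r] [-p] [-d] -t|-f PATH`, which is broader than the PR's three patterns; a relative PATH, which the client sends as `.` for `scp file host:`, is taken relative to the home directory) plus the bare sftp-server path of a subsystem request. It assumes GNU coreutils `realpath` (`-e`/`-m`) and the Debian-style `/usr/lib/openssh/sftp-server` path from the PR; `check_command` and `is_under` are names chosen here.

```shell
#!/bin/bash
# Added example (not the PR's permit-scp.sh): a stricter ForceCommand gate for
# $SSH_ORIGINAL_COMMAND. Assumes GNU coreutils `realpath` (-e/-m) and the
# Debian-style sftp-server path used in the PR; the rest is plain sh.

SFTP_SERVER=/usr/lib/openssh/sftp-server

# Globbing stays off for the whole script: client-supplied words are split on
# whitespace only, and a '*' or '?' inside them must remain literal.
set -f

# is_under ROOT PATH: succeed if PATH, with every symlink in it resolved, is
# ROOT itself or lies below ROOT. A relative PATH (OpenSSH sends `scp -t .`
# for `scp file host:`) is taken relative to ROOT. realpath -m still resolves
# symlinks but tolerates a not-yet-existing last component, which `scp -t`
# needs when the file is new.
is_under() {
  local root target canon
  root=$(realpath -e -- "$1") || return 1
  case $2 in
    /*) target=$2 ;;
    *)  target="$1/$2" ;;
  esac
  canon=$(realpath -m -- "$target") || return 1
  case $canon in
    "$root"|"$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_command ROOT COMMAND: print the argv the wrapper may exec (space-joined)
# and return 0; return 1 for anything else. Accepted forms are the ones the
# OpenSSH scp client sends (`scp [-v] [-r] [-p] [-d] -t|-f PATH`) and the bare
# sftp-server path that an sftp subsystem request arrives as.
check_command() {
  local root mode opts
  root=$1; mode=""; opts=""
  # shellcheck disable=SC2086  # intentional whitespace split, globbing is off
  set -- $2
  if [ $# -eq 1 ] && [ "$1" = "$SFTP_SERVER" ]; then
    printf '%s\n' "$SFTP_SERVER"
    return 0
  fi
  [ "${1:-}" = scp ] || return 1
  shift
  while [ $# -gt 0 ]; do
    case $1 in
      -v|-r|-p|-d) opts="$opts $1" ;;
      -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;
      *) break ;;
    esac
    shift
  done
  # exactly one operand must remain, and it must resolve inside ROOT
  [ -n "$mode" ] && [ $# -eq 1 ] || return 1
  is_under "$root" "$1" || return 1
  printf '%s\n' "scp$opts $mode $1"
}

# Entry point when sshd runs this script as ForceCommand: exec only the
# reassembled, checked argv, never the raw client string.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  if argv=$(check_command "$HOME" "$SSH_ORIGINAL_COMMAND"); then
    # shellcheck disable=SC2086
    set -- $argv
    exec "$@"
  fi
  echo "Access Denied" >&2
  exit 1
fi
```

The check is still check-then-use: a symlink planted between `realpath` and scp opening the file is not caught, which is why a `ChrootDirectory` or a dedicated unprivileged account remains the stronger containment and a wrapper like this is best layered on top of one rather than used instead of it.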
7 changes: 1 addition & 6 deletions files/sshd_config
@@ -13,12 +13,7 @@ PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no

# Force sftp and chroot jail
Subsystem sftp internal-sftp
ForceCommand internal-sftp
ChrootDirectory %h

# Permit SCP
Subsystem sftp /usr/lib/openssh/sftp-server
ForceCommand /usr/local/bin/permit-scp.sh

# Enable this for more logs
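Review bot: dropping `ChrootDirectory %h` together with `ForceCommand internal-sftp` removes the kernel-enforced containment and leaves the string check in `permit-scp.sh` as the only boundary, which is weaker than the jail it replaces (a path check in a script cannot stop a symlink created between the check and scp opening the file); the `# Permit SCP` comment should state that trade-off, and if the chroot was removed because `scp` and its libraries are not available inside the jail, that is the reason to record there. Two smaller points: the `Subsystem sftp /usr/lib/openssh/sftp-server` line is what makes an sftp subsystem request reach the wrapper as `SSH_ORIGINAL_COMMAND=/usr/lib/openssh/sftp-server`, so the wrapper's exact-match case depends on this path and on a Debian/Ubuntu layout (other distributions install it under `/usr/libexec/openssh/`); and if these lines sit in the global section rather than a `Match` block, `ForceCommand /usr/local/bin/permit-scp.sh` now applies to every account, including administrative ones, so consider scoping it with `Match Group`.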