On Fri, Feb 08, 2019 at 09:42:32AM +0000, Nick Cleaton wrote:
> On Fri, 8 Feb 2019 at 01:37, Derek Martin <c...@pizzashack.org> wrote:
>
> >
> > [...], you need to know all of the possible ways to execute
> > a program from system code on all of your target platforms. And you
> > probably don't. And there are probably platform-dependent ways that
> > it could be done using inline assembly that would be hard or
> > impossible for you to block even if you did...
> >
>
> If the attacker is able to execute arbitrary system code, then they're
> already past the wall that this thing is intended to strengthen.
Sure, but what I'm trying to point out is that there may be a variety of ways that could happen that you're not thinking of, and that some folks may imagine uses for this that you haven't, but which won't actually be workable, but that won't stop them from blaming you (and expecting you to do something about it).

How do you imagine this filter program will be executed? It clearly can't be the user's shell, since a) it requires arguments to do anything useful, yet there is no way to pass them to the shell when a user logs in, and b) it necessarily needs to be able to execute other programs (or else it must implement everything the user should be able to do internally, in some fashion). So that means typically, the user's shell must be some other program (perhaps some fork of rssh, for example) which has been taught to use the filter. But there's no guarantee that program will use it correctly, or that some flaw in that program or changes to OpenSSH or some system feature won't allow the complete bypass of whatever that program is (as we've seen repeatedly with rssh), or that the user can find a way to insert some other preload library before yours comes into play, preventing it from coming into play (e.g. the PKCS11Provider we've been talking about in regard to rssh). Unless you can predict all the ways that can happen, now and forever, and can ensure that they will always be under your control--which I'm fairly sure you can't--you have created for yourself a very hard task. That is where rssh finds itself.

I'm not trying to discourage you, or to suggest it's not worth trying, I'm just trying to give you some perspective on what you may be signing up for by authoring such software.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
_______________________________________________
rssh-discuss mailing list
rssh-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rssh-discuss