On Thu, Sep 07, 2006 at 09:34:34AM +0200, Tevfik Karagülle wrote:
> >> Create a file named sftponly in bin directory:
> > >
> > > #!/bin/bash
> > > if [ "$*" != "-c /bin/sftp-server" ]; then echo "SFTP only!"
> > > exit 1
> > > fi
> > > exec $@
> >
> > Please understand, THIS WILL NOT WORK.
>
> Thanks for your comments. However, saying 'THIS WILL NOT WORK'
> is not a correct statement, since I can easily see that IT WORKS, WITH
> THE SECURITY IMPLICATIONS YOU MENTION.

Well, we're getting into more of a semantic argument here, but...

You put this shell script forth as a solution to allow people to use sftp, but prevent them from getting shell access. There are at least 2 ways that I know of to circumvent the script you posted, probably more... Since it does not actually prevent shell access, it does not do what was intended, therefore it does not work. My statement was true and correct.

> I am not defending this little tiny script :-) It all comes to where you
> use it and how you use it. However, this has a huge advantage
> in comparison to the others: It is simple and visible, you don't need
> to introduce a new component into your system with a higher level
> of complexity.

...except it doesn't work, which is a huge disadvantage, and rather an important one I should think.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
