RE: Subsystem sftp invoked even though forced command created

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 

It appears the forced command either does not run or runs to completion and exits immediately, as there is no process named "receive.ksh" in the process tree.

The sftp-server process is an immediate child of the privilege-separation sshd process:
root        1157  0.0  0.1  94556  5804 ?        Ss   Jun07   0:00 /usr/sbin/sshd -D
root     3933778  0.0  0.2 155624  9732 ?        Ss   10:34   0:00  \_ sshd: mm1072 [priv]
mm1072   3933794  0.0  0.1 155624  5564 ?        S    10:34   0:00  |   \_ sshd: mm1072@pts/0
mm1072   3933795  0.0  0.1  25428  5252 pts/0    Ss   10:34   0:00  |       \_ -bash
mm1072   3934980  0.0  0.1  59200  4636 pts/0    R+   10:57   0:00  |           \_ ps auwwwx --forest
root     3934958  0.1  0.2 155628 10568 ?        Ss   10:56   0:00  \_ sshd: m61586 [priv]
m61586   3934972  0.0  0.1 155628  5576 ?        S    10:56   0:00      \_ sshd: m61586@notty
m61586   3934973  0.0  0.1  47280  5228 ?        Ss   10:56   0:00          \_ /usr/libexec/openssh/sftp-server

Mike McManus
Principal – Technology Security
GTO Security Governance Team - Unix
P: He/Him/His

AT&T Services, Inc.
20205 North Creek Pkwy, Bothell, WA 98011
michael.mcmanus@xxxxxxx  


-----Original Message-----
From: openssh-unix-dev <openssh-unix-dev-bounces+mm1072=att.com@xxxxxxxxxxx> On Behalf Of Jochen Bern
Sent: Wednesday, July 5, 2023 1:52 AM
To: openssh-unix-dev@xxxxxxxxxxx
Subject: Re: Subsystem sftp invoked even though forced command created

On 05.07.23 02:50, Damien Miller wrote:
> Some possibilities:
> 1. the receive.ksh script is faulty in some way that causes it to invoke
>     sftp-server

How would the script even *know* that the client requested the SFTP 
subsystem? Is a subsystem's executable/path, supposedly internally 
overwritten with the forced command at that point, exposed through 
$SSH_ORIGINAL_COMMAND ?

(As a quick preliminary check, I'd suggest doing a "ps auwwwx --forest" 
on the server while WinSCP has a "hacked" session open. If the 
sftp-server process turns out to be a child of the script, bingo. If 
not, the script could still be the culprit, but then we'd know that it 
must "exec" the sftp-server or somesuch, rather than calling it 
"normally" as a subprocess.)

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux