
Re: how to make Debian less fragile (long and philosophical)



Marek, what's going on here is subtle so I should explain. You aren't
seeing the echoes from your startup file because bash isn't going 
interactive, even though it has a TTY. This is a non-login shell, 
so .bash_profile does not run. It is a non-interactive shell, 
so .bashrc does not run. The bash man page would lead you to believe
that it would go interactive since you specified (in one case) 
the -t option giving it a TTY.

I reported this as a bug against bash but they responded by saying 
the next release will include a note that bash never goes interactive
if you specify the -c option (so it's a documentation bug).

What you really want to do to test this out is change your shell 
to echo, so you can see what happens when ssh calls.

It's my belief that ssh relies on your shell for everything; a good
reason was provided by Michael Stone: in case you have set a user with
a restrictive shell, ssh shouldn't allow them to circumvent that.

Justin


On Fri, Aug 20, 1999 at 02:43:50PM +0200, Marek Habersack wrote:
> * Steve Willer said:
> 
> > > > Nope. ssh invokes the command you request by calling your shell, 
> > > > with the '-c' argument, so if your shell is dynamically linked, sh 
> > > > will fail to exec it, and your command (sash) won't get run.
> > > No, ssh invokes either an interactive shell or the command specified on the
> > > command line.
> > 
> > Actually, this is kinda interesting. I just tried it out, and I couldn't
> > execute /bin/sash via ssh on my own account. I got two errors about libc
> > missing.
> Hmm... I just did it with ssh2 and the following command line:
> 
> ssh2 -t grendel@jester.vip.net.pl /bin/sash
> 
> No errors and no problems at all.
>  
> > My root account has the default .profile, I think, and I was able to
> > convince it to run sash. I had to use ssh's -t parameter to make it work.
> Yes, it is needed so that you can see the prompt - an interactive shell must
> have a controlling terminal.
> 
> > I got one libc error, but it continued. I can only assume ssh is executing
> > your startup files with bash but perhaps not running the command through
> > bash?
> No. ssh doesn't execute anything except what you specified on the command
> line. I put echoes in all the startup files (sash reads only .aliasrc AFAIR
> and not any other config file) and none of them showed up. The only process
> running on the allocated terminal was sash. ssh forks and then execs
> directly what you typed on the command line.
> 
> > The difference between the two users, as far as I can tell, is that my
> > user's .bash_profile says:
> > 
> >    . ~/.bashrc
> sash, AFAIK, is unable to source files using . (dot)
> 
> > I guess this is what locked me out.
> > 
> > The conclusion, then, is that it is possible to get into a system that has
> > sash installed but isn't using sash as root's prompt...if you're very
> > careful about your startup script.
> No, I think the startup script doesn't matter...
> 
> 
> marek
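
The invocation discussed in this thread, as an added example that is not part of either message: it runs locally, without ssh, and models the `<login shell> -c <command>` call plus the echo-as-shell test suggested above. The helper names `run_via_shell` and `probe_startup` and the marker strings are constructed for illustration; it assumes `bash` and `/bin/echo` are installed.

```shell
#!/bin/sh
# Added example (constructed): models the call the thread describes, where
# the ssh server runs a requested command as `<login shell> -c "<command>"`.

# Hypothetical helper: invoke a login shell the way the thread says ssh does.
run_via_shell() {
    "$1" -c "$2"
}

# Run bash with optional extra flags ($1) in a scratch HOME whose startup
# files print markers, and report which markers reach stdout, in order.
probe_startup() {
    scratch=$(mktemp -d) || return 1
    echo 'echo FROM_BASH_PROFILE' > "$scratch/.bash_profile"
    echo 'echo FROM_BASHRC' > "$scratch/.bashrc"
    # env -i drops inherited variables such as BASH_ENV that change which
    # files bash reads; stdin comes from /dev/null so it is never a socket.
    # $1 is left unquoted on purpose so an empty value adds no argument.
    out=$(env -i HOME="$scratch" PATH="$PATH" \
          bash $1 -c 'echo COMMAND_RAN' </dev/null 2>/dev/null)
    rm -rf "$scratch"
    # Keep only our markers; a system-wide /etc/profile may print other text.
    printf '%s\n' "$out" \
        | grep -E '^(FROM_BASH_PROFILE|FROM_BASHRC|COMMAND_RAN)$' \
        | paste -sd' ' -
}

# 1. With echo as the "shell", the output is the argument list it was handed.
run_via_shell /bin/echo /bin/sash        # prints: -c /bin/sash

# 2. Plain `bash -c`: non-login and non-interactive, so no startup markers.
probe_startup ""                         # prints: COMMAND_RAN

# 3. `bash -l -c`: a login shell, so .bash_profile runs before the command.
probe_startup "-l"                       # prints: FROM_BASH_PROFILE COMMAND_RAN
```

Swapping `/bin/echo` for a restricted or logging shell in case 1 shows why the shell stays in the path: whatever the account's shell is, it receives the requested command as an argument and decides what to do with it.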


