Bug#552047: openssh-server: ForceCommand unable to pass parameters to internal-sftp (fixed upstream)

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#552047: openssh-server: ForceCommand unable to pass parameters to internal-sftp (fixed upstream)
From: Andre Tomt <andre@tomt.net>
Date: Fri, 23 Oct 2009 01:16:39 +0200
Message-id: <[🔎] 20091022231639.19000.72984.reportbug@disasterix.ugh.no>
Reply-to: Andre Tomt <andre@tomt.net>, 552047@bugs.debian.org

Package: openssh-server
Version: 1:5.1p1-5
Severity: important
Tags: patch


When using ForceCommand internal-sftp and you're trying to pass extra parameters, SFTP will fail 
due to a bug in the special casing of internal-sftp in the ForceCommand config 
directive processing.

This is particularly problematic if you're setting up a secure SFTP chroot with SFTP operations 
logging and want to avoid using the external sftp-server and all the nasty chroot hacks it would 
need. One of the major features of internal-sftp is easy chroot management, but without logging 
its usefullness is very limited.

A fix for this is in 5.2p1, and the patch commited upstream is available here:
https://bugzilla.mindrot.org/attachment.cgi?id=1569

The upstream bug is here:
https://bugzilla.mindrot.org/show_bug.cgi?id=1527

The patch applies on top of the debian package, but I havn't got around to test it yet 
(compiling..)

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-1-vs (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser         3.110                    add and remove users and groups
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  dpkg            1.14.25                  Debian package management system
ii  libc6           2.7-18                   GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  libpam-modules  1.0.1-5+lenny1           Pluggable Authentication Modules f
ii  libpam-runtime  1.0.1-5+lenny1           Runtime support for the PAM librar
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libselinux1     2.0.65-5                 SELinux shared libraries
ii  libssl0.9.8     0.9.8g-15+lenny5         SSL shared libraries
ii  libwrap0        7.6.q-16                 Wietse Venema's TCP wrappers libra
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  openssh-blackli 0.4.1                    list of default blacklisted OpenSS
ii  openssh-client  1:5.1p1-5                secure shell client, an rlogin/rsh
ii  procps          1:3.2.7-11               /proc file system utilities
ii  zlib1g          1:1.2.3.3.dfsg-12        compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.3-2  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- debconf information:
  ssh/insecure_rshd:
  ssh/vulnerable_host_keys:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false

Reply to:

Prev by Date: Bug#496017: Non-public channel 2, type 1.
Next by Date: Bug#73611: Yes I have dental and medical lists
Previous by thread: Bug#496017: Non-public channel 2, type 1.
Next by thread: Bug#73611: Yes I have dental and medical lists
Index(es):
- Date
- Thread