1 .\" Copyright 2003 Derek D. Martin ( code at pizzashack dot org ).
3 .\" The software can be redistributed under the terms of the modified Berkely
4 .\" software license, as follows:
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
10 .\" 1. Redistributions of source code must retain the above copyright
11 .\" notice, this list of conditions and the following disclaimer.
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in the
14 .\" documentation and/or other materials provided with the distribution.
16 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
17 .\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
19 .\" EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
20 .\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21 .\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
22 .\" BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
23 .\" IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25 .\" POSSIBILITY OF SUCH DAMAGE.
27 .\" Japanese Version Copyright (C) 2003
28 .\" System Design and Research Institute Co., Ltd. All rights reserved.
30 .\" Translated on Sun Mar 2 23:08:54 JST 2003
31 .\" by System Design and Research Institute Co., Ltd. <info@sdri.co.jp>
32 .\" Updated on Fri Feb 25 23:25:07 EST 2005
33 .\" by Tatsuo Sekine <tsekine@sdri.co.jp>
35 .\"WORD: parser ²òÀÏ´ï
.TH RSSH 1 "7 Jul 2003" "man pages" "Derek D. Martin"
40 .\"O rssh \- restricted secure shell allowing only scp and/or sftp
41 rssh \- scp ¤È sftp ¤ÎξÊý¤À¤±¡¢¤Þ¤¿¤Ï¤½¤Î°ìÊý¤Î¤ß¤òµö²Ä¤¹¤ë
.SH SYNOPSIS
.B rssh
.RI [ " options... " ] " " [ " ... " ]
52 .\"O is a restricted shell for providing limited access to a host via \fIssh\fP(1),
53 .\"O allowing a user whose shell is configured to
55 .\"O to use one or more of the command(s) \fIscp\fP(1) or \fIsftp\fP(1)
56 .\"O \fIcvs\fP(1), \fIrdist\fP(1), and \fIrsync\fP(1), and
58 .\"O those commands. It is intended primarily to work with OpenSSH (see
59 .\"O http://www.openssh.com), but may work with other implementations.
64 ¤ò»È¤Ã¤¿¥¢¥¯¥»¥¹¤ÎÀ©¸Â¤òÄ󶡤¹¤ëÀ©¸ÂÉÕ¤¥·¥§¥ë¤Ç¡¢¥·¥§¥ë¤¬
66 ¤ËÀßÄꤵ¤ì¤¿¥æ¡¼¥¶¤Ë¤Ï¡¢
72 ¤Î¤¦¤Á¤Î°ì¤Ä°Ê¾å¤Î¥³¥Þ¥ó¥É
75 ¼ç¤Ë¡¢OpenSSH (http://www.openssh.com ¤ò»²¾È)
76 ¤È¶¦¤ËÆ°ºî¤¹¤ë¤è¤¦¤Ë°Õ¿Þ¤µ¤ì¤Æ¤Ï¤¤¤ë¤¬¡¢
77 ¾¤Î¼ÂÁõ¤È¤â¶¦¤ËÆ°ºî¤¹¤ë¤À¤í¤¦¡£
79 .\"O The system administrator should install the shell on the restricted system.
80 .\"O Then the password file entry of any user for whom it is desireable to provide
81 .\"O restricted access should be edited, such that their shell is \fBrssh\fP. For
83 µ¡Ì©¤ò¤â¤Ä¥·¥¹¥Æ¥à¤Î´ÉÍý¼Ô¤Ï¡¢¤³¤Î¥·¥§¥ë¤ò¥¤¥ó¥¹¥È¡¼¥ë¤¹¤Ù¤¤Ç¤¢¤ë¡£
84 ¥¢¥¯¥»¥¹¤¬À©¸Â¤µ¤ì¤ë¤Ù¤¤¹¤Ù¤Æ¤Î¥æ¡¼¥¶¤ËÂФ·¡¢
85 ¤½¤Î¥Ñ¥¹¥ï¡¼¥É¥¨¥ó¥È¥ê¤òÊÔ½¸¤·¡¢¥·¥§¥ë¤¬
88 Î㤨¤Ð°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
91 luser:x:666:666::/home/luser:/usr/bin/rssh
94 .\"O If invoked with the
98 .\"O will report its version, and exit. All other arguments to
100 .\"O are those specified by the remote \fIssh\fP(1) client, and aren't of much
101 .\"O concern to the average user. The arguments provided must be what a shell on
102 .\"O the remote end would receive in order to pass control to \fIscp\fP(1) or
103 .\"O \fIsftp\fP(1). If
105 .\"O receives arguments which do not conform, it will emit an error message and exit.
108 ¥ª¥×¥·¥ç¥óÉÕ¤¤Çµ¯Æ°¤µ¤ì¤¿¤é¡¢
110 ¤Ï¥Ð¡¼¥¸¥ç¥óÈÖ¹æ¤òɽ¼¨¤·¤Æ½ªÎ»¤¹¤ë¡£
112 ¤Ø¤Î¤½¤Î¾¤Î°ú¿ô¤Ï¥ê¥â¡¼¥È¤Î
114 ¥¯¥é¥¤¥¢¥ó¥È¤Ë¤è¤Ã¤Æ»ØÄꤵ¤ì¤¿¤â¤Î¤¬ÅϤµ¤ì¤ë¡£
115 °ìÈ̤Υ桼¥¶¤Ï¤³¤Î¤³¤È¤ò¤Û¤È¤ó¤É°Õ¼±¤¹¤ëɬÍפϤʤ¤¡£
121 rssh ¤ËÅϤµ¤ì¤ë°ú¿ô¤Ï¡¢¥ê¥â¡¼¥È¦¤Î¥·¥§¥ë¤¬¼õ¤±¼è¤Ã¤¿¤â¤Î¤ò(¤½¤Î¤Þ¤Þ)
122 »È¤ï¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
125 ¤¬Å¬¹ç¤·¤Ê¤¤°ú¿ô¤ò¼õ¤±¼è¤Ã¤¿¾ì¹ç¤Ë¤Ï¡¢¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ò½Ð¤·¤Æ½ªÎ»¤¹¤ë¡£
126 .\"O If the program the user is trying to run is not allowed, or contains syntax
127 .\"O which will try to execute a shell command (such as a command substitution), it
128 .\"O will also emit an error and exit.
129 ¥æ¡¼¥¶¤¬¼Â¹Ô¤·¤è¤¦¤È¤·¤¿¥×¥í¥°¥é¥à¤¬µö²Ä¤µ¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¤Ï
130 ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ò½ÐÎϤ·¤Æ½ªÎ»¤¹¤ë¡£
131 ¤Þ¤¿¡¢(¥³¥Þ¥ó¥ÉÃÖ´¹¤Î¤è¤¦¤Ê)¥·¥§¥ë¥³¥Þ¥ó¥É¤ò¼Â¹Ô¤·¤è¤¦¤È¤·¤¿¾ì¹ç¤â
132 ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ò½ÐÎϤ·¤Æ½ªÎ»¤¹¤ë¡£
135 .\"O has a configuration file, rssh.conf(5), which allows some of the behavior of
137 .\"O to be customized. See that man page for details.
139 ¤Ë¤ÏÀßÄê¥Õ¥¡¥¤¥ë rssh.conf(5) ¤¬¤¢¤ê¡¢
141 ¤ÎÆ°¤¤Î¤¤¤¯¤Ä¤«¤òÀßÄê²Äǽ¤Ç¤¢¤ë¡£
142 ¾ÜºÙ¤Ï man ¥Ú¡¼¥¸¤ò»²¾È¤Î¤³¤È¡£
144 .\"O .SH SECURITY NOTES
145 .SH ¥»¥¥å¥ê¥Æ¥£¾å¤ÎÃí°Õ
147 .\"O .SS Command Line Parser
148 .SS ¥³¥Þ¥ó¥É¥é¥¤¥ó²òÀÏ´ï
152 .\"O version 2.2.3, the program must parse out the complete command line to avoid
153 .\"O command line options which cause the execution of arbitrary programs (and
154 .\"O hence bypass the security of \fBrssh\fP). In order to keep the program source
155 .\"O code sane, the parser is a little over-zealous about matching command line
156 .\"O options. In practice, this probably will not be an issue, but in theory it is
159 ¥Ð¡¼¥¸¥ç¥ó 2.2.3 ¤Î»þÅÀ¤Ç¤Ï¡¢Ç¤°Õ¤Î¥³¥Þ¥ó¥É¤Î¼Â¹Ô¤ò°ú¤µ¯¤³¤¹
160 (¤½¤Î·ë²Ì¡¢\fBrssh\fP ¤Î¥»¥¥å¥ê¥Æ¥£¤ò¤«¤¤¤¯¤°¤ë)
161 ¤è¤¦¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤òÈò¤±¤ë¤¿¤á¤Ë¡¢¥³¥Þ¥ó¥É¥é¥¤¥óÁ´ÂΤò
162 ²òÀϤ·¤Ê¤¯¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
163 ¥½¡¼¥¹¥³¡¼¥É¤ò·òÁ´¤Ë¤·¤Æ¤ª¤¯¤¿¤á¡¢¤ä¤äÇ®¿´¤¹¤®¤ë¤°¤é¤¤¤Ë¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤ò¥Þ¥Ã¥Á¥ó¥°¤¹¤ë¡£
164 ¼ÂºÝ¤Ë¤Ï¤³¤ì¤ÏÌäÂê¤Ë¤Ï¤Ê¤é¤Ê¤¤¤¬¡¢ÍýÏÀ¾å¤Ï²Äǽ¤À¤«¤é¤Ç¤¢¤ë¡£
166 .\"O If you run into a problem where
168 .\"O refuses to run, claiming to be rejecting insecure command line options which
169 .\"O were not specified, try changing your command line such that all \fIshort\fP
170 .\"O options are specified as single-letter option flags (e.g. -e -p instead of
171 .\"O -ep) and make sure you separate arguments from their respective options by a
172 .\"O space (e.g. -p 123 instead of -p123). In virtually all cases, this should
173 .\"O solve the problem. Admittedly, an exhaustive search was not performed, but no
174 .\"O problematical cases were found which were likely to be common.
175 ËÜÅö¤Ï¤½¤¦¤Ç¤Ï¤Ê¤¤¤Ë¤â¤«¤«¤ï¤é¤º¡¢
176 ¡Ö°ÂÁ´¤Ç¤Ê¤¤¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤òµñÈݤ·¤¿¡×¤È¤¤¤¦Íýͳ¤Ç
178 ¤Î¼Â¹Ô¤òµñÈݤµ¤ì¤ë¤È¤¤¤¦ÌäÂê¤ËÆͤÅö¤¿¤Ã¤¿¤é¡¢¥³¥Þ¥ó¥É¥é¥¤¥ó¤ò¼¡¤Î¤è¤¦¤Ë
180 ¤¹¤Ù¤Æ¤Î\fIû¤¤\fR¥ª¥×¥·¥ç¥ó¤ò1ʸ»ú¤Î¥ª¥×¥·¥ç¥ó¥Õ¥é¥°¤Ç»ØÄꤹ¤ë
181 (Î㤨¤Ð¡¢\-ep ¤ÎÂå¤ï¤ê¤Ë \-e \-p)¡¢
182 °ú¿ô¤È¤½¤ì¤¾¤ì¤Î¥ª¥×¥·¥ç¥ó¤ò¥¹¥Ú¡¼¥¹¤Ç¶èÀÚ¤ë
183 (Î㤨¤Ð¡¢\-p123 ¤ÎÂå¤ï¤ê¤Ë \-p 123)¡£
184 ¤Û¤È¤ó¤ÉÁ´¤Æ¤Î¾ì¹ç¤Ç¡¢¤³¤ì¤ÇÌäÂê¤Ï²ò·è¤¹¤ë¡£
185 ¤ªÊ¬¤«¤ê¤Î¤È¤ª¤ê´°Á´¤Ê¸¡º÷¤Ï¤·¤Æ¤¤¤Ê¤¤¤¬¡¢
186 °ìÈÌŪ¤ËͤêÆÀ¤ë¤è¤¦¤ÊÌäÂê¤Ï¸«¤Ä¤«¤Ã¤Æ¤¤¤Ê¤¤¡£
188 .\"O The alternative would have been to include a complete command-line parser for
189 .\"O rcp, rdist, and rsync; this was way out of the scope of this project. In
190 .\"O practice, the existing parser should suffice. If, however, you find cases
191 .\"O where it does not, please post details to the rssh mailing list. Details
192 .\"O about how to post to the mailing list can be found at the rssh homepage.
193 Ê̤βò·èºö¤Ï¡¢rcp, rdist, rsync ¤ËÂФ¹¤ë´°Á´¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó²òÀÏ´ï¤ò
194 ¼ÂÁõ¤·¤Æ¤ª¤¯¤³¤È¤¬¤À¤¬¡¢¤½¤ì¤Ï¤³¤Î¥×¥í¥¸¥§¥¯¥È¤ÎÌÜŪ¤Ç¤Ê¤¤¡£
195 ¼ÂÍѾå¤Ï¡¢´û¤Ë¤¢¤ë²òÀÏ´ï¤Ç½½Ê¬¤Ç¤¢¤ë¡×
196 ¤·¤«¤·¡¢¤â¤·¤½¤¦¤Ç¤Ê¤¤¾ì¹ç¤ò¸«¤Ä¤±¤¿¤Î¤Ê¤é¡¢¾ÜºÙ¤ò
197 rssh ¥á¡¼¥ê¥ó¥°¥ê¥¹¥È¤ËÅê¹Æ¤·¤ÆÍߤ·¤¤¡£
198 rssh ¥á¡¼¥ê¥ó¥°¥ê¥¹¥È¤Ø¤ÎÅê¹Æ¤Ë´Ø¤¹¤ë¾ÜºÙ¤Ï
199 rssh ¥Û¡¼¥à¥Ú¡¼¥¸¤«¤éÆÀ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
200 .\"O .SS Safeguards Against Bypassing rssh
201 .SS rssh ¤ò¤«¤¤¤¯¤°¤ë¤³¤È¤ËÂФ¹¤ë°ÂÁ´ºö
204 .\"O is designed to interact with several other programs. Even if rssh is
205 .\"O completely bug-free, changes in those other programs could possibly result in methods
206 .\"O to circumvent the protection that
208 .\"O is intended to provide. \fBIt is important for you, the system administrator,
209 .\"O to stay current on the services you make available with rssh, to be sure that
210 .\"O these commands do\fP \fInot\fP \fBprovide mechanisms to allow the user to run
211 .\"O arbitrary commands.\fP Also, while the goal of every release is to be bug
212 .\"O free, no one is perfect... There may be undiscovered bugs in
214 .\"O which might allow a user to circumvent it.
216 ¤Ï¾¤Î¤¤¤¯¤Ä¤«¤Î¥×¥í¥°¥é¥à¤ÈÁê¸ß¤ËºîÍѤ¹¤ë¤è¤¦¤ËÀ߷פµ¤ì¤Æ¤¤¤ë¡£
217 ¤¿¤È¤¨ rssh ¤Ë´°Á´¤Ë¥Ð¥°¤¬¤Ê¤¯¤Æ¤â¡¢Â¾¤Î¥×¥í¥°¥é¥à¤ÎÊѹ¹¤¬
219 ¤¬Ä󶡤·¤Æ¤¤¤ëÊݸǽ¤ò̵»ë¤¹¤ë·ë²Ì¤È¤Ê¤êÆÀ¤ë¡£
220 \fB¥·¥¹¥Æ¥à´ÉÍý¼Ô¡¢¤¹¤Ê¤ï¤Á¤¢¤Ê¤¿¤Ë¤È¤Ã¤Æ½ÅÍפʤ³¤È¤Ï¡¢
221 rssh ¤È¶¦¤Ë»È¤¦¤è¤¦¤Ë¤·¤¿¥µ¡¼¥Ó¥¹¤ò¸½ºß¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤¡¢
222 ¤½¤ì¤é¤Î¥³¥Þ¥ó¥É¤¬¥æ¡¼¥¶¡¼¤ËǤ°Õ¤Î¥³¥Þ¥ó¥É¤Î¼Â¹Ô¤òµö²Ä¤¹¤ë¤è¤¦¤Ê
223 »ÅÁȤߤòÄ󶡤·¤Æ\fI¤¤¤Ê¤¤\fB¤³¤È¤ò³Î¤«¤Ë¤·¤Æ¤ª¤¯¤³¤È¤Ç¤Ç¤¢¤ë¡£\fP
224 ¤Þ¤¿¡¢¤¹¤Ù¤Æ¤Î¥ê¥ê¡¼¥¹¤ÎÌÜɸ¤Ï¥Ð¥°¤¬¤Ê¤¤¤³¤È¤Ç¤¢¤ë°ìÊý¡¢
225 ´°àú¤Ê¤â¤Î¤Ê¤É̵¤¤¡Ä¡Ä
227 ¤Ë¤Ïȯ¸«¤µ¤ì¤Æ¤¤¤Ê¤¤¥Ð¥°¤¬¤¢¤ë¤«¤â¤·¤ì¤º¡¢¤½¤ì¤Ï¥æ¡¼¥¶¡¼¤¬
228 rssh ¤ò̵»ë¤¹¤ë¤³¤È¤òµö¤·¤Æ¤·¤Þ¤¦¤«¤â¤·¤ì¤Ê¤¤¡£
230 .\"O You can protect your system from those who would take advantage of such
231 .\"O weaknesses. There are three basic steps:
232 ¤½¤Î¤è¤¦¤ÊÀȼåÀ¤«¤é¡¢¥·¥¹¥Æ¥à¤ò¼é¤ë¤³¤È¤¬¤Ç¤¤ë¡£
233 3¤Ä¤Î´ðËÜŪ¤ÊÊýË¡¤¬¤¢¤ë¡£
236 .\"O 1. place your users in a chroot jail
237 .\"O 2. mount their home filesystem with the noexec option
238 .\"O 3. use standard file permissions appropriately
245 ¥æ¡¼¥¶¡¼¤ò chroot jail ¤Ë²¡¤·¹þ¤á¤ë
248 ¥æ¡¼¥¶¡¼¤Î¥Û¡¼¥à¤Î¤¢¤ë¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤ò
249 noexec ¥ª¥×¥·¥ç¥óÉÕ¤¤Ç¥Þ¥¦¥ó¥È¤¹¤ë
252 °ìÈÌŪ¤Ê¥Õ¥¡¥¤¥ë¥Ñ¡¼¥ß¥Ã¥·¥ç¥ó¤òŬÀÚ¤ËÍѤ¤¤ë
257 .\"O gives the system administrator the ability to place the users in a chroot
258 .\"O jail. See details in the man page for
262 .\"O which is distributed with the source code. If you want to ensure users can
263 .\"O not run arbitrary programs, use a chroot jail, and be sure not to put any
264 .\"O programs other than what are absolutely necessary to provide the service you
265 .\"O are trying to provide. This prevents them from running standard system
268 ¤Ï¡¢¥æ¡¼¥¶¡¼¤ò chroot jail ¤ËÆþ¤ì¤ëǽÎϤò¥·¥¹¥Æ¥à´ÉÍý¼Ô¤ËÍ¿¤¨¤ë¡£
271 ¤Î man ¥Ú¡¼¥¸¤È¡¢¥½¡¼¥¹¥³¡¼¥É¤È¶¦¤ËÇÛÉÛ¤µ¤ì¤Æ¤¤¤ë
273 ¥Õ¥¡¥¤¥ë¤ò»²¾È¤Î¤³¤È¡£
274 ¥æ¡¼¥¶¡¼¤¬Ç¤°Õ¤Î¥³¥Þ¥ó¥É¤ò¼Â¹Ô¤Ç¤¤Ê¤¤¤³¤È¤ò³Î¤«¤Ê¤â¤Î¤Ë¤·¤¿¤¤¤Ê¤é¡¢
275 chroot jail ¤ò»ÈÍѤ·¡¢Ä󶡤·¤è¤¦¤È¤·¤Æ¤¤¤ë¥µ¡¼¥Ó¥¹¤ËɬÍ×¤Ê¥×¥í¥°¥é¥à°Ê³°¤ò
276 ¤½¤³¤ËÃÖ¤«¤Ê¤¤¤è¤¦¤Ëµ¤¤ò¤Ä¤±¤ë¤³¤È¡£
277 ¤½¤¦¤¹¤ì¤Ð¡¢É¸½àŪ¤Ê¥³¥Þ¥ó¥É¤Î¼Â¹Ô¤òËɤ°¤³¤È¤¬¤Ç¤¤ë¡£
279 .\"O Then, make sure the user's files are on a seperate filesystem from your
280 .\"O system's executables. Make sure you mount this filesystem using the
282 .\"O option, if your operating system provides one. This prevents the users from
283 .\"O being able to execute programs which they have uploaded to the target machine
284 .\"O (e.g. using scp) which might otherwise be executable.
285 ¤½¤·¤Æ¡¢¥·¥¹¥Æ¥à¤Î¼Â¹Ô¥Õ¥¡¥¤¥ë¤¬¤¢¤ë¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤È¡¢
286 ¥æ¡¼¥¶¡¼¤Î¥Õ¥¡¥¤¥ë¤òʬ¤±¤Æ¤ª¤¡¢
287 (¤â¤·¥ª¥Ú¥ì¡¼¥Æ¥£¥ó¥°¥·¥¹¥Æ¥à¤Ë¤½¤Îµ¡Ç½¤¬¤¢¤ì¤Ð)
288 ¥æ¡¼¥¶¡¼¤Î¥Õ¥¡¥¤¥ë¤Î¤¢¤ë
291 ¥ª¥×¥·¥ç¥óÉÕ¤¤Ç¥Þ¥¦¥ó¥È¤¹¤ë¡£
292 ¤³¤¦¤¹¤ì¤Ð¡¢ÌÜŪ¤Î¥Þ¥·¥ó¤Ë(Î㤨¤Ð scp ¤ò»È¤Ã¤Æ)¥¢¥Ã¥×¥í¡¼¥É¤µ¤ì¤¿
293 ¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤ë¤Î¤òËɤ°¤³¤È¤¬¤Ç¤¤ë¡£
294 .\"tsekine ¡Öwhich might otherwise be executable¡×¤ÏÌõ¤·¤Þ¤»¤ó¤Ç¤·¤¿
296 .\"O Lastly, use standard Unix/POSIX file permissions to ensure they
297 .\"O can not access files they should not be able to within the chroot jail.
298 ºÇ¸å¤Ë¡¢chroot jail ¤ÎÃæ¤Ç¥æ¡¼¥¶¡¼¤¬¥¢¥¯¥»¥¹¤Ç¤¤Æ¤Ï¤Ê¤é¤Ê¤¤¤â¤Î¤Ë
299 ¤Ä¤¤¤Æ¤Ï¡¢É¸½àŪ¤Ê Unix/POSIX ¥Õ¥¡¥¤¥ë¥Ñ¡¼¥ß¥Ã¥·¥ç¥ó¤ò»ÈÍѤ¹¤ë¤³¤È¡£
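.PP
The following shell script is an added example and is not part of rssh or its
documentation. It turns the three safeguards above into checks an administrator
can run: that the account's login shell is rssh, that the filesystem holding
the home directory is mounted noexec, that the home directory is not writable
by the user (the workaround given in the next section), and that a jail
directory contains no executables beyond an allow list. The passwd entry and
the mount table are read from stdin, so the functions run unchanged on
/etc/passwd and /proc/mounts; the passwd and mount lines at the bottom are
constructed for the demo, and the user name luser, uid 666 and the /home mount
are illustrative only. Whether the jail is actually applied is configured in
rssh.conf(5) and is not verified here.

```shell
#!/bin/sh
# Added example, not part of rssh: audit helpers for the three safeguards
# described above (a chroot jail holding only the needed programs, a noexec
# home filesystem, restrictive permissions on the home directory), plus a
# check that the account's login shell really is rssh. Nothing here needs
# root. The passwd entry and the mount table are read from stdin, so the
# functions work on /etc/passwd and /proc/mounts of a live host as well as
# on the constructed text used in the demo at the bottom.

# Print field $2 (3 = uid, 6 = home, 7 = shell) of user $1 from
# passwd-format text on stdin.
passwd_field() {
    awk -F: -v u="$1" -v f="$2" '$1 == u { print $f; exit }'
}

# Succeed if the mount table on stdin (/proc/mounts format: device
# mountpoint fstype options ...) has noexec on the longest mountpoint that
# contains directory $1.
mount_is_noexec() {
    awk -v dir="$1" '
        $2 == "/" || $2 == dir || index(dir, $2 "/") == 1 {
            if (length($2) >= length(best)) { best = $2; opts = $4 }
        }
        END {
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 0
            exit 1
        }'
}

# Succeed if directory $1 is not writable by uid $2. Group and other write
# bits must be clear (group membership is not resolved, so any group write
# bit counts as a failure) and, if the directory is owned by that uid, the
# owner write bit must be clear as well. ls -ldn is used because it is
# portable and reports the numeric owner.
dir_not_writable_by() {
    line=$(ls -ldn "$1") || return 1
    set -- "$2" $line            # $1 = uid under test, $2 = mode, $4 = owner uid
    case "$2" in d*) ;; *) return 1 ;; esac
    [ "$(printf '%s\n' "$2" | cut -c6)" = - ] || return 1   # group write bit
    [ "$(printf '%s\n' "$2" | cut -c9)" = - ] || return 1   # other write bit
    if [ "$4" = "$1" ]; then
        [ "$(printf '%s\n' "$2" | cut -c3)" = - ] || return 1   # owner write bit
    fi
    return 0
}

# Print executable regular files under jail $1 that are not in the allow
# list given as the remaining arguments (paths relative to the jail root,
# e.g. /usr/bin/scp). Anything printed is a program the jailed user could
# run that the service does not need.
jail_extra_executables() {
    jail=${1%/}; shift
    allowed=" $* "
    find "$jail" -type f -perm -100 | while read -r f; do
        rel=${f#"$jail"}
        case "$allowed" in
            *" $rel "*) ;;
            *) printf '%s\n' "$rel" ;;
        esac
    done
}

# Run the account-level checks for user $1 against passwd text $2 and mount
# table text $3; print each finding and succeed only if there are none.
audit_account() {
    user=$1; rc=0
    shell=$(printf '%s\n' "$2" | passwd_field "$user" 7)
    home=$(printf '%s\n' "$2" | passwd_field "$user" 6)
    uid=$(printf '%s\n' "$2" | passwd_field "$user" 3)
    [ -n "$home" ] || { printf '%s: no passwd entry\n' "$user"; return 1; }
    case "$shell" in
        */rssh) ;;
        *) printf '%s: login shell is %s, not rssh\n' "$user" "$shell"; rc=1 ;;
    esac
    printf '%s\n' "$3" | mount_is_noexec "$home" ||
        { printf '%s: %s is not on a noexec filesystem\n' "$user" "$home"; rc=1; }
    if [ -d "$home" ]; then
        dir_not_writable_by "$home" "$uid" ||
            { printf '%s: %s is writable by uid %s\n' "$user" "$home" "$uid"; rc=1; }
    fi
    return $rc
}

# Constructed sample input (not from any real host); substitute
# "$(cat /etc/passwd)" and "$(cat /proc/mounts)" to audit a live system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
luser:x:666:666::/home/luser:/usr/bin/rssh'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0'

audit_account luser "$SAMPLE_PASSWD" "$SAMPLE_MOUNTS" && echo "luser: ok"
audit_account root "$SAMPLE_PASSWD" "$SAMPLE_MOUNTS" || echo "root: not an rssh account"
```

The mount check understands the /proc/mounts layout (device, mountpoint, type,
options); on a system without it, feed the output of mount(8) reformatted into
those four columns. The permission check is deliberately conservative: any
group write bit is treated as a failure because group membership is not
resolved, and a home directory that passes it can only receive uploads through
a separate user-writable subdirectory, as the next section requires.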
300 .\"O .SS "OpenSSH Versions and Bypassing rssh"
301 .SS OpenSSH ¤Î¥Ð¡¼¥¸¥ç¥ó¤È rssh ¤Î̵»ë
302 .\"O Prior to OpenSSH 3.5, \fIsshd\fP(8) will generally attempt to parse files in
303 .\"O the user's home directory, and may also try to run a start-up script from the
307 OpenSSH 3.5 ¤è¤êÁ°¤Ç¤Ï¡¢°ìÈÌŪ¤Ë¤Ï
309 ¤Ï¥æ¡¼¥¶¤Î¥Û¡¼¥à¥Ç¥£¥ì¥¯¥È¥ê¤Ë¤¢¤ë¥Õ¥¡¥¤¥ë¤ò²òÀϤ·¤è¤¦¤È¤·¡¢
312 ¥Ç¥£¥ì¥¯¥È¥ê¤«¤é¥¹¥¿¡¼¥È¥¢¥Ã¥×¥¹¥¯¥ê¥×¥È¤ò¼Â¹Ô¤·¤è¤¦¤È¤¹¤ë¡£
314 .\"O does not make use of the user's environment in any way. The relevant command
315 .\"O is executed by calling \fIexecv\fP(3) with the full path to the command, as
316 .\"O specified at compile time. It does not depend upon the user's PATH variable,
317 .\"O or on any other environment variable.
319 ¤Ï·è¤·¤Æ¥æ¡¼¥¶¡¼¤Î´Ä¶(ÊÑ¿ô)¤ò»ÈÍѤ·¤è¤¦¤È¤Ï¤·¤Ê¤¤¡£
320 ´ØÏ¢¤¹¤ë¥³¥Þ¥ó¥É(ÌõÃí: sftp-server¤Ê¤É)¤Ï¡¢
321 ¥³¥ó¥Ñ¥¤¥ë»þ¤Ë»ØÄꤵ¤ì¤¿¥³¥Þ¥ó¥É¤Ø¤Î¥Õ¥ë¥Ñ¥¹¤ò»ØÄꤷ¤Æ
322 execv(3) ¤ò¸Æ¤Ó½Ð¤¹¤³¤È¤Ç¼Â¹Ô¤µ¤ì¤ë¡£
323 ¤³¤ì¤Ï¥æ¡¼¥¶¤Î PATH ÊÑ¿ô¤Ë¤Ï°Í¸¤·¤Ê¤¤¤·¡¢Â¾¤Î´Ä¶ÊÑ¿ô¤Ë¤â°Í¸¤·¤Ê¤¤¡£
325 .\"O There are, however, several problems that can arise. This is due entirely to
326 .\"O the way the OpenSSH Project's sshd works, and is in no way the fault of
327 .\"O \fBrssh\fP. For example, one problem which might exist is that, according to
328 .\"O the \fIsshd\fP(8) man page from at least some releases of OpenSSH, the
329 .\"O commands listed in the
330 .\"O .I $HOME/.ssh/rc
331 .\"O file are executed with
333 .\"O instead of the user's defined shell. This appears not to be the case on the
334 .\"O systems the author had available to test on; commands were executed using the
335 .\"O user's configured shell (\fBrssh\fP), which did not allow the execution.
336 ¤·¤«¤·¤Ê¤¬¤é¡¢µ¯¤³¤ê¤¦¤ë¤¤¤¯¤Ä¤«¤ÎÌäÂ꤬¸ºß¤¹¤ë¡£
337 ¤³¤ì¤Ï´°Á´¤Ë OpenSSH ¥×¥í¥¸¥§¥¯¥È¤Î sshd ¤ÎÆ°ºî¤Î»ÅÊý¤Ë¸¶°ø¤¬¤¢¤ê¡¢
340 ¤Î·ç´Ù¤Ç¤Ï¤Ê¤¤¡£¤¿¤È¤¨¤Ð¡¢Â¸ºß¤¹¤ë¤Ç¤¢¤í¤¦°ì¤Ä¤ÎÌäÂê¤È¤·¤Æ¤Ï¡¢
341 OpenSSH ¤Î¾¯¤Ê¤¯¤È¤â¤¤¤¯¤Ä¤«¤Î¥ê¥ê¡¼¥¹¤Î
343 ¤Î man ¥Ú¡¼¥¸¤Ë¤è¤ì¤Ð¡¢
345 ¥Õ¥¡¥¤¥ë¤Ë½ñ¤«¤ì¤Æ¤¤¤ë¥³¥Þ¥ó¥É¤Ï¥æ¡¼¥¶¤Î¥Ç¥Õ¥©¥ë¥È¥·¥§¥ë¤ÎÂå¤ï¤ê¤Ë
348 Ãø¼Ô¤¬¥Æ¥¹¥È¤Ë»È¤¨¤ë¥·¥¹¥Æ¥à¤Ç¤Ï¤³¤ÎÌäÂê¤ÏȯÀ¸¤·¤Ê¤¤¡£
349 ¤¹¤Ê¤ï¤Á¡¢¥³¥Þ¥ó¥É¤Ï¥æ¡¼¥¶¤ËÀßÄꤵ¤ì¤¿¥·¥§¥ë
351 ¤Ë¤è¤Ã¤Æ¼Â¹Ô¤µ¤ì¡¢¤½¤ì¤Ï¼Â¹Ô¤òµö²Ä¤·¤Ê¤¤¡£
352 .\"O However if it is true on your system, then a malicious user may be able to
355 .\"O by uploading a file to
356 .\"O .I $HOME/.ssh/rc
357 .\"O which will be executed by
359 .\"O on that system. If any releases (of OpenSSH) are, in fact, vulnerable to this
360 .\"O problem, then it is very likely that they are only old, outdated versions. So
361 .\"O long as you are running a recent version of OpenSSH, this should not be a
362 .\"O problem as far as I can tell.
363 ¤·¤«¤·¡¢¤â¤·¤³¤ì¤¬¤¢¤Ê¤¿¤Î¥·¥¹¥Æ¥à¤Ç͸ú¤Ë¤Ê¤Ã¤Æ¤·¤Þ¤Ã¤Æ¤¤¤ì¤Ð¡¢
368 ¥Õ¥¡¥¤¥ë¤ò¥¢¥Ã¥×¥í¡¼¥É¤·¤Æ¡¢
370 ¤ò̵»ë¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¤À¤í¤¦¡£
372 ¼ÂºÝ¤Î¤È¤³¤í¡¢¤â¤·¤³¤ÎÀȼåÀÌäÂ꤬¸ºß¤¹¤ë(OpenSSH ¤Î)¥ê¥ê¡¼¥¹¤¬
373 ¤¢¤ë¤È¤¹¤ì¤Ð¡¢¤½¤ì¤Ï¸Å¤¯¡¢µì¼°¤Î¥Ð¡¼¥¸¥ç¥ó¤Ç¤¢¤ë¡£
374 ºÇ¶á¤Î¥Ð¡¼¥¸¥ç¥ó¤ÎOpenSSH¤òÆ°¤«¤·¤Æ¤¤¤ë¸Â¤ê¤Ï¡¢
375 »ä¤¬¸À¤¨¤ëÈϰϤǤÏÌäÂê¤Ê¤¤¤Ï¤º¤À¡£
379 .\"O vulnerable to this attack, there is a workaround for this problem, though it
380 .\"O is pretty restrictive.
381 ¤â¤·»È¤Ã¤Æ¤¤¤ë sshd ¤¬¤³¤Î¹¶·â¤ËÂФ·¤ÆÀȼå¤Ç
383 ¤Ê¤é¤Ð¡¢¤«¤Ê¤êÀ©¸Â¤¬¤«¤«¤ë¤â¤Î¤Î¡¢¤³¤ÎÌäÂê¤ËÂФ¹¤ë²óÈòÊýË¡¤¬¤¢¤ë¡£
384 .\"O .B "The user's home directory absolutely must *not* be writable by the user."
385 .B "¥æ¡¼¥¶¤Î¥Û¡¼¥à¥Ç¥£¥ì¥¯¥È¥ê¤ÏÀäÂФˤ½¤Î¥æ¡¼¥¶¤¬½ñ¤¹þ¤á¤Æ¤Ï*¤¤¤±¤Ê¤¤*¡£"
386 .\"O If it is, the user can use sftp to remove the directory or rename it, and then
387 .\"O create a new one, and fill it up with whatever environment files they like. For
388 .\"O providing file uploads, this means a user-writable directory must be created for
389 .\"O them, and they must be made aware of their inability to write into their home
390 .\"O directory other than in this location.
391 ¤â¤·½ñ¤¹þ¤á¤Æ¤·¤Þ¤¨¤Ð¡¢¥æ¡¼¥¶¤Ï sftp ¤ò»È¤Ã¤Æ(.ssh)¥Ç¥£¥ì¥¯¥È¥ê¤Î
392 ̾Á°¤òÊѤ¨¤ë¤«¾Ã¤¹¤«¤·¤Æ¡¢¤¢¤¿¤é¤·¤¤Æ±Ì¾¤Î¥Ç¥£¥ì¥¯¥È¥ê¤òºî¤ê¡¢¹¥¤¤Ê
393 ´Ä¶¥Õ¥¡¥¤¥ë(ÌõÃí: ¾åµ $HOME/.ssh/rc ¥Õ¥¡¥¤¥ë¤Î¤³¤È)¤ò¤½¤³¤Ë½ñ¤¹þ¤á¤ë¡£
394 ¥Õ¥¡¥¤¥ë¤Î¥¢¥Ã¥×¥í¡¼¥É¤ò³«Êü¤¹¤ë¤¿¤á¤Ë¤Ï¡¢¥æ¡¼¥¶¤¬½ñ¤¹þ¤á¤ë¥Ç¥£¥ì¥¯¥È¥ê¤¬
395 ºîÀ®¤µ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤º¡¢¥Û¡¼¥à¥Ç¥£¥ì¥¯¥È¥ê¤Î¤½¤ì°Ê³°¤Î¾ì½ê¤Ë¤Ï
396 ½ñ¤¹þ¤á¤Ê¤¤¤³¤È¤ò¥æ¡¼¥¶¤Ë¾µÃΤµ¤»¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
398 .\"O A second problem is that after authenticating the user, sshd also reads
399 .\"O .I $HOME/.ssh/environment
400 .\"O to allow the user to set variables in their environment. This allows the user
401 .\"O to completely circumvent
403 .\"O by clever manipulation of such environment variables as
404 .\"O .IR LD_LIBRARY_PATH " or " LD_PRELOAD
405 .\"O to link the rssh binary against arbitrary shared libraries. In order to
406 .\"O prevent this from being a problem, as of version 0.9.3, by default
408 .\"O is now compiled statically. The restrictive work-around mentioned above will
409 .\"O also defeat this sort of attack.
410 Æó¤ÄÌܤÎÌäÂê¤Ï¡¢¥æ¡¼¥¶¤¬´Ä¶¤ËÊÑ¿ô¤òÀßÄê¤Ç¤¤ë¤³¤È¤ò²Äǽ¤Ë¤¹¤ë
411 .I $HOME/.ssh/environment
412 ¥Õ¥¡¥¤¥ë¤ò¡¢sshd ¤¬¥æ¡¼¥¶¤Îǧ¾Ú¸å¤ËÆɤ߹þ¤à¤³¤È¤Ç¤¢¤ë¡£
417 ¤ò¾å¼ê¤ËÁàºî¤·¤Æ¡¢Ç¤°Õ¤Î¶¦Í¥é¥¤¥Ö¥é¥ê¤ò rssh ¥Ð¥¤¥Ê¥ê¤Ë¥ê¥ó¥¯
420 ¤ò´°Á´¤Ëµ½¤¯¤³¤È¤òµö¤·¤Æ¤·¤Þ¤¦¡£
421 ¤³¤ÎÌäÂê¤òËɤ°¤¿¤á¤Ë¡¢
423 ¤Ï(¥Ð¡¼¥¸¥ç¥ó 0.9.3 ¤Î»þÅÀ¤Ç¤Ï)¥Ç¥Õ¥©¥ë¥È¤Ç¤ÏÀÅŪ¤Ë¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤ë¡£
424 Á°½Ò¤ÎÀ©¸ÂÉÕ¤¤Î²óÈòÊýË¡¤Ï¡¢¤³¤Î¼ï¤Î¹¶·â¤âËɤ°¤³¤È¤¬¤Ç¤¤ë¡£
426 .\"O As of OpenSSH 3.5,
428 .\"O now supports the option
429 .\"O .I PermitUserEnvironment
430 .\"O which is set to "no" by default. This option allows restricted shells like
432 .\"O to function properly without requiring them to be linked statically. As of
434 .\"O version 1.0.1, the configure script should detect that OpenSSH 3.5 is present,
435 .\"O and disable the default of static compilation.
436 OpenSSH 3.5 ¤Î»þÅÀ¤Ç¤Ï¡¢
439 .I PermitUserEnvironment
440 ¥ª¥×¥·¥ç¥ó¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤ª¤ê¡¢¤³¤ì¤Ï¥Ç¥Õ¥©¥ë¥È¤Ç "no" ¤ËÀßÄꤵ¤ì¤Æ¤¤¤ë¡£
443 ¤Î¤è¤¦¤ÊÀ©¸Â¤Ä¤¥·¥§¥ë¤¬ÀÅŪ¥ê¥ó¥¯¤ÎɬÍפʤ·¤ËŬÀڤ˵¡Ç½¤¹¤ë¤³¤È¤ò
446 ¥Ð¡¼¥¸¥ç¥ó 1.0.1 ¤Î»þÅÀ¤Ç¡¢configure ¥¹¥¯¥ê¥×¥È¤Ï OpenSSH 3.5 ¤¬
447 ¸ºß¤¹¤ë¤«¤ò¸¡½Ð¤·¡¢ÀÅŪ¥³¥ó¥Ñ¥¤¥ë¤ò̵¸ú¤Ë¤¹¤ë¡£
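.PP
The following shell functions are an added example, not code from rssh or
OpenSSH. They check the two sshd-side conditions this section describes: that
PermitUserEnvironment is off in sshd_config, so that $HOME/.ssh/environment
cannot hand LD_PRELOAD or LD_LIBRARY_PATH to a dynamically linked rssh, and
that a jailed user's home holds no $HOME/.ssh/rc or $HOME/.ssh/environment at
all. The parser follows the sshd_config(5) rules that the first occurrence of a
keyword wins and that keywords are case-insensitive; it only reads the global
section and stops at the first Match block. The two configuration fragments at
the bottom are constructed for the demo and are not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of rssh or OpenSSH: check the sshd-side conditions
# discussed above. PermitUserEnvironment must be off, otherwise
# $HOME/.ssh/environment can set LD_PRELOAD or LD_LIBRARY_PATH for a
# dynamically linked rssh, and a jailed user's home should contain no
# $HOME/.ssh/rc or $HOME/.ssh/environment at all. sshd_config is read from
# stdin so the parser works on /etc/ssh/sshd_config or on constructed text.

# Print the effective PermitUserEnvironment value from sshd_config on stdin.
# As sshd_config(5) documents, the FIRST occurrence of a keyword wins,
# keywords are case-insensitive and '#' starts a comment. Only the global
# section is examined: parsing stops at the first Match block, because the
# settings there apply conditionally and need "sshd -T -C user=..." to be
# resolved. An absent keyword means the OpenSSH 3.5+ default, "no".
permit_user_environment() {
    awk '
        { sub(/#.*/, ""); if (NF == 0) next; k = tolower($1) }
        k == "match" { exit }
        k == "permituserenvironment" { v = tolower($2); found = 1; exit }
        END { print (found ? v : "no") }'
}

# Succeed if sshd_config on stdin leaves PermitUserEnvironment off.
user_environment_disabled() {
    [ "$(permit_user_environment)" = no ]
}

# Print whichever of the per-user sshd start-up files exist under home $1.
# For an rssh account any output is a finding: the user may have planted a
# start-up script or environment file (or the administrator left one behind).
user_sshd_hooks() {
    for f in .ssh/rc .ssh/environment; do
        [ -e "$1/$f" ] && printf '%s\n' "$1/$f"
    done
    return 0
}

# Constructed sshd_config fragments (not taken from any real host).
WEAK_SSHD_CONFIG='# weak: lets users inject LD_PRELOAD via ~/.ssh/environment
PermitUserEnvironment yes
Subsystem sftp /usr/libexec/sftp-server'

HARDENED_SSHD_CONFIG='PermitUserEnvironment no   # explicit; same as the default
Subsystem sftp /usr/libexec/sftp-server
PermitUserEnvironment yes   # ignored by sshd: the first occurrence above wins'

printf 'weak config:     PermitUserEnvironment %s\n' \
    "$(printf '%s\n' "$WEAK_SSHD_CONFIG" | permit_user_environment)"
printf 'hardened config: PermitUserEnvironment %s\n' \
    "$(printf '%s\n' "$HARDENED_SSHD_CONFIG" | permit_user_environment)"
```

For the authoritative per-user answer, which also resolves Match blocks, run
sshd \-T \-C user=luser on the host and read the permituserenvironment line it
prints; the parser here is for auditing copies of the file offline. The check
matters most when rssh is dynamically linked, which is the configure default
once OpenSSH 3.5 is detected, as described above.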
454 .\"O \fIrssh.conf\fP(5), \fIsshd\fP(8), \fIssh\fP(1), \fIscp\fP(1), \fIsftp\fP(1).