Import translated manuals from JM CVS Repository.

[linuxjm/jm.git] / manual / rssh / draft / man1 / rssh.1

.\" Copyright 2003 Derek D. Martin ( code at pizzashack dot org ).
.\" 
.\" The software can be redistributed under the terms of the modified Berkely
.\" software license, as follows:
.\" 
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
.\" EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
.\" BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
.\" IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Japanese Version Copyright (C) 2003
.\"     System Design and Research Institute Co., Ltd. All rights reserved.
.\"
.\" Translated on Sun Mar  2 23:08:54 JST 2003
.\" by System Design and Research Institute Co., Ltd. <info@sdri.co.jp>
.\" Updated on Fri Feb 25 23:25:07 EST 2005
.\" by Tatsuo Sekine <tsekine@sdri.co.jp>
.\"
.\"WORD: parser ²òÀÏ´ï
.\"
.TH RSSH 1 "7 Jul 2003" "man pages" "Derek D. Martin"
.\"O .SH NAME
.SH ̾Á°
.\"O rssh \- restricted secure shell allowing only scp and/or sftp 
rssh \- scp ¤È sftp ¤ÎξÊý¤À¤±¡¢¤Þ¤¿¤Ï¤½¤Î°ìÊý¤Î¤ß¤òµö²Ä¤¹¤ë
À©¸ÂÉÕ¥»¥­¥å¥¢¥·¥§¥ë
.\"O .SH SYNOPSIS
.SH ½ñ¼°
.B rssh 
.I -c scp|sftp-server 
.RI [ " options... " ] " " [ " ... " ]
.\"O .br
.\"O .SH DESCRIPTION
.SH ÀâÌÀ
.\"O .B rssh
.\"O is a restricted shell for providing limited access to a host via \fIssh\fP(1), 
.\"O allowing a user whose shell is configured to
.\"O .B rssh
.\"O to use one or more of the command(s) \fIscp\fP(1) or \fIsftp\fP(1)
.\"O \fIcvs\fP(1), \fIrdist\fP(1), and \fIrsync\fP(1), and 
.\"O .B only
.\"O those commands.  It is intended primarily to work with OpenSSH (see
.\"O http://www.openssh.com), but may work with other implementations.
.\"O .P
.B rssh
¤Ï¥Û¥¹¥È¤Ø¤Î
.IR ssh (1)
¤ò»È¤Ã¤¿¥¢¥¯¥»¥¹¤ÎÀ©¸Â¤òÄ󶡤¹¤ëÀ©¸ÂÉÕ¤­¥·¥§¥ë¤Ç¡¢¥·¥§¥ë¤¬
.B rssh
¤ËÀßÄꤵ¤ì¤¿¥æ¡¼¥¶¤Ë¤Ï¡¢
.IR scp (1) ,
.IR sftp (1) ,
.IR cvs (1) ,
.IR rdist (1) ,
.IR rsync (1)
¤Î¤¦¤Á¤Î°ì¤Ä°Ê¾å¤Î¥³¥Þ¥ó¥É
.B ¤Î¤ß
»ÈÍѤòµö²Ä¤¹¤ë¡£
¼ç¤Ë¡¢OpenSSH (http://www.openssh.com ¤ò»²¾È)
¤È¶¦¤ËÆ°ºî¤¹¤ë¤è¤¦¤Ë°Õ¿Þ¤µ¤ì¤Æ¤Ï¤¤¤ë¤¬¡¢
¾¤Î¼ÂÁõ¤È¤â¶¦¤ËÆ°ºî¤¹¤ë¤À¤í¤¦¡£
.P
.\"O The system administrator should install the shell on the restricted system.
.\"O Then the password file entry of any user for whom it is desireable to provide
.\"O restricted access should be edited, such that their shell is \fBrssh\fP. For
.\"O example:
µ¡Ì©¤ò¤â¤Ä¥·¥¹¥Æ¥à¤Î´ÉÍý¼Ô¤Ï¡¢¤³¤Î¥·¥§¥ë¤ò¥¤¥ó¥¹¥È¡¼¥ë¤¹¤Ù¤­¤Ç¤¢¤ë¡£
¥¢¥¯¥»¥¹¤¬À©¸Â¤µ¤ì¤ë¤Ù¤­¤¹¤Ù¤Æ¤Î¥æ¡¼¥¶¤ËÂФ·¡¢
¤½¤Î¥Ñ¥¹¥ï¡¼¥É¥¨¥ó¥È¥ê¤òÊÔ½¸¤·¡¢¥·¥§¥ë¤¬
.B rssh
¤Ë¤Ê¤ë¤è¤¦¤Ë¤¹¤ë¡£
Î㤨¤Ð°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
.P
.RS
luser:x:666:666::/home/luser:/usr/bin/rssh
.RE
.P
.\"O If invoked with the 
.\"O .I -v 
.\"O option,
.\"O .B rssh
.\"O will report its version, and exit.  All other arguments to 
.\"O .B rssh
.\"O are those specified by the remote \fIssh\fP(1) client, and aren't of much
.\"O concern to the average user.  The arguments provided must be what a shell on
.\"O the remote end would receive in order to pass control to \fIscp\fP(1) or
.\"O \fIsftp\fP(1).  If 
.\"O .B rssh
.\"O receives arguments which do not conform, it will emit an error message and exit.
¤â¤·
.I \-v
¥ª¥×¥·¥ç¥óÉÕ¤­¤Çµ¯Æ°¤µ¤ì¤¿¤é¡¢
.B rssh
¤Ï¥Ð¡¼¥¸¥ç¥óÈÖ¹æ¤òɽ¼¨¤·¤Æ½ªÎ»¤¹¤ë¡£
.B rssh
¤Ø¤Î¤½¤Î¾¤Î°ú¿ô¤Ï¥ê¥â¡¼¥È¤Î
.IR ssh (1)
¥¯¥é¥¤¥¢¥ó¥È¤Ë¤è¤Ã¤Æ»ØÄꤵ¤ì¤¿¤â¤Î¤¬ÅϤµ¤ì¤ë¡£
°ìÈ̤Υ桼¥¶¤Ï¤³¤Î¤³¤È¤ò¤Û¤È¤ó¤É°Õ¼±¤¹¤ëɬÍפϤʤ¤¡£
À©¸æ¤ò
.IR scp (1)
¤Þ¤¿¤Ï
.IR sftp (1)
¤ËÅϤ¹¤¿¤á¤Ë¡¢
rssh ¤ËÅϤµ¤ì¤ë°ú¿ô¤Ï¡¢¥ê¥â¡¼¥È¦¤Î¥·¥§¥ë¤¬¼õ¤±¼è¤Ã¤¿¤â¤Î¤ò(¤½¤Î¤Þ¤Þ)
»È¤ï¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
¤â¤·
.B rssh
¤¬Å¬¹ç¤·¤Ê¤¤°ú¿ô¤ò¼õ¤±¼è¤Ã¤¿¾ì¹ç¤Ë¤Ï¡¢¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ò½Ð¤·¤Æ½ªÎ»¤¹¤ë¡£
.\"O If the program the user is trying to run is not allowed, or contains syntax
.\"O which will try to execute a shell command (such as a command substitution), it
.\"O will also emit an error and exit.
¥æ¡¼¥¶¤¬¼Â¹Ô¤·¤è¤¦¤È¤·¤¿¥×¥í¥°¥é¥à¤¬µö²Ä¤µ¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¤Ï
¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ò½ÐÎϤ·¤Æ½ªÎ»¤¹¤ë¡£
¤Þ¤¿¡¢(¥³¥Þ¥ó¥ÉÃÖ´¹¤Î¤è¤¦¤Ê)¥·¥§¥ë¥³¥Þ¥ó¥É¤ò¼Â¹Ô¤·¤è¤¦¤È¤·¤¿¾ì¹ç¤â
¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ò½ÐÎϤ·¤Æ½ªÎ»¤¹¤ë¡£
.P
.\"O .B rssh
.\"O has a configuration file, rssh.conf(5), which allows some of the behavior of
.\"O .B rssh
.\"O to be customized.  See that man page for details.
.B rssh
¤Ë¤ÏÀßÄê¥Õ¥¡¥¤¥ë rssh.conf(5) ¤¬¤¢¤ê¡¢
.B rssh
¤ÎÆ°¤­¤Î¤¤¤¯¤Ä¤«¤òÀßÄê²Äǽ¤Ç¤¢¤ë¡£
¾ÜºÙ¤Ï man ¥Ú¡¼¥¸¤ò»²¾È¤Î¤³¤È¡£
.\"O 
.\"O .SH SECURITY NOTES
.SH ¥»¥­¥å¥ê¥Æ¥£¾å¤ÎÃí°Õ
.\"O 
.\"O .SS Command Line Parser
.SS ¥³¥Þ¥ó¥É¥é¥¤¥ó²òÀÏ´ï
.\"O 
.\"O As of 
.\"O .B rssh
.\"O version 2.2.3, the program must parse out the complete command line to avoid
.\"O command line options which cause the execution of arbitrary programs (and
.\"O hence bypass the security of \fBrssh\fP).  In order to keep the program source
.\"O code sane, the parser is a little over-zealous about matching command line
.\"O options.  In practice, this probably will not be an issue, but in theory it is
.\"O possible.  
.B rssh
¥Ð¡¼¥¸¥ç¥ó 2.2.3 ¤Î»þÅÀ¤Ç¤Ï¡¢Ç¤°Õ¤Î¥³¥Þ¥ó¥É¤Î¼Â¹Ô¤ò°ú¤­µ¯¤³¤¹
(¤½¤Î·ë²Ì¡¢\fBrssh\fP ¤Î¥»¥­¥å¥ê¥Æ¥£¤ò¤«¤¤¤¯¤°¤ë)
¤è¤¦¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤òÈò¤±¤ë¤¿¤á¤Ë¡¢¥³¥Þ¥ó¥É¥é¥¤¥óÁ´ÂΤò
²òÀϤ·¤Ê¤¯¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
¥½¡¼¥¹¥³¡¼¥É¤ò·òÁ´¤Ë¤·¤Æ¤ª¤¯¤¿¤á¡¢¤ä¤äÇ®¿´¤¹¤®¤ë¤°¤é¤¤¤Ë¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤ò¥Þ¥Ã¥Á¥ó¥°¤¹¤ë¡£
¼ÂºÝ¤Ë¤Ï¤³¤ì¤ÏÌäÂê¤Ë¤Ï¤Ê¤é¤Ê¤¤¤¬¡¢ÍýÏÀ¾å¤Ï²Äǽ¤À¤«¤é¤Ç¤¢¤ë¡£
.P 
.\"O If you run into a problem where
.\"O .B rssh
.\"O refuses to run, claiming to be rejecting insecure command line options which
.\"O were not specified, try changing your command line such that all \fIshort\fP
.\"O options are specified as single-letter option flags (e.g. -e -p instead of
.\"O -ep) and make sure you separate arguments from their respective options by a
.\"O space (e.g. -p 123 instead of -p123).  In virtually all cases, this should
.\"O solve the problem.  Admittedly, an exhaustive search was not performed, but no
.\"O problematical cases were found which were likely to be common.
ËÜÅö¤Ï¤½¤¦¤Ç¤Ï¤Ê¤¤¤Ë¤â¤«¤«¤ï¤é¤º¡¢
¡Ö°ÂÁ´¤Ç¤Ê¤¤¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤òµñÈݤ·¤¿¡×¤È¤¤¤¦Íýͳ¤Ç
.B rssh
¤Î¼Â¹Ô¤òµñÈݤµ¤ì¤ë¤È¤¤¤¦ÌäÂê¤ËÆͤ­Åö¤¿¤Ã¤¿¤é¡¢¥³¥Þ¥ó¥É¥é¥¤¥ó¤ò¼¡¤Î¤è¤¦¤Ë
ÊѤ¨¤Æ¤ß¤ÆÍߤ·¤¤¡£
¤¹¤Ù¤Æ¤Î\fIû¤¤\fR¥ª¥×¥·¥ç¥ó¤ò1ʸ»ú¤Î¥ª¥×¥·¥ç¥ó¥Õ¥é¥°¤Ç»ØÄꤹ¤ë
(Î㤨¤Ð¡¢\-ep ¤ÎÂå¤ï¤ê¤Ë \-e \-p)¡¢
°ú¿ô¤È¤½¤ì¤¾¤ì¤Î¥ª¥×¥·¥ç¥ó¤ò¥¹¥Ú¡¼¥¹¤Ç¶èÀÚ¤ë
(Î㤨¤Ð¡¢\-p123 ¤ÎÂå¤ï¤ê¤Ë \-p 123)¡£
¤Û¤È¤ó¤ÉÁ´¤Æ¤Î¾ì¹ç¤Ç¡¢¤³¤ì¤ÇÌäÂê¤Ï²ò·è¤¹¤ë¡£
¤ªÊ¬¤«¤ê¤Î¤È¤ª¤ê´°Á´¤Ê¸¡º÷¤Ï¤·¤Æ¤¤¤Ê¤¤¤¬¡¢
°ìÈÌŪ¤ËÍ­¤êÆÀ¤ë¤è¤¦¤ÊÌäÂê¤Ï¸«¤Ä¤«¤Ã¤Æ¤¤¤Ê¤¤¡£
.P
.\"O The alternative would have been to include a complete command-line parser for
.\"O rcp, rdist, and rsync; this was way out of the scope of this project.  In
.\"O practice, the existing parser should suffice.  If, however, you find cases
.\"O where it does not, please post details to the rssh mailing list.  Details
.\"O about how to post to the mailing list can be found at the rssh homepage.
Ê̤βò·èºö¤Ï¡¢rcp, rdist, rsync ¤ËÂФ¹¤ë´°Á´¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó²òÀÏ´ï¤ò
¼ÂÁõ¤·¤Æ¤ª¤¯¤³¤È¤¬¤À¤¬¡¢¤½¤ì¤Ï¤³¤Î¥×¥í¥¸¥§¥¯¥È¤ÎÌÜŪ¤Ç¤Ê¤¤¡£
¼ÂÍѾå¤Ï¡¢´û¤Ë¤¢¤ë²òÀÏ´ï¤Ç½½Ê¬¤Ç¤¢¤ë¡×
¤·¤«¤·¡¢¤â¤·¤½¤¦¤Ç¤Ê¤¤¾ì¹ç¤ò¸«¤Ä¤±¤¿¤Î¤Ê¤é¡¢¾ÜºÙ¤ò
rssh ¥á¡¼¥ê¥ó¥°¥ê¥¹¥È¤ËÅê¹Æ¤·¤ÆÍߤ·¤¤¡£
rssh ¥á¡¼¥ê¥ó¥°¥ê¥¹¥È¤Ø¤ÎÅê¹Æ¤Ë´Ø¤¹¤ë¾ÜºÙ¤Ï
rssh ¥Û¡¼¥à¥Ú¡¼¥¸¤«¤éÆÀ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
.\"O .SS Safeguards Against Bypassing rssh
.SS rssh ¤ò¤«¤¤¤¯¤°¤ë¤³¤È¤ËÂФ¹¤ë°ÂÁ´ºö
.\"O 
.\"O .B rssh
.\"O is designed to interact with several other programs.  Even if rssh is
.\"O completely bug-free, changes in those other programs could possibly result in methods
.\"O to circumvent the protection that
.\"O .B rssh
.\"O is intended to provide.  \fBIt is important for you, the system administrator,
.\"O to stay current on the services you make available with rssh, to be sure that
.\"O these commands do\fP \fInot\fP \fBprovide mechanisms to allow the user to run
.\"O arbitrary commands.\fP Also, while the goal of every release is to be bug
.\"O free, no one is perfect...  There may be undiscovered bugs in 
.\"O .B rssh 
.\"O which might allow a user to circumvent it.
.B rssh
¤Ï¾¤Î¤¤¤¯¤Ä¤«¤Î¥×¥í¥°¥é¥à¤ÈÁê¸ß¤ËºîÍѤ¹¤ë¤è¤¦¤ËÀ߷פµ¤ì¤Æ¤¤¤ë¡£
¤¿¤È¤¨ rssh ¤Ë´°Á´¤Ë¥Ð¥°¤¬¤Ê¤¯¤Æ¤â¡¢Â¾¤Î¥×¥í¥°¥é¥à¤ÎÊѹ¹¤¬
.B rssh
¤¬Ä󶡤·¤Æ¤¤¤ëÊݸǽ¤ò̵»ë¤¹¤ë·ë²Ì¤È¤Ê¤êÆÀ¤ë¡£
\fB¥·¥¹¥Æ¥à´ÉÍý¼Ô¡¢¤¹¤Ê¤ï¤Á¤¢¤Ê¤¿¤Ë¤È¤Ã¤Æ½ÅÍפʤ³¤È¤Ï¡¢
rssh ¤È¶¦¤Ë»È¤¦¤è¤¦¤Ë¤·¤¿¥µ¡¼¥Ó¥¹¤ò¸½ºß¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤­¡¢
¤½¤ì¤é¤Î¥³¥Þ¥ó¥É¤¬¥æ¡¼¥¶¡¼¤ËǤ°Õ¤Î¥³¥Þ¥ó¥É¤Î¼Â¹Ô¤òµö²Ä¤¹¤ë¤è¤¦¤Ê
»ÅÁȤߤòÄ󶡤·¤Æ\fI¤¤¤Ê¤¤\fB¤³¤È¤ò³Î¤«¤Ë¤·¤Æ¤ª¤¯¤³¤È¤Ç¤Ç¤¢¤ë¡£\fP
¤Þ¤¿¡¢¤¹¤Ù¤Æ¤Î¥ê¥ê¡¼¥¹¤ÎÌÜɸ¤Ï¥Ð¥°¤¬¤Ê¤¤¤³¤È¤Ç¤¢¤ë°ìÊý¡¢
´°àú¤Ê¤â¤Î¤Ê¤É̵¤¤¡Ä¡Ä
.B rssh
¤Ë¤Ïȯ¸«¤µ¤ì¤Æ¤¤¤Ê¤¤¥Ð¥°¤¬¤¢¤ë¤«¤â¤·¤ì¤º¡¢¤½¤ì¤Ï¥æ¡¼¥¶¡¼¤¬
rssh ¤ò̵»ë¤¹¤ë¤³¤È¤òµö¤·¤Æ¤·¤Þ¤¦¤«¤â¤·¤ì¤Ê¤¤¡£
.P
.\"O You can protect your system from those who would take advantage of such
.\"O weaknesses.  There are three basic steps:
¤½¤Î¤è¤¦¤ÊÀȼåÀ­¤«¤é¡¢¥·¥¹¥Æ¥à¤ò¼é¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
3¤Ä¤Î´ðËÜŪ¤ÊÊýË¡¤¬¤¢¤ë¡£
.\"O 
.\"O .nf
.\"O    1. place your users in a chroot jail
.\"O    2. mount their home filesystem with the noexec option
.\"O    3. use standard file permissions appropriately
.\"O .fi

.PD 0
.RS .3i
.TP .3i
1.
¥æ¡¼¥¶¡¼¤ò chroot jail ¤Ë²¡¤·¹þ¤á¤ë
.TP .3i
2.
¥æ¡¼¥¶¡¼¤Î¥Û¡¼¥à¤Î¤¢¤ë¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤ò
noexec ¥ª¥×¥·¥ç¥óÉÕ¤­¤Ç¥Þ¥¦¥ó¥È¤¹¤ë
.TP .3i
3.
°ìÈÌŪ¤Ê¥Õ¥¡¥¤¥ë¥Ñ¡¼¥ß¥Ã¥·¥ç¥ó¤òŬÀÚ¤ËÍѤ¤¤ë
.RE
.PD

.\"O .B rssh
.\"O gives the system administrator the ability to place the users in a chroot
.\"O jail.  See details in the man page for
.\"O .B rssh.conf
.\"O and in the file
.\"O .I CHROOT
.\"O which is distributed with the source code.  If you want to ensure users can
.\"O not run arbitrary programs, use a chroot jail, and be sure not to put any
.\"O programs other than what are absolutely necessary to provide the service you
.\"O are trying to provide.  This prevents them from running standard system
.\"O commands.
.B rssh
¤Ï¡¢¥æ¡¼¥¶¡¼¤ò chroot jail ¤ËÆþ¤ì¤ëǽÎϤò¥·¥¹¥Æ¥à´ÉÍý¼Ô¤ËÍ¿¤¨¤ë¡£
¾ÜºÙ¤Ï
.BR rssh.conf (5)
¤Î man ¥Ú¡¼¥¸¤È¡¢¥½¡¼¥¹¥³¡¼¥É¤È¶¦¤ËÇÛÉÛ¤µ¤ì¤Æ¤¤¤ë
.I CHROOT
¥Õ¥¡¥¤¥ë¤ò»²¾È¤Î¤³¤È¡£
¥æ¡¼¥¶¡¼¤¬Ç¤°Õ¤Î¥³¥Þ¥ó¥É¤ò¼Â¹Ô¤Ç¤­¤Ê¤¤¤³¤È¤ò³Î¤«¤Ê¤â¤Î¤Ë¤·¤¿¤¤¤Ê¤é¡¢
chroot jail ¤ò»ÈÍѤ·¡¢Ä󶡤·¤è¤¦¤È¤·¤Æ¤¤¤ë¥µ¡¼¥Ó¥¹¤ËɬÍ×¤Ê¥×¥í¥°¥é¥à°Ê³°¤ò
¤½¤³¤ËÃÖ¤«¤Ê¤¤¤è¤¦¤Ëµ¤¤ò¤Ä¤±¤ë¤³¤È¡£
¤½¤¦¤¹¤ì¤Ð¡¢É¸½àŪ¤Ê¥³¥Þ¥ó¥É¤Î¼Â¹Ô¤òËɤ°¤³¤È¤¬¤Ç¤­¤ë¡£
.P
.\"O Then, make sure the user's files are on a seperate filesystem from your
.\"O system's executables.  Make sure you mount this filesystem using the
.\"O .I noexec
.\"O option, if your operating system provides one.  This prevents the users from
.\"O being able to execute programs which they have uploaded to the target machine
.\"O (e.g. using scp) which might otherwise be executable.
¤½¤·¤Æ¡¢¥·¥¹¥Æ¥à¤Î¼Â¹Ô¥Õ¥¡¥¤¥ë¤¬¤¢¤ë¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤È¡¢
¥æ¡¼¥¶¡¼¤Î¥Õ¥¡¥¤¥ë¤òʬ¤±¤Æ¤ª¤­¡¢
(¤â¤·¥ª¥Ú¥ì¡¼¥Æ¥£¥ó¥°¥·¥¹¥Æ¥à¤Ë¤½¤Îµ¡Ç½¤¬¤¢¤ì¤Ð)
¥æ¡¼¥¶¡¼¤Î¥Õ¥¡¥¤¥ë¤Î¤¢¤ë
¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤ò
.I noexec
¥ª¥×¥·¥ç¥óÉÕ¤­¤Ç¥Þ¥¦¥ó¥È¤¹¤ë¡£
¤³¤¦¤¹¤ì¤Ð¡¢ÌÜŪ¤Î¥Þ¥·¥ó¤Ë(Î㤨¤Ð scp ¤ò»È¤Ã¤Æ)¥¢¥Ã¥×¥í¡¼¥É¤µ¤ì¤¿
¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤ë¤Î¤òËɤ°¤³¤È¤¬¤Ç¤­¤ë¡£
.\"tsekine ¡Öwhich might otherwise be executable¡×¤ÏÌõ¤·¤Þ¤»¤ó¤Ç¤·¤¿
.P
.\"O Lastly, use standard Unix/POSIX file permissions to ensure they
.\"O can not access files they should not be able to within the chroot jail.
ºÇ¸å¤Ë¡¢chroot jail ¤ÎÃæ¤Ç¥æ¡¼¥¶¡¼¤¬¥¢¥¯¥»¥¹¤Ç¤­¤Æ¤Ï¤Ê¤é¤Ê¤¤¤â¤Î¤Ë
¤Ä¤¤¤Æ¤Ï¡¢É¸½àŪ¤Ê Unix/POSIX ¥Õ¥¡¥¤¥ë¥Ñ¡¼¥ß¥Ã¥·¥ç¥ó¤ò»ÈÍѤ¹¤ë¤³¤È¡£
.\"O .SS "OpenSSH Versions and Bypassing rssh"
.SS OpenSSH ¤Î¥Ð¡¼¥¸¥ç¥ó¤È rssh ¤Î̵»ë
.\"O Prior to OpenSSH 3.5, \fIsshd\fP(8) will generally attempt to parse files in
.\"O the user's home directory, and may also try to run a start-up script from the
.\"O user's
.\"O .I $HOME/.ssh
.\"O directory.  
OpenSSH 3.5 ¤è¤êÁ°¤Ç¤Ï¡¢°ìÈÌŪ¤Ë¤Ï
.IR sshd (8)
¤Ï¥æ¡¼¥¶¤Î¥Û¡¼¥à¥Ç¥£¥ì¥¯¥È¥ê¤Ë¤¢¤ë¥Õ¥¡¥¤¥ë¤ò²òÀϤ·¤è¤¦¤È¤·¡¢
¤Þ¤¿¥æ¡¼¥¶¤Î
.I $HOME/.ssh
¥Ç¥£¥ì¥¯¥È¥ê¤«¤é¥¹¥¿¡¼¥È¥¢¥Ã¥×¥¹¥¯¥ê¥×¥È¤ò¼Â¹Ô¤·¤è¤¦¤È¤¹¤ë¡£
.\"O .B rssh 
.\"O does not make use of the user's environment in any way.  The relevant command
.\"O is executed by calling \fIexecv\fP(3) with the full path to the command, as
.\"O specified at compile time.  It does not depend upon the user's PATH variable,
.\"O or on any other environment variable.
.B rssh
¤Ï·è¤·¤Æ¥æ¡¼¥¶¡¼¤Î´Ä¶­(ÊÑ¿ô)¤ò»ÈÍѤ·¤è¤¦¤È¤Ï¤·¤Ê¤¤¡£
´ØÏ¢¤¹¤ë¥³¥Þ¥ó¥É(ÌõÃí: sftp-server¤Ê¤É)¤Ï¡¢
¥³¥ó¥Ñ¥¤¥ë»þ¤Ë»ØÄꤵ¤ì¤¿¥³¥Þ¥ó¥É¤Ø¤Î¥Õ¥ë¥Ñ¥¹¤ò»ØÄꤷ¤Æ
execv(3) ¤ò¸Æ¤Ó½Ð¤¹¤³¤È¤Ç¼Â¹Ô¤µ¤ì¤ë¡£
¤³¤ì¤Ï¥æ¡¼¥¶¤Î PATH ÊÑ¿ô¤Ë¤Ï°Í¸¤·¤Ê¤¤¤·¡¢Â¾¤Î´Ä¶­ÊÑ¿ô¤Ë¤â°Í¸¤·¤Ê¤¤¡£
.P
.\"O There are, however, several problems that can arise.  This is due entirely to
.\"O the way the OpenSSH Project's sshd works, and is in no way the fault of
.\"O \fBrssh\fP.  For example, one problem which might exist is that, according to
.\"O the \fIsshd\fP(8) man page from at least some releases of OpenSSH, the
.\"O commands listed in the
.\"O .I $HOME/.ssh/rc
.\"O file are executed with
.\"O .I /bin/sh
.\"O instead of the user's defined shell.  This appears not to be the case on the
.\"O systems the author had available to test on; commands were executed using the
.\"O user's configured shell (\fBrssh\fP), which did not allow the execution.
¤·¤«¤·¤Ê¤¬¤é¡¢µ¯¤³¤ê¤¦¤ë¤¤¤¯¤Ä¤«¤ÎÌäÂ꤬¸ºß¤¹¤ë¡£
¤³¤ì¤Ï´°Á´¤Ë OpenSSH ¥×¥í¥¸¥§¥¯¥È¤Î sshd ¤ÎÆ°ºî¤Î»ÅÊý¤Ë¸¶°ø¤¬¤¢¤ê¡¢
·è¤·¤Æ
.B rssh
¤Î·ç´Ù¤Ç¤Ï¤Ê¤¤¡£¤¿¤È¤¨¤Ð¡¢Â¸ºß¤¹¤ë¤Ç¤¢¤í¤¦°ì¤Ä¤ÎÌäÂê¤È¤·¤Æ¤Ï¡¢
OpenSSH ¤Î¾¯¤Ê¤¯¤È¤â¤¤¤¯¤Ä¤«¤Î¥ê¥ê¡¼¥¹¤Î
.IR sshd (8)
¤Î man ¥Ú¡¼¥¸¤Ë¤è¤ì¤Ð¡¢
.I $HOME/.ssh/rc
¥Õ¥¡¥¤¥ë¤Ë½ñ¤«¤ì¤Æ¤¤¤ë¥³¥Þ¥ó¥É¤Ï¥æ¡¼¥¶¤Î¥Ç¥Õ¥©¥ë¥È¥·¥§¥ë¤ÎÂå¤ï¤ê¤Ë
.I /bin/sh
¤Ë¤è¤Ã¤Æ¼Â¹Ô¤µ¤ì¤ë¡£
Ãø¼Ô¤¬¥Æ¥¹¥È¤Ë»È¤¨¤ë¥·¥¹¥Æ¥à¤Ç¤Ï¤³¤ÎÌäÂê¤ÏȯÀ¸¤·¤Ê¤¤¡£
¤¹¤Ê¤ï¤Á¡¢¥³¥Þ¥ó¥É¤Ï¥æ¡¼¥¶¤ËÀßÄꤵ¤ì¤¿¥·¥§¥ë
.RB ( rssh )
¤Ë¤è¤Ã¤Æ¼Â¹Ô¤µ¤ì¡¢¤½¤ì¤Ï¼Â¹Ô¤òµö²Ä¤·¤Ê¤¤¡£
.\"O However if it is true on your system, then a malicious user may be able to
.\"O circumvent
.\"O .B rssh
.\"O by uploading a file to
.\"O .I $HOME/.ssh/rc
.\"O which will be executed by 
.\"O .I /bin/sh
.\"O on that system.  If any releases (of OpenSSH) are, in fact, vulnerable to this
.\"O problem, then it is very likely that they are only old, outdated versions.  So
.\"O long as you are running a recent version of OpenSSH, this should not be a
.\"O problem as far as I can tell.
¤·¤«¤·¡¢¤â¤·¤³¤ì¤¬¤¢¤Ê¤¿¤Î¥·¥¹¥Æ¥à¤ÇÍ­¸ú¤Ë¤Ê¤Ã¤Æ¤·¤Þ¤Ã¤Æ¤¤¤ì¤Ð¡¢
°­°Õ¤Î¤¢¤ë¥æ¡¼¥¶¤Ï
.I /bin/sh
¤Ë¼Â¹Ô¤µ¤ì¤ë¤Ç¤¢¤í¤¦
.I $HOME/.ssh/rc
¥Õ¥¡¥¤¥ë¤ò¥¢¥Ã¥×¥í¡¼¥É¤·¤Æ¡¢
.B rssh
¤ò̵»ë¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë¤À¤í¤¦¡£

¼ÂºÝ¤Î¤È¤³¤í¡¢¤â¤·¤³¤ÎÀȼåÀ­ÌäÂ꤬¸ºß¤¹¤ë(OpenSSH ¤Î)¥ê¥ê¡¼¥¹¤¬
¤¢¤ë¤È¤¹¤ì¤Ð¡¢¤½¤ì¤Ï¸Å¤¯¡¢µì¼°¤Î¥Ð¡¼¥¸¥ç¥ó¤Ç¤¢¤ë¡£
ºÇ¶á¤Î¥Ð¡¼¥¸¥ç¥ó¤ÎOpenSSH¤òÆ°¤«¤·¤Æ¤¤¤ë¸Â¤ê¤Ï¡¢
»ä¤¬¸À¤¨¤ëÈϰϤǤÏÌäÂê¤Ê¤¤¤Ï¤º¤À¡£
.P
.\"O If your sshd 
.\"O .I is
.\"O vulnerable to this attack, there is a workaround for this problem, though it
.\"O is pretty restrictive.
¤â¤·»È¤Ã¤Æ¤¤¤ë sshd ¤¬¤³¤Î¹¶·â¤ËÂФ·¤ÆÀȼå¤Ç
.I ¤¢¤ë
¤Ê¤é¤Ð¡¢¤«¤Ê¤êÀ©¸Â¤¬¤«¤«¤ë¤â¤Î¤Î¡¢¤³¤ÎÌäÂê¤ËÂФ¹¤ë²óÈòÊýË¡¤¬¤¢¤ë¡£
.\"O .B  "The user's home directory absolutely must *not* be writable by the user."
.B "¥æ¡¼¥¶¤Î¥Û¡¼¥à¥Ç¥£¥ì¥¯¥È¥ê¤ÏÀäÂФˤ½¤Î¥æ¡¼¥¶¤¬½ñ¤­¹þ¤á¤Æ¤Ï*¤¤¤±¤Ê¤¤*¡£"
.\"O If it is, the user can use sftp to remove the directory or rename it, and then
.\"O create a new one, and fill it up with whatever environment files they like.  For
.\"O providing file uploads, this means a user-writable directory must be created for
.\"O them, and they must be made aware of their inability to write into their home
.\"O directory other than in this location.
¤â¤·½ñ¤­¹þ¤á¤Æ¤·¤Þ¤¨¤Ð¡¢¥æ¡¼¥¶¤Ï sftp ¤ò»È¤Ã¤Æ(.ssh)¥Ç¥£¥ì¥¯¥È¥ê¤Î
̾Á°¤òÊѤ¨¤ë¤«¾Ã¤¹¤«¤·¤Æ¡¢¤¢¤¿¤é¤·¤¤Æ±Ì¾¤Î¥Ç¥£¥ì¥¯¥È¥ê¤òºî¤ê¡¢¹¥¤­¤Ê
´Ä¶­¥Õ¥¡¥¤¥ë(ÌõÃí: ¾åµ­ $HOME/.ssh/rc ¥Õ¥¡¥¤¥ë¤Î¤³¤È)¤ò¤½¤³¤Ë½ñ¤­¹þ¤á¤ë¡£
¥Õ¥¡¥¤¥ë¤Î¥¢¥Ã¥×¥í¡¼¥É¤ò³«Êü¤¹¤ë¤¿¤á¤Ë¤Ï¡¢¥æ¡¼¥¶¤¬½ñ¤­¹þ¤á¤ë¥Ç¥£¥ì¥¯¥È¥ê¤¬
ºîÀ®¤µ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤º¡¢¥Û¡¼¥à¥Ç¥£¥ì¥¯¥È¥ê¤Î¤½¤ì°Ê³°¤Î¾ì½ê¤Ë¤Ï
½ñ¤­¹þ¤á¤Ê¤¤¤³¤È¤ò¥æ¡¼¥¶¤Ë¾µÃΤµ¤»¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
.P
.\"O A second problem is that after authenticating the user, sshd also reads
.\"O .I $HOME/.ssh/environment
.\"O to allow the user to set variables in their environment.  This allows the user
.\"O to completely circumvent 
.\"O .B rssh 
.\"O by clever manipulation of such environment variables as
.\"O .IR LD_LIBRARY_PATH " or " LD_PRELOAD
.\"O to link the rssh binary against arbitrary shared libraries.  In order to
.\"O prevent this from being a problem, as of version 0.9.3, by default
.\"O .B rssh
.\"O is now compiled statically.  The restrictive work-around mentioned above will
.\"O also defeat this sort of attack.
Æó¤ÄÌܤÎÌäÂê¤Ï¡¢¥æ¡¼¥¶¤¬´Ä¶­¤ËÊÑ¿ô¤òÀßÄê¤Ç¤­¤ë¤³¤È¤ò²Äǽ¤Ë¤¹¤ë
.I $HOME/.ssh/environment
¥Õ¥¡¥¤¥ë¤ò¡¢sshd ¤¬¥æ¡¼¥¶¤Îǧ¾Ú¸å¤ËÆɤ߹þ¤à¤³¤È¤Ç¤¢¤ë¡£
´Ä¶­ÊÑ¿ô
.I LD_LIBRARY_PATH
¤Þ¤¿¤Ï
.I LD_PRELOAD
¤ò¾å¼ê¤ËÁàºî¤·¤Æ¡¢Ç¤°Õ¤Î¶¦Í­¥é¥¤¥Ö¥é¥ê¤ò rssh ¥Ð¥¤¥Ê¥ê¤Ë¥ê¥ó¥¯
¤µ¤»¤ë¤³¤È¤Ë¤è¤Ã¤Æ
.B rssh
¤ò´°Á´¤Ëµ½¤¯¤³¤È¤òµö¤·¤Æ¤·¤Þ¤¦¡£
¤³¤ÎÌäÂê¤òËɤ°¤¿¤á¤Ë¡¢
.B rssh
¤Ï(¥Ð¡¼¥¸¥ç¥ó 0.9.3 ¤Î»þÅÀ¤Ç¤Ï)¥Ç¥Õ¥©¥ë¥È¤Ç¤ÏÀÅŪ¤Ë¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤ë¡£
Á°½Ò¤ÎÀ©¸ÂÉÕ¤­¤Î²óÈòÊýË¡¤Ï¡¢¤³¤Î¼ï¤Î¹¶·â¤âËɤ°¤³¤È¤¬¤Ç¤­¤ë¡£
.\"O .P
.\"O As of OpenSSH 3.5, 
.\"O .I sshd
.\"O now supports the option
.\"O .I PermitUserEnvironment
.\"O which is set to "no" by default.  This option allows restricted shells like
.\"O .B rssh
.\"O to function properly without requiring them to be linked statically.  As of
.\"O .B rssh
.\"O version 1.0.1, the configure script should detect that OpenSSH 3.5 is present,
.\"O and disable the default of static compilation.
OpenSSH 3.5 ¤Î»þÅÀ¤Ç¤Ï¡¢
.I sshd
¤Ï
.I PermitUserEnvironment
¥ª¥×¥·¥ç¥ó¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤ª¤ê¡¢¤³¤ì¤Ï¥Ç¥Õ¥©¥ë¥È¤Ç "no" ¤ËÀßÄꤵ¤ì¤Æ¤¤¤ë¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢
.B rssh
¤Î¤è¤¦¤ÊÀ©¸Â¤Ä¤­¥·¥§¥ë¤¬ÀÅŪ¥ê¥ó¥¯¤ÎɬÍפʤ·¤ËŬÀڤ˵¡Ç½¤¹¤ë¤³¤È¤ò
²Äǽ¤Ë¤¹¤ë¡£
.B rssh
¥Ð¡¼¥¸¥ç¥ó 1.0.1 ¤Î»þÅÀ¤Ç¡¢configure ¥¹¥¯¥ê¥×¥È¤Ï OpenSSH 3.5 ¤¬
¸ºß¤¹¤ë¤«¤ò¸¡½Ð¤·¡¢ÀÅŪ¥³¥ó¥Ñ¥¤¥ë¤ò̵¸ú¤Ë¤¹¤ë¡£
.\"O .SH BUGS
.SH ¥Ð¥°
.\"O None.  =8^)
¤Ê¤¤ =8^)
.\"O .SH SEE ALSO
.SH ´ØÏ¢¹àÌÜ
.\"O \fIrssh.conf\fP(5), \fIsshd\fP(8), \fIssh\fP(1), \fIscp\fP(1), \fIsftp\fP(1).
.IR rssh.conf (5),
.IR sshd (8),
.IR ssh (1),
.IR scp (1),
.IR sftp (1)
.\"O 
.\"O