<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>54754</bug_id>
          
          <creation_ts>2004-06-22 09:13 0000</creation_ts>
          <short_desc>app-shells/rssh: minor security flaw: information gathering outside chroot</short_desc>
          <delta_ts>2004-06-23 05:18:22 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Linux</product>
          <component>Security</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          <bug_file_loc>http://www.pizzashack.org/rssh/</bug_file_loc>
          <status_whiteboard>B4 [ebuild] jaervosz</status_whiteboard>
          
          <priority>P2</priority>
          <bug_severity>normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>vorlon@gentoo.org</reporter>
          <assigned_to>security@gentoo.org</assigned_to>
          <cc>chriswhite@gentoo.org</cc>
    
    <cc>max@gentoo.org</cc>
    
    <cc>vapier@gentoo.org</cc>

      

      
          <long_desc isprivate="0">
            <who>vorlon@gentoo.org</who>
            <bug_when>2004-06-22 09:13:33 0000</bug_when>
            <thetext>Posted on Bugtraq and rssh mailing list:
http://sourceforge.net/mailarchive/forum.php?thread_id=4963858&amp;forum_id=33294

rssh is a small shell whose purpose is to restrict users to using scp
or sftp, and also provides the facilities to place users in a chroot
jail.  It can also be used to lock users out of a system completely.
William F. McCaw identified a minor security flaw in rssh when used
with chroot jails.

There is a bug in rssh 2.0 - 2.1.x which allows a user to gather
information outside of a chrooted jail unintentionally.  The latest
release of rssh fixes this problem, and also improves support for
some non-openssh sftp clients.  Additionally, it extends rssh by
allowing cvs, rsync, and rdist.

The cause of the problem identified by Mr. McCaw is that rssh expanded
command-line arguments prior to entering the chroot jail.  This bug
DOES NOT allow a user to access any of the files outside the jail, but
can allow them to discover what files are in a directory which is
outside the jail, if their credentials on the server would normally
allow them read/execute access in the specified directory.

For example (from William&apos;s bug report), if a user has an account on a
server machine which restricts them into a jail using rssh, the
user can use the following command to access the server and see what
files exist in the /etc directory:

  scp target:/etc/* .

The results of this command will look something like this:

  scp: /etc/DIR_COLORS: No such file or directory
  scp: /etc/HOSTNAME: No such file or directory
  scp: /etc/X11: No such file or directory
  scp: /etc/adjtime: No such file or directory
  [ ... ]
  ld.so.cache                                  100%  675     0.0KB/s 00:00
  ld.so.conf                                   100%    0     0.0KB/s 00:00
  [ ... ]
  passwd                                       100%   51     0.0KB/s 00:00
  [ ... ]
  scp: /etc/termcap-Linux: No such file or directory
  scp: /etc/updatedb.conf: No such file or directory
  scp: /etc/warnquota.conf-sample: No such file or directory
  scp: /etc/xml: No such file or directory

The files which succeed in copying exist inside the chroot jail, and
thus should be harmless.  All of the files which produce an error
message exist in the system&apos;s /etc directory, but do not exist inside
the chroot jail.  The user is placed in the jail before access to any
of these files is attempted, so again, it is not possible to access
them.  For many sites, this is not a serious issue.  However if it is
important at your site that users not be able to know about any files
which exist outside the chroot jail, then you should upgrade as soon
as possible.

The 2.2.0 release of rssh fixed the problem in question, but was
mistakenly released missing some code for parsing per-user options.
The 2.2.1 release corrects that problem, and should be the final
release of rssh.  No further development is planned.

You can get the latest release of rssh here:

  http://www.pizzashack.org/rssh/

Thanks for using rssh!

-- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D

Reproducible: Always
Steps to Reproduce:</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2004-06-22 09:34:09 0000</bug_when>
            <thetext>bumping the ebuild to 2.2.1 seems to do the trick.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2004-06-22 09:36:53 0000</bug_when>
            <thetext>A bit early to CC arches, CC&apos;ing maintainers instead.

Please bump.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2004-06-22 16:25:47 0000</bug_when>
<thetext>Version bumped and I tested it on my x86/ppc/sparc

just need the GLSA</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>evert.gentoo@planet.nl</who>
            <bug_when>2004-06-23 05:10:13 0000</bug_when>
            <thetext>Created an attachment (id=33941)
mk_rssh_chroot_jail.sh

A bit out of subject, but I created a script which can be used to create a
chroot jail on gentoo and I&apos;d like to share this...</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2004-06-23 05:18:22 0000</bug_when>
            <thetext>Closing without GLSA.

Evert please open a new bug for the script.</thetext>
          </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="0"
              isprivate="0"
          >
            <attachid>33941</attachid>
            <date>2004-06-23 05:10 0000</date>
            <desc>mk_rssh_chroot_jail.sh</desc>
            <filename>mk_rssh_chroot_jail.sh</filename>
            <type>application/octet-stream</type>
            <data encoding="base64">IyEvYmluL2Jhc2gKCiMgcHJvZ3MKUlNTSD0vdXNyL2Jpbi9yc3NoClNDUD0vdXNyL2Jpbi9zY3AK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</data>        

          </attachment>
    </bug>

</bugzilla>