Re: REQ: SSH behaviour dependent from the connecting client

On Fri, Sep 10, 2004 at 09:16:40AM -0500, MBuselli@cccis.com wrote:
> Personally, if I were to need this functionality I'd modify the SSHD source
> to make the shell switch at the exec(2) call, and then try to make the
> behavior possible through a new option to sshd_config so I could send diffs
> back to the OpenSSH team--making the change permanent in future versions of
> SSHD.  

I think everything but the chroot functionality could be done with a
custom restricted shell that execs other commands or shells as needed.

Limiting a user to sftp and/or scp is basically a matter of writing a 
"shell" that accepts commands with -c but ignores all but a few
commands, and runs them with hard-wired paths.

Doing a chroot requires being root. One might do that as a non-root
userid with a setuid root helper, executable only by a certain group.

But getting and dropping the required group permissions in a secure way 
could be tricky too.

I suppose the whole wrapper shell could be setuid root. From a security
viewpoint this should make you nervous: but if root privs are dropped
as soon as possible, and interrupts are checked, and the environment
is sanitized, I guess it could work.

(A security risk you have to model is what if your own users exec
the special shells/helpers: can they gain privs that way?)

It does seem more straightforward to do some of this work in sshd, before
the exec of the user's shell, while the code is still running as root.