On Fri, 27 Apr 2007 15:14:32 -0500 Marco Peereboom <[EMAIL PROTECTED]> wrote:
> On Fri, Apr 27, 2007 at 09:08:31PM +0200, Rico Secada wrote: > > On Fri, 27 Apr 2007 13:27:58 -0500 > > Marco Peereboom <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > On Fri, Apr 27, 2007 at 08:17:16PM +0200, Rico Secada wrote: > > > > On Fri, 27 Apr 2007 10:30:03 -0700 > > > > "Ted Unangst" <[EMAIL PROTECTED]> wrote: > > > > > > > > > On 4/27/07, Rico Secada <[EMAIL PROTECTED]> wrote: > > > > > > On Thu, 26 Apr 2007 22:34:52 -0500 > > > > > > Marco Peereboom <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > > > What's the point again? > > > > > > > > > > > > What part didn't you understand? > > > > > > > > > > why are you asking this list about somebody else's patch? > > > > > > > > Because I was looking for people using OpenBSD who might have issues > > > > with > > > > this patch. > > > > > > If this was a good idea don't you think someone who is actually involved > > > in OpenSSH code would have done this already? > > > > Do you think that because nobody from the OpenBSD devs has done it, that > > means its not a good idea? If thats the case you don't much about how > > the work is done. > > Obviously this has been discussed. > > > > > There is a lot of good ideas, but only so many people and resources > > to get the job done. > > This is not a good idea since all you are trying to do can be done with > the standard OS tools already. > > > > > Now that you are asking, the patch and the idea behind the patch is very > > good. If used in combination with SSHfs it serves a very specifik purpose. > > And why can't you do this with the standard tools that come with the OS? > > You know, like chown and chgrp? Jailing somebody means that the person wont be able to go outside the jail, now what you are talking about doesn't provide that. We have been using that solution but it has provided some problems. > A jail will NOT have any additional benefit. Yes it will. > > > > A lot of people, including our company - who are providing support > > to the developement of OpenBSD, has been wanting to be able both > > to jail users who only need scp/sftp, and also prevent them from SSH in, > > now this can be done with a sftp-server shell, but jailing without > > trouble hasn't been possible, forcing other solutions less purposefull > > solutions. > > Allowing ssh/sftp will by default enable the would be attacker to employ > local attacks. If there is a local exploit available the box will be > rooted; no jail in the world will save you. Now.. 1. Exploiting the box has absolutely nothing to do with this discussion! 2. Jailing the user is from a practical specific point of view but you have to know the exact setup before you would understand the issue. 3. What are you talking about - local attacks? > There is no benefit and the code is more complex. Wrong and wrong. But lets not go there now. > > > > If you really understand and know that this is a bad idea, perhaps you > > wouldn't mind sharing that knowledge with the rest? Thats why I asked in > > the first place. > > If I have access to a machine and I can upload files all bets are off. > All local exploits are now available; jailing will not make any > difference. > > > > > > > > > > > > ask the somebody else if their patch works. > > > > > > > > If I could benefit from that, I would.
