OpenSSH

Re: sftp logging

To: David Leonard <d@adaptive-enterprises.com.au>
Subject: Re: sftp logging
From: Darren Tucker <dtucker@zip.com.au>
Date: Mon, 19 Feb 2007 20:43:10 +1100
Cc: Michael Prochaska <michael@prochas.net>, openssh-unix-dev@mindrot.org
In-reply-to: <45D96D2F.5010907@adaptive-enterprises.com.au>
List-archive: <http://lists.mindrot.org/pipermail/openssh-unix-dev>
List-id: Development of portable OpenSSH <openssh-unix-dev.mindrot.org>
References: <45D9573D.4060507@prochas.net> <45D9667E.9080707@zip.com.au> <45D96D2F.5010907@adaptive-enterprises.com.au>
Reply-to: dtucker@zip.com.au
User-agent: Mutt/1.5.11

On Mon, Feb 19, 2007 at 07:26:07PM +1000, David Leonard wrote:
> note that users can bypass your sftp-server log levels. e.g. by 
> supplying the -s option to sftp with the full path to the sftp-server 
> executable. However, they can supply their own logging levels, which 
> can be handy, e.g.
> 
>   $ sftp -s '/usr/libexec/sftp-server -lDEBUG -fDAEMON' remote-host

That's a good point.  If it matters and they only need sftp access you
can use something like

Match Group sftpusers
        ForceCommand /usr/libexec/sftp-server -l [...]

Once a user has shell access they can transfer files using pretty
much anything (tar, cat, grep, or anything they can install if they
have a writable directory).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
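
Added example (not part of the original message and not OpenSSH project code): a Python script that reads sshd_config text and reports, for each Match block, whether a ForceCommand pins sftp-server together with an explicit -l log level, as the reply above suggests. The sample config is constructed; the group names other than sftpusers and the verdict labels are hypothetical, and accepting internal-sftp alongside sftp-server goes beyond what the message covers.

```python
import os
import shlex

# Constructed sample sshd_config (groups other than sftpusers are made up).
SAMPLE_CONFIG = """\
Subsystem sftp /usr/libexec/sftp-server -l INFO

Match Group sftpusers
        ForceCommand /usr/libexec/sftp-server -l VERBOSE -f AUTH

Match Group contractors
        X11Forwarding no

Match Group legacy
        ForceCommand /usr/libexec/sftp-server
"""

SFTP_SERVERS = {"sftp-server", "internal-sftp"}


def match_blocks(config_text):
    """Return [(criteria, {keyword: argument})] for each Match block."""
    blocks = []
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            blocks.append((arg, {}))
        elif blocks:
            # sshd_config: the first value obtained for a keyword is used
            blocks[-1][1].setdefault(keyword, arg)
    return blocks


def classify(force_command):
    """Say whether a ForceCommand value pins sftp-server and its log level."""
    if force_command is None:
        return "unforced"          # client may run sftp-server with its own -l/-f
    argv = shlex.split(force_command)
    if not argv or os.path.basename(argv[0]) not in SFTP_SERVERS:
        return "forced-other"      # some other command is forced
    has_level = any(a.startswith("-l") for a in argv[1:])
    return "pinned" if has_level else "forced-default-level"


def audit(config_text):
    """Map each Match criteria string to its classification."""
    return {crit: classify(opts.get("forcecommand"))
            for crit, opts in match_blocks(config_text)}
```

The script looks only inside Match blocks, so a ForceCommand set in the global section is not taken into account; `sshd -T -C user=NAME` prints the effective settings for a given user.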
