Subject: Re: [Summer of code] Proposal : a Sftp server
To: None <tech-userlevel@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-userlevel
Date: 06/16/2005 03:09:08
>> This is a client issue, not a server issue. ftpd no more loads your
>> shell than httpd does.
> Thank you for the education. Not to drift too far off topic, but now
> I'm completely baffled by why ftpd insists the user have a valid
> shell (item #3 under "User Authentication" on the ftpd man page).
Because someone "fixed" a non-problem the wrong way, and a bunch of
other people promptly mistook the "fix" for yet a third thing (ie,
neither a proper fix to the original "problem" nor what it actually
was).
Once upon a time, the shell was just another program, and you could
write your own and chsh to it. Very much in the Unix philosophy.
Then someone noticed that there was a security risk if you allowed
people to change their shells arbitrarily, because someone could create
files and directories such that, say, "/home/mouse/foo
teehee::0:0:Tee hee hee!:/:/bin/sh" (that's a newline in the string
between "foo" and "teehee") existed - chsh to that and poof! a new
record appears in /etc/passwd (this was before shadow passwords).
So, someone "fixed" this by creating /etc/shells and the
{set,get,end}usershell() routines and making chsh use them. This fix
was broken because: (1) it breaks the "shell is just another program"
paradigm; (2) it provides no way for an admin to provide any kind of
wildcard; (3) item 2 is unfixable because the API provides no way to
even *represent* a wildcard. (The right fix to the security hole, of
course, was to make chsh forbid shells whose names involved characters
with syntax meaning in /etc/passwd: newlines and colons. And if you
really do want a "valid shell" test, the right API paradigm is "is this
shell valid", not "iterate over all valid shells".)
Then various other people mistook "has a `valid' shell" for "is a real
full-fledged user of the system" and started throwing similar checks
into a bunch of other programs, like ftpd. This is broken even beyond
the brokennesses inherent in /etc/shells and ???usershell(), because it
assumes that exactly the same set of users should be permitted use of
each of the various services in question (an assumption that breaks in
both directions), and furthermore assumes that membership in that set
is equivalent to the user in question using a "blessed" shell.
The result is a horrible mess, and what you are seeing is just one of
the pieces of that mess.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B