Disable Your SSH access accidentally with scp

8 comments

• chasil 2 minutes ago
  I have a few observations about this article.

  Generally, try not to use SCP. It has been a crufty old program from the Berkeley R-Utilities, but newer OpenSSH releases have rewritten it to use the SFTP server instead. There will be wildly different behavior between these implementations.

  The backend SCP changes are documented here:

  https://lwn.net/Articles/835962/

  If you need something that SFTP cannot do, then use tar on both sides.

  I also have an older rhel5 system where I am running tinysshd to use better SSH crypto. Due to upgrades, NFS is now squashing everything to nobody, so I had to disable precisely these checks to let users login with their authorized_keys. I can post the code if anybody is curious.
• impure 11 minutes ago
  Ah, file permissions. My old friend. Good thing this happened on a 'local' server and not a remote VPS.
• procaryote 38 minutes ago
  This is a useful tip!

  but also... who has a dir with 777 permissions? Is that something people do nowadays?

  [-]
  • chasil 11 minutes ago
    Well, everybody has 1777 as /tmp (with the sticky bit).

      $ ll -d /tmp
      drwxrwxrwt. 20 root root 4096 Mar  3 12:19 /tmp
      $ mkdir mytmp
      $ chmod 1777 mytmp
      $ ll -d mytmp
      drwxrwxrwt. 1 luser lgroup 0 Mar  3 12:19 mytmp
• zahlman 3 days ago
  I assume using `./*` rather than `.` in the `scp` command would have worked around the issue?
  [-]
  • malicka 21 minutes ago
    Yes, since it would’ve copied the globbed files, rather than the current directory itself.
• sowbug 56 minutes ago
  Related: In my Bash logout script I have a chmod that fixes authorized_keys. It won't help with scp because that's non-interactive, but it has helped the other 999 times I've forgotten to clean up the mess I made during an ssh session.
• crest 1 hour ago
  It's nice to see people sharing their mistakes too.
• roelschroeven 1 hour ago
  tl;dr: I you scp -r to your homedir, expect scp to copy not just files and directories but their permissions as well (which I think isn't all that surprising).
  [-]
  • ranger_danger 1 hour ago
    It's not supposed to do that unless it's newly creating the destination, or you supplied the -p flag to preserve permissions... that's what the entire issue is about; it's a bug that was fixed in 10.3.
• binaryturtle 2 hours ago
  When I load the site in my (slightly older) Firefox I just get some random junk and gibberish (markov chain generated nonsense?)

  <bleep> that nonsense!

  [-]
  • theblazehen 6 minutes ago
    I suspect you're hitting the page where they're running https://iocaine.madhouse-project.org/

    Perhaps you got bot flagged or something