mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lyor Goldstein <lgoldst...@apache.org>
Subject Re: commands filter
Date Mon, 08 Apr 2019 18:26:09 GMT
>>  is it possibleto filter remote commands, i.e.  I want to reject to
execute some dangerous commands like "rm"

Seems relatively straightforward - since you are a proxy, then I assume you
present your "server" face to the potential clients whose dangerous
commands you want to filter. There are actually 2 command "paths" that can
pass through your proxy facade:

* A single command - as an EXEC channel - easy to handle -  you register a
CommandFactory and examine the command you are asked to execute. If it is
deemed "dangerous" then you can close the channel, or return an error exit
code - whatever. Note that this cannot prevent execution of aliases of
dangerous commands or scripts that contain dangerous commands in them

* As a SHELL channel - this is a bit trickier - what you have to do is to
intercept the STDIN and examine the commands before you pass them on to the
real shell for execution. The problem here is more complex since the savvy
user can ask to execute a script instead of a command, and embed the
dangerous commands in the script.

Hope this helps.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message