scponly: Multiple privilege escalation issues
Gentoo Linux Security Advisory
GLSA 200512-17 / scponly
December 29, 2005
May 22, 2006: 02
local and remote
All supported architectures
Local users can exploit an scponly flaw to gain root privileges, and
scponly restricted users can use another vulnerability to evade shell

scponly is a restricted shell, allowing only a few predefined commands.
It is often used as a complement to OpenSSH to provide access to remote
users without providing any remote execution privileges.

Max Vozeler discovered that the scponlyc command allows users to chroot
into arbitrary directories. Furthermore, Pekka Pessi reported that
scponly insufficiently validates command-line parameters to an scp or

A local attacker could gain root privileges by chrooting into arbitrary
directories containing hardlinks to setuid programs. A remote scponly
user could also send malicious parameters to an scp or rsync command
that would allow them to escape the shell restrictions and execute arbitrary

There is no known workaround at this time.

All scponly users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/scponly-4.2"
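
The local issue described above depends on setuid programs being reachable through hard links inside a directory a user can chroot into. The shell functions below are an added example, not part of the advisory or of scponly: they audit a tree for setuid/setgid files with extra hard links and report the Linux `fs.protected_hardlinks` setting. The function names and the `/home` path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a directory tree for the
# precondition named in the impact text, i.e. setuid/setgid regular files
# that have more than one hard link.

# list_linked_setid DIR
# Print every regular file under DIR that is setuid or setgid and has a link
# count above 1. -xdev keeps the walk on one filesystem, because hard links
# cannot cross filesystem boundaries.
list_linked_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 -print 2>/dev/null
}

# hardlink_policy
# Report the Linux fs.protected_hardlinks setting. With 1, an unprivileged
# user cannot hard-link a setuid file they do not own. Prints "unknown"
# where the sysctl file is absent (non-Linux systems or old kernels).
hardlink_policy() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        echo unknown
    fi
}

# audit_tree DIR
# Print the findings for DIR; return 1 if any were found, 0 otherwise.
audit_tree() {
    hits=$(list_linked_setid "$1")
    if [ -n "$hits" ]; then
        printf 'setuid/setgid files with extra hard links under %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    printf 'no hard-linked setuid/setgid files under %s\n' "$1"
    return 0
}

# Example run over a tree users can write to (the path is an assumption):
#   audit_tree /home
```

A non-zero return from `audit_tree` means each listed path shares an inode with at least one other name, so the other names should be located and reviewed.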