Topic: Bug discovered
# /bin/MySecureShell.1.31 --version
MySecureShell is version 1.31 build on Feb 24 2013
Options:
ACL support: yes
UTF-8 support: yes
Sftp Extensions:
Disk Usage
Disk Usage (OpenSSH)
File Hashing
# cat /etc/issue
Red Hat Enterprise Linux Server release 5.9 (Tikanga)
Relevant data from /var/log/sftp-server.log:
2013-04-25 17:00:28 [25227]New client [userone] from [192.168.1.171]
2013-04-25 17:00:29 [25227][userone][192.168.1.171]Start download file '/CURR/89148580_20130424_143542.pdf'
2013-04-25 17:00:29 [25227][userone][192.168.1.171]End download file '/CURR/89148580_20130424_143542.pdf' : 100%
....
2013-04-25 17:00:37 [25227][userone][192.168.1.171]Start download file '/CURR/89151035_20130424_151219.pdf'
2013-04-25 17:00:37 [25292]New client [anotheruser] from [192.168.5.42]
2013-04-25 17:00:37 [25227][userone][192.168.1.171]End download file '/CURR/89151035_20130424_151219.pdf' : 100%
2013-04-25 17:00:38 [25227][userone][192.168.1.171]Start download file '/CURR/89151147_20130424_151346.pdf'
2013-04-25 17:00:38 [25227][userone][192.168.1.171]End download file '/CURR/89151147_20130424_151346.pdf' : 100%
2013-04-25 17:00:38 [25227][userone][192.168.1.171]Start download file '/CURR/89151228_20130424_151503.pdf'
2013-04-25 17:00:38 [25292][anotheruser][192.168.5.42]Try to remove file '/CURR/SYSTEM_ITEMS.xml' : success
2013-04-25 17:00:38 [25227][userone][192.168.1.171]End download file '/CURR/89151228_20130424_151503.pdf' : 100%
2013-04-25 17:00:38 [25292][anotheruser][192.168.5.42]Start upload into file '/CURR/SYSTEM_ITEMS.xml'
2013-04-25 17:00:38 [25227][userone][192.168.1.171]Start download file '/CURR/89151374_20130424_151709.pdf'
2013-04-25 17:00:39 [25227][anotheruser][192.168.5.42]End download file '/CURR/89151374_20130424_151709.pdf' : 100%
2013-04-25 17:00:39 [25292][anotheruser][192.168.5.42]End upload into file '/CURR/SYSTEM_ITEMS.xml'
2013-04-25 17:00:40 [25292][anotheruser][192.168.5.42]Quit.
2013-04-25 17:00:40 [25227][anotheruser][192.168.5.42]Quit.
Pay attention how user "anotheruser" with PID 25292 hijacking session of "userone" with PID 25227.
Bug reproducible. Give "mget *" for userone for a lot of (not so big) files. Bomb with various small transactions with anotheruser.
trace -feopen for /bin/MySecureshell of userone show how user home (jail) switching from userone to anotheruser , therefore rest of mget failed with no such file.
Anyway, great software with no alternatives.