Debian Bug report logs - #581919
openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive

Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is src:openssh.

Reported by: Vincent Danjean <vdanjean@debian.org>

Date: Mon, 17 May 2010 08:33:02 UTC

Severity: important

Found in version openssh/1:5.5p1-3

Fixed in version openssh/1:5.5p1-4

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#581919; Package openssh-server. (Mon, 17 May 2010 08:33:05 GMT)

Acknowledgement sent to Vincent Danjean <vdanjean@debian.org>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 17 May 2010 08:33:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Vincent Danjean <vdanjean@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive
Date: Mon, 17 May 2010 10:31:01 +0200
Package: openssh-server
Version: 1:5.5p1-3
Severity: important

  Hi,

  Base-files package just switched to umask 002 by default for new install
(see #248140 and discussion in d-devel). However, with this setup,
openssh-server behaves badly. It is similar to #314347 that was opened
for openssh-client and permission checks for $HOME/.ssh/config.
The fix for this bug should probably be similar.

  Here is an example of the problem:
On 15/05/2010 03:12, Joey Hess wrote:
> Vincent Danjean wrote:
>> I'm happy with this move. However, there is still an interaction with ssh
>> to deal with:
>> vdanjean@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
>> vdanjean@eyak:~$ ssh localhost
>> vdanjean@localhost's password:
>> And, in /var/log/auth.log:
>> May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys
>>
>> vdanjean@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
>> le mode de « .ssh/authorized_keys » a été modifié en 0644 (rw-r--r--).
>> vdanjean@eyak:~$ ssh localhost
>> You have mail.
>> Last login: Tue May 11 17:10:30 2010
>> vdanjean@eyak:~$
>>
>> My system is in UPG but I was using default umask 022
>
> FWIW, for openssh this is supposed to be fixed in version 1:4.1p1-3.
> See #314347. It was changed to allow group-writable files if
> the owner is the only member in the group.
Something is wrong here. Should 314347 be reopened?

vdanjean@eyak:~$ LC_ALL=C apt-cache policy openssh-server
openssh-server:
  Installed: 1:5.5p1-3
  Candidate: 1:5.5p1-3
  Version table:
 *** 1:5.5p1-3 0
        500 http://ftp.fr.debian.org unstable/main Packages
        500 http://ftp.fr.debian.org testing/main Packages
        100 /var/lib/dpkg/status
     1:5.1p1-5 0
        500 http://ftp.fr.debian.org stable/main Packages
     1:4.3p2-9etch3 0
        500 http://ftp.fr.debian.org oldstable/main Packages
vdanjean@eyak:~$ cat /etc/group /etc/passwd | grep '^vdanjean'
vdanjean:x:1000:
vdanjean:x:1000:1000:Vincent Danjean,,,:/home/vdanjean:/bin/bash
vdanjean@eyak:~$

  Regards,
    Vincent

-- System Information:
Debian Release: squeeze/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                 3.112            add and remove users and groups
ii  debconf [debconf-2.0]   1.5.32           Debian configuration management sy
ii  dpkg                    1.15.7.1         Debian package management system
ii  libc6                   2.11-0exp6       Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.11-1        common error description library
ii  libgssapi-krb5-2        1.8.1+dfsg-2     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.1+dfsg-2     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-3          Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-3          Runtime support for the PAM librar
ii  libpam0g                1.1.1-3          Pluggable Authentication Modules l
ii  libselinux1             2.0.94-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8n-1         SSL shared libraries
ii  libwrap0                7.6.q-18         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23.1         Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-3        secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-9        /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                  <none>      (no description available)
pn  rssh                         <none>      (no description available)
ii  ssh-askpass                  1:1.2.4.1-9 under X, asks user for a passphras
pn  ufw                          <none>      (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#581919; Package openssh-server. (Mon, 17 May 2010 16:36:15 GMT)

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 17 May 2010 16:36:15 GMT)

Message #10 received at 581919@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 581919@bugs.debian.org
Subject: Re: Bug#581919: openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive
Date: Mon, 17 May 2010 18:32:51 +0200
On Mon, 2010-05-17 at 10:31 +0200, Vincent Danjean wrote:
>   Base-files package just switched to umask 002 by default for new install
> (see #248140 and discussion in d-devel). However, with this setup,
> openssh-server behaves badly. It is similar to #314347 that was opened
> for openssh-client and permission checks for $HOME/.ssh/config.
> The fix for this bug should probably be similar.
So do you suggest that also group-readable/writable authorized_keys
files should be accepted by openssh?

You probably know that I was already one of the strong opponents of the
recent umask changes,... but this would go really too far.

It's not guaranteed that a system uses UPGs (old systems) neither that a
user will keep this setup (new systems).

Requiring special permissions for some files was done for good reason.
Debian shouldn't completely drop security just for awkward user/group
setups.


Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#581919; Package openssh-server. (Sat, 22 May 2010 18:57:06 GMT)

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sat, 22 May 2010 18:57:06 GMT)

Message #15 received at 581919@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Vincent Danjean <vdanjean@debian.org>, 581919@bugs.debian.org
Subject: Re: Bug#581919: openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive
Date: Sat, 22 May 2010 19:53:36 +0100
On Mon, May 17, 2010 at 10:31:01AM +0200, Vincent Danjean wrote:
>   Base-files package just switched to umask 002 by default for new install
> (see #248140 and discussion in d-devel). However, with this setup,
> openssh-server behaves badly. It is similar to #314347 that was opened
> for openssh-client and permission checks for $HOME/.ssh/config.
> The fix for this bug should probably be similar.

Thanks.  This is a new bug - #314347 hasn't regressed - but similar code
needs to be applied in a few more places.  I'll take care of this.

-- 
Colin Watson                                       [cjwatson@debian.org]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#581919; Package openssh-server. (Sat, 22 May 2010 18:57:08 GMT)

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sat, 22 May 2010 18:57:08 GMT)

Message #20 received at 581919@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 581919@bugs.debian.org
Subject: Re: Bug#581919: openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive
Date: Sat, 22 May 2010 19:55:16 +0100
On Mon, May 17, 2010 at 06:32:51PM +0200, Christoph Anton Mitterer wrote:
> On Mon, 2010-05-17 at 10:31 +0200, Vincent Danjean wrote:
> >   Base-files package just switched to umask 002 by default for new install
> > (see #248140 and discussion in d-devel). However, with this setup,
> > openssh-server behaves badly. It is similar to #314347 that was opened
> > for openssh-client and permission checks for $HOME/.ssh/config.
> > The fix for this bug should probably be similar.
> 
> So do you suggest that also group-readable/writable authorized_keys
> files should be accepted by openssh?
> 
> You probably know that I was already one of the strong opponents of the
> recent umask changes,... but this would go really too far.
> 
> It's not guaranteed that a system uses UPGs (old systems) neither that a
> user will keep this setup (new systems).
> 
> Requiring special permissions for some files was done for good reason.
> Debian shouldn't completely drop security just for awkward user/group
> setups.

It's not completely dropping security.  If the user is the only member
of a group, then the group-writability confers no additional permissions
and it's OK to allow it.  Debian's openssh package has done this for
~/.ssh/config for some time and it's been fine - it's just a matter of
extending that.

Let's not over-exaggerate things.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]




Added tag(s) pending. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Sat, 22 May 2010 21:45:08 GMT)

Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sat, 22 May 2010 23:06:12 GMT)

Notification sent to Vincent Danjean <vdanjean@debian.org>:
Bug acknowledged by developer. (Sat, 22 May 2010 23:06:13 GMT)

Message #27 received at 581919-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 581919-close@bugs.debian.org
Subject: Bug#581919: fixed in openssh 1:5.5p1-4
Date: Sat, 22 May 2010 23:02:28 +0000
Source: openssh
Source-Version: 1:5.5p1-4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.5p1-4_i386.udeb
  to main/o/openssh/openssh-client-udeb_5.5p1-4_i386.udeb
openssh-client_5.5p1-4_i386.deb
  to main/o/openssh/openssh-client_5.5p1-4_i386.deb
openssh-server-udeb_5.5p1-4_i386.udeb
  to main/o/openssh/openssh-server-udeb_5.5p1-4_i386.udeb
openssh-server_5.5p1-4_i386.deb
  to main/o/openssh/openssh-server_5.5p1-4_i386.deb
openssh_5.5p1-4.debian.tar.gz
  to main/o/openssh/openssh_5.5p1-4.debian.tar.gz
openssh_5.5p1-4.dsc
  to main/o/openssh/openssh_5.5p1-4.dsc
ssh-askpass-gnome_5.5p1-4_i386.deb
  to main/o/openssh/ssh-askpass-gnome_5.5p1-4_i386.deb
ssh-krb5_5.5p1-4_all.deb
  to main/o/openssh/ssh-krb5_5.5p1-4_all.deb
ssh_5.5p1-4_all.deb
  to main/o/openssh/ssh_5.5p1-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 581919@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 May 2010 23:37:20 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:5.5p1-4
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 579843 581697 581919
Changes: 
 openssh (1:5.5p1-4) unstable; urgency=low
 .
   [ Sebastian Andrzej Siewior ]
   * Add powerpcspe to architecture list for libselinux1-dev build-dependency
     (closes: #579843).
 .
   [ Colin Watson ]
   * Allow ~/.ssh/authorized_keys and other secure files to be
     group-writable, provided that the group in question contains only the
     file's owner; this extends a patch previously applied to ~/.ssh/config
     (closes: #581919).
   * Check primary group memberships as well as supplementary group
     memberships, and only allow group-writability by groups with exactly one
     member, as zero-member groups are typically used by setgid binaries
     rather than being user-private groups (closes: #581697).
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFL+F2e9t0zAhD6TNERAn1TAJ9rwlavocxyM1cYSgA4B5hQMWtnhgCdE5fR
nI9MxJLBX8mqHsaY/pvhXeg=
=m9C4
-----END PGP SIGNATURE-----
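
The rule stated in the 1:5.5p1-4 changelog above (group-writable is accepted only when the group has exactly one member, counting primary as well as supplementary memberships, and that member is the file's owner), as an added C sketch. It is not the Debian patch or OpenSSH code: the function names, the in-memory PASSWD/GROUPS tables (constructed sample data) and the owner-must-be-user-or-root rule are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed stand-ins for /etc/passwd and /etc/group rows (not real data). */
struct pw_row { const char *name; uid_t uid; gid_t gid; };
struct gr_row { gid_t gid; const char *members[4]; };  /* NULL-terminated */

static const struct pw_row PASSWD[] = {
    { "vdanjean", 1000, 1000 },   /* user-private group, as in the report */
    { "alice",    1001, 1001 },
    { "bob",      1002, 1002 },
    { "dave",     1003, 1002 },   /* primary group is bob's group */
};
static const struct gr_row GROUPS[] = {
    { 1000, { NULL } },
    { 1001, { "bob", NULL } },    /* bob is a supplementary member */
    { 1002, { NULL } },
    { 2000, { NULL } },           /* zero-member group */
};
#define NPW (sizeof PASSWD / sizeof PASSWD[0])
#define NGR (sizeof GROUPS / sizeof GROUPS[0])

static bool listed(const struct gr_row *g, const char *name)
{
    for (size_t i = 0; g->members[i] != NULL; i++)
        if (strcmp(g->members[i], name) == 0)
            return true;
    return false;
}

/* True only when gid has exactly one member and it is `owner`; primary and
 * supplementary memberships both count, and an unknown gid is refused. */
bool group_private_to(gid_t gid, uid_t owner)
{
    const struct gr_row *g = NULL;
    size_t members = 0;
    bool owner_in = false;
    for (size_t i = 0; i < NGR; i++)
        if (GROUPS[i].gid == gid)
            g = &GROUPS[i];
    if (g == NULL)
        return false;
    for (size_t i = 0; g->members[i] != NULL; i++)
        members++;                /* every listed name counts, known or not */
    for (size_t i = 0; i < NPW; i++) {
        bool in_list = listed(g, PASSWD[i].name);
        if (PASSWD[i].gid == gid && !in_list)
            members++;            /* member through primary group only */
        if ((PASSWD[i].gid == gid || in_list) && PASSWD[i].uid == owner)
            owner_in = true;
    }
    return members == 1 && owner_in;
}

/* Ownership/mode decision for a "secure" file such as authorized_keys.
 * Assumption of this sketch: the owner must be `user` or root. */
bool secure_file_ok(uid_t f_uid, gid_t f_gid, mode_t f_mode, uid_t user)
{
    if (f_uid != 0 && f_uid != user)
        return false;
    if (f_mode & S_IWOTH)
        return false;             /* world-writable is always refused */
    if ((f_mode & S_IWGRP) && !group_private_to(f_gid, f_uid))
        return false;             /* group-writable, group not private */
    return true;
}

int main(void)
{
    return secure_file_ok(1000, 1000, 0664, 1000) ? 0 : 1;  /* report's case */
}
```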





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#581919; Package openssh-server. (Sun, 23 May 2010 01:21:03 GMT)

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 23 May 2010 01:21:03 GMT)

Message #32 received at 581919@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 581919@bugs.debian.org
Subject: Re: Bug#581919: openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive
Date: Sun, 23 May 2010 03:16:56 +0200
On Sat, 2010-05-22 at 19:55 +0100, Colin Watson wrote:
> It's not completely dropping security.  If the user is the only member
> of a group, then the group-writability confers no additional permissions
> and it's OK to allow it.
Well I've read the code for the ~/.ssh/config changes,... I mean it
seems ok at least at a first glance,... but I think it's more or less
only a heuristic and I guess upstream has its reasons to not merge
it...

And what happens if group memberships changes just during that code
part?


Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#581919; Package openssh-server. (Sun, 23 May 2010 06:15:03 GMT)

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 23 May 2010 06:15:03 GMT)

Message #37 received at 581919@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 581919@bugs.debian.org
Subject: Re: Bug#581919: openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive
Date: Sun, 23 May 2010 07:10:26 +0100
On Sun, May 23, 2010 at 03:16:56AM +0200, Christoph Anton Mitterer wrote:
> On Sat, 2010-05-22 at 19:55 +0100, Colin Watson wrote:
> > It's not completely dropping security.  If the user is the only member
> > of a group, then the group-writability confers no additional permissions
> > and it's OK to allow it.
> 
> Well I've read the code for the ~/.ssh/config changes,... I mean it
> seems ok at least at a first glance,... but I think it's more or less
> only a heuristic and I guess upstream has its reasons to not merge
> it...

Wrong reasons, yes.  I corrected a significant mistake in their
objection on the upstream bug and they never responded to that; and they
also don't think that it's important for this part of the system to work
by default (I assume that they don't use systems with user-private
groups).  I expect to continue carrying the patch since I am not
persuaded by their arguments.

> And what happens if group memberships changes just during that code
> part?

I don't see a reason to care.  Let's say that all but one user is being
removed from the group: now either the test fails, as it would have done
beforehand, or it passes, as it would do afterwards.  Since the test is
essentially just to protect the user from themselves, it doesn't matter
that it races against passwd/group file changes.

-- 
Colin Watson                                       [cjwatson@debian.org]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#581919; Package openssh-server. (Sun, 23 May 2010 10:03:06 GMT)

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 23 May 2010 10:03:06 GMT)

Message #42 received at 581919@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 581919@bugs.debian.org
Subject: Re: Bug#581919: openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive
Date: Sun, 23 May 2010 10:59:30 +0100
On Sun, May 23, 2010 at 07:10:26AM +0100, Colin Watson wrote:
> On Sun, May 23, 2010 at 03:16:56AM +0200, Christoph Anton Mitterer wrote:
> > On Sat, 2010-05-22 at 19:55 +0100, Colin Watson wrote:
> > > It's not completely dropping security.  If the user is the only member
> > > of a group, then the group-writability confers no additional permissions
> > > and it's OK to allow it.
> > 
> > Well I've read the code for the ~/.ssh/config changes,... I mean it
> > seems ok at least at a first glance,... but I think it's more or less
> > only a heuristic and I guess upstream has its reasons to not merge
> > it...
> 
> Wrong reasons, yes.  I corrected a significant mistake in their
> objection on the upstream bug and they never responded to that; and they
> also don't think that it's important for this part of the system to work
> by default (I assume that they don't use systems with user-private
> groups).  I expect to continue carrying the patch since I am not
> persuaded by their arguments.

Incidentally, don't take that the wrong way.  I respect upstream and for
the most part try to stay as close to them as I can (though the need to
carry the GSSAPI patch means there's something of a lower bound here).
But I also reserve my own judgement, particularly when problems
disproportionately affect Debian.

> > And what happens if group memberships changes just during that code
> > part?
> 
> I don't see a reason to care.  Let's say that all but one user is being
> removed from the group: now either the test fails, as it would have done
> beforehand, or it passes, as it would do afterwards.  Since the test is
> essentially just to protect the user from themselves, it doesn't matter
> that it races against passwd/group file changes.

A further and better reason is that only root can change group
memberships.  OpenSSH doesn't need to defend against attempts by root to
compromise their own system.

-- 
Colin Watson                                       [cjwatson@debian.org]




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Jun 2010 07:32:15 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:08:05 2014; Machine Name: beach.debian.org
