Debian Bug report logs - #708419
openssh-client: ssh-copy-id can "rm -f *" if mktemp fails

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: openssh-client: ssh-copy-id leads to rm -f * (local vs. dash)

Date: Wed, 15 May 2013 18:57:58 +0200

Package: openssh-client
Version: 1:6.2p1-1
Severity: serious
Tags: upstream
Justification: leads to data loss

Hi,

ssh-copy-id uses "local" while pretending to be POSIX compliant (/bin/sh
as a shebang). Unfortunately, lack of error handling meands that this
isn't caught:
  local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
  trap "rm -f $L_TMP_ID_FILE*" EXIT TERM INT QUIT

mktemp succeeds but dash doesn't like local:
| $ dash
| $ local foo=bar
| dash: 1: local: not in a function
| $ echo $foo
| 
| $ 

Which leads to:
  rm -f *

=> Nasty!

Traced back to 1:6.2p1-1 due to:
     - Update ssh-copy-id to Phil Hands' greatly revised version
       (closes: #99785, #322228, #620428; LP: #518883, #835901, #1074798).

(Tagging "upstream" as it's also mention in upstream's ChangeLog.)

debdiffing both 6.1p1-4 and 1:6.2p1-1 confirms that the regression
was introduced in the latter (there was no "local" before).

Mraw,
KiBi.

Message #10 received at 708419@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Cyril Brulebois <kibi@debian.org>, 708419@bugs.debian.org

Subject: Re: Bug#708419: openssh-client: ssh-copy-id leads to rm -f * (local vs. dash)

Date: Wed, 15 May 2013 18:15:24 +0100

Control: forwarded -1 https://bugzilla.mindrot.org/show_bug.cgi?id=2105

On Wed, May 15, 2013 at 06:57:58PM +0200, Cyril Brulebois wrote:
> ssh-copy-id uses "local" while pretending to be POSIX compliant (/bin/sh
> as a shebang). Unfortunately, lack of error handling meands that this
> isn't caught:
>   local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
>   trap "rm -f $L_TMP_ID_FILE*" EXIT TERM INT QUIT
> 
> mktemp succeeds but dash doesn't like local:
> | $ dash
> | $ local foo=bar
> | dash: 1: local: not in a function
> | $ echo $foo
> | 
> | $ 
> 
> Which leads to:
>   rm -f *
> 
> => Nasty!
> 
> Traced back to 1:6.2p1-1 due to:
>      - Update ssh-copy-id to Phil Hands' greatly revised version
>        (closes: #99785, #322228, #620428; LP: #518883, #835901, #1074798).
> 
> (Tagging "upstream" as it's also mention in upstream's ChangeLog.)
> 
> debdiffing both 6.1p1-4 and 1:6.2p1-1 confirms that the regression
> was introduced in the latter (there was no "local" before).

Forwarded upstream, thanks.  However, I think you may have misdiagnosed
this due to the way you tested it; 'local' works just fine in dash if
it's inside a function, as it is in ssh-copy-id:

  $ dash
  $ populate_new_ids() {
  >   local foo=bar
  >   echo $foo
  > }
  $ populate_new_ids
  bar
  $ 

Maybe mktemp failed in some other way.  Did ~/.ssh exist before running
this command?  mktemp won't create leading directories.

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #17 received at 708419@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: Colin Watson <cjwatson@debian.org>

Cc: 708419@bugs.debian.org

Subject: Re: Bug#708419: openssh-client: ssh-copy-id leads to rm -f * (local vs. dash)

Date: Wed, 15 May 2013 19:51:05 +0200

[Message part 1 (text/plain, inline)]

Colin Watson <cjwatson@debian.org> (15/05/2013):
> Forwarded upstream, thanks.  However, I think you may have misdiagnosed
> this due to the way you tested it; 'local' works just fine in dash if
> it's inside a function, as it is in ssh-copy-id:
> 
>   $ dash
>   $ populate_new_ids() {
>   >   local foo=bar
>   >   echo $foo
>   > }
>   $ populate_new_ids
>   bar
>   $ 

That part was a bit too quick (on my way out), but I'm pretty certain
the rm -f came from ssh-copy-id (I started with a strace -f, and PIDs
confirm this).

> Maybe mktemp failed in some other way.  Did ~/.ssh exist before running
> this command?  mktemp won't create leading directories.

IIRC (I don't have the machine or the logs handy), mktemp succeeded.

I'll try to instrument that tomorrow with the coworker who suffered
this.

Mraw,
KiBi.

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 708419@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: Colin Watson <cjwatson@debian.org>

Cc: 708419@bugs.debian.org

Subject: Bug#708419: openssh-client: ssh-copy-id can "rm -f *" if mktemp fails

Date: Wed, 15 May 2013 20:00:02 +0200

[Message part 1 (text/plain, inline)]

Control: retitle -1 openssh-client: ssh-copy-id can "rm -f *" if mktemp fails

Colin Watson <cjwatson@debian.org> (15/05/2013):
> Maybe mktemp failed in some other way.  Did ~/.ssh exist before running
> this command?  mktemp won't create leading directories.

OK, trying locally, adding "echo" before the two "rm" (see both lines
with "trap"), and moving ~/.ssh away, I'm getting a mktemp failure,
and "echo rm" prints all the files which would be otherwise deleted.

Running ssh-copy-id from the wrong machine can lead to such an ENOENT
issue; running with the wrong user, or with wrong permissions
(e.g. after a reinstall/restoration from a backup), EPERM is another
likely cause.

Sorry for jumping to the wrong cause, but the conclusion stands.

Mraw,
KiBi.

[signature.asc (application/pgp-signature, inline)]

Message #31 received at 708419-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 708419-close@bugs.debian.org

Subject: Bug#708419: fixed in openssh 1:6.2p2-1

Date: Thu, 16 May 2013 13:33:13 +0000

Source: openssh
Source-Version: 1:6.2p2-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 708419@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 16 May 2013 14:05:06 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:6.2p2-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 708275 708419
Changes: 
 openssh (1:6.2p2-1) unstable; urgency=low
 .
   * New upstream release (http://www.openssh.com/txt/release-6.2p2):
     - Only warn for missing identity files that were explicitly specified
       (closes: #708275).
     - Fix bug in contributed contrib/ssh-copy-id script that could result in
       "rm *" being called on mktemp failure (closes: #708419).
Checksums-Sha1: 
 794ba4b5229d1626af4a873b421d4961590d6032 2571 openssh_6.2p2-1.dsc
 c2b4909eba6f5ec6f9f75866c202db47f3b501ba 1182922 openssh_6.2p2.orig.tar.gz
 e825ac0931eaa0c67152aa8a2d9e841d0fae64eb 253166 openssh_6.2p2-1.debian.tar.gz
 928afd6d5b43dc0530dc3da62850ae9c7fccd5ce 1082484 openssh-client_6.2p2-1_i386.deb
 b693680a48fc250b7ed23da97a5cc210ecb9f7d9 361336 openssh-server_6.2p2-1_i386.deb
 2ca3eefd60ae6f01b50b863e8918e417ce7bcd50 1252 ssh_6.2p2-1_all.deb
 c05b684d261c13cf7bca276a5d18d7de25b7268d 102644 ssh-krb5_6.2p2-1_all.deb
 593d9140c35ffa813ac85e4d69d7bb3f4efdc6b7 110516 ssh-askpass-gnome_6.2p2-1_i386.deb
 e062b973b9767944013f50c818da6e7aca37adc9 183002 openssh-client-udeb_6.2p2-1_i386.udeb
 0f4dc77f03cded3f0270de8f5124d1ff6a50f01b 208336 openssh-server-udeb_6.2p2-1_i386.udeb
Checksums-Sha256: 
 5b81f3e5e61521139771a484fecf815f4dee400e6342abf2584749aa9717c34f 2571 openssh_6.2p2-1.dsc
 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b 1182922 openssh_6.2p2.orig.tar.gz
 10215caabdb6284c3ea1794aca87db347e05398622a7ba7114dca45b2d515a50 253166 openssh_6.2p2-1.debian.tar.gz
 1a6d531323e83e82abb317ddb3465e4fda48919f55c48f591a44714d6366e8ea 1082484 openssh-client_6.2p2-1_i386.deb
 322b96c9d92b0863576ba9fc37ee67e2441d8d856a12e9288fe0c12c607fc3ef 361336 openssh-server_6.2p2-1_i386.deb
 ecf99d042011217d1372298340661804d2c60e1612b407609894b91746afc052 1252 ssh_6.2p2-1_all.deb
 e23d9c2f96bb09aa040a58ab601714f33a033e7eeae08cdeb177713e1926645d 102644 ssh-krb5_6.2p2-1_all.deb
 6e5d6c9840d92e08ddc4a858287535566131165224cefa0e987bf932ffb12655 110516 ssh-askpass-gnome_6.2p2-1_i386.deb
 fcaf21732a10d32b2a5a2cf811711c6aec35ea069eb03fa37712d38c279c0bc7 183002 openssh-client-udeb_6.2p2-1_i386.udeb
 80002bb0a6869d795ad51d7ff51fb60bec6bc1daa35214daeaf595d227caa02f 208336 openssh-server-udeb_6.2p2-1_i386.udeb
Files: 
 069902610d4f64b5963ec87a5b0ede77 2571 net standard openssh_6.2p2-1.dsc
 be46174dcbb77ebb4ea88ef140685de1 1182922 net standard openssh_6.2p2.orig.tar.gz
 56584350fd63c3df0a55f1567de2b729 253166 net standard openssh_6.2p2-1.debian.tar.gz
 9ab22767ac85a970c5cb1922e23d1a44 1082484 net standard openssh-client_6.2p2-1_i386.deb
 d8e21f5f42e149d6679af2a32adc6f10 361336 net optional openssh-server_6.2p2-1_i386.deb
 7758d29ffb134597c6e243c0414a780d 1252 net extra ssh_6.2p2-1_all.deb
 6865e1cef4bcbb9534e451d019a15519 102644 oldlibs extra ssh-krb5_6.2p2-1_all.deb
 fe0c55e90825a3a9e8f14c4a7a33df5c 110516 gnome optional ssh-askpass-gnome_6.2p2-1_i386.deb
 f559ed171df45818b0ead0a368291075 183002 debian-installer optional openssh-client-udeb_6.2p2-1_i386.udeb
 fdca32b4c5ca02815b0ff4da21dceddf 208336 debian-installer optional openssh-server-udeb_6.2p2-1_i386.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iQIVAwUBUZTbHzk1h9l9hlALAQgAfRAAnO75/ReBARQMFOjSRYZXMIfUXXhUzQmj
YlWeoy7HhLmlZdJOJSOHenAEGYzeW3w4CnRyseUQFhLXnfsIkNPVVORTlErNuPAa
9veI7u6hG3XOSvkmEl6gLCA0Rjir4IhGBaw9Q8TRfqmys8PW1U6xtiSc34MZXaXJ
SXeFZon2/PqkJ59/FHGtNKfCzlELnHQV2tgnuadvc1TGGgziBtHM4KJRO623EXIs
brGPbP8loIXac7s2tx2eJLwIzXQxbNDWrVW9l2gum/D56b3mPLdezwKndH+7eMOG
LrLVNcTrjfIyZuvX2FpMOEmxmsalyf0iOU77dOFqufAJVTiyMaE0Y535alPu/V9J
OXlXJ7c0n2gDlA/bHTlfwoYSlj1xog9dRiMma6Tw3REU1BztM5SK9po1mw0XpnEr
Hu7XtrtvE5m/ai/fjvPekULJC/XD/OIhKwGl6qWWbEHE0Yr/8L3NN/zwIheDHxmj
nggAtZw7M2VmFo5wq+3FYVt5zHM3GP9fnuDLFTzPEr7EGDZMpgAyjiQi09LfG/Zb
EcUQn1ELJysDGwa0XK6zrYJXqaFxZHuMlW/IZ61aydbnrErWTQxGnVsFvCutPUrt
XT2n3sTqH9DB9zG4wFNvXCPEKvLPhJ8Emr34YRFuxjjYi9ro4QEtWr/ZHc+Pfm3O
a9nVnjihHGw=
=HFV1
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.