bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-02 05:03 UTC
[Bug 1679] New: chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 Summary: chroot and shell check ambiguity Product: Portable OpenSSH Version: 5.3p1 Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: alex at rtfs.hu Created an attachment (id=1737) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1737) Initial patch OpenSSH will fail in a scenario where the server is configured with chroot and a shell used by a user is not available outside, just inside the chroot. The reason behind this is that ssh checks whether the given shell is a file and is executable, but this check doesn't takes the chroot path into account. I also attach an initial patch diffed against CVS (checked out few minutes ago), which I am not happy with but it can stand here as a record. I copied the chroot part from session.c -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-04 01:21 UTC
[Bug 1679] chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 Alex Beregszaszi <alex at rtfs.hu> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1737|0 |1 is obsolete| | --- Comment #1 from Alex Beregszaszi <alex at rtfs.hu> 2009-12-04 12:21:29 EST --- Created an attachment (id=1738) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1738) Initial patch Attached a wrong patch first. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-04 02:13 UTC
[Bug 1679] chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Blocks| |1626 -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-13 12:26 UTC
[Bug 1679] chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 --- Comment #2 from Damien Miller <djm at mindrot.org> 2010-01-13 23:25:59 EST --- Created an attachment (id=1777) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1777) /home/djm/auth-check-chroot-shell.diff tweaked patch -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-13 12:28 UTC
[Bug 1679] chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 --- Comment #3 from Damien Miller <djm at mindrot.org> 2010-01-13 23:28:13 EST --- Created an attachment (id=1778) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1778) /home/djm/auth-check-chroot-shell.diff oops, patch without tabs vs. space issues -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-13 12:28 UTC
[Bug 1679] chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1778| |ok?(dtucker at zip.com.au) Flag| | -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-13 12:35 UTC
[Bug 1679] chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1778|ok?(dtucker at zip.com.au) |ok+ Flag| | --- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2010-01-13 23:35:44 EST --- (From update of attachment 1778)>+ strcasecmp(options.chroot_directory, "none") != 0) {Do we do case-insensitive matches on "none"? -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-13 23:50 UTC
[Bug 1679] chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 --- Comment #5 from Damien Miller <djm at mindrot.org> 2010-01-14 10:50:29 EST --- (In reply to comment #4)> (From update of attachment 1778 [details]) > >+ strcasecmp(options.chroot_directory, "none") != 0) { > > Do we do case-insensitive matches on "none"?We are inconsistent already, I'll send a diff to use case-insensitive comparisons everywhere. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-14 00:02 UTC
[Bug 1679] chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #6 from Damien Miller <djm at mindrot.org> 2010-01-14 11:02:05 EST --- (In reply to comment #4)> (From update of attachment 1778 [details]) > >+ strcasecmp(options.chroot_directory, "none") != 0) { > > Do we do case-insensitive matches on "none"?This is consistent with the other match against "none" for chrootdirectory, but in general we are not consistent in matching :( Anyway, patch applied - this will be in OpenSSH 5.4 - thanks for the report and patch! -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-25 23:50 UTC
[Bug 1679] chroot and shell check ambiguity
https://bugzilla.mindrot.org/show_bug.cgi?id=1679 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #7 from Darren Tucker <dtucker at zip.com.au> 2010-03-26 10:50:45 EST --- With the release of 5.4p1, this bug is now considered closed. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.