bugzilla-daemon at mindrot.org
2004-Mar-03 02:05 UTC
[Bug 805] scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
http://bugzilla.mindrot.org/show_bug.cgi?id=805
Summary: scp-ing using a regular user created files in ROOT
directory which was NOT writable for that user
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: scp
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: wim.delvaux at adaptiveplanet.com
Command:
scp SomeLocalFile USER at Host:/ # in fact the / was a typo
Password for USER was given and entered.
File was created .. under root of HOST. However ls -la of that ROOT directory showed
755 rights and owned by root. So USER is NOT allowed to write files there.
This can mean that any user can copy a file over the vmlinux kernel.
This is a SEVERE error.
I do not know if other versions of ssh/scp are affected. My version is 2.6.1P2 (Debian SID)
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Mar-03 02:13 UTC
[Bug 805] scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
http://bugzilla.mindrot.org/show_bug.cgi?id=805
------- Additional Comments From mouring at eviladmin.org 2004-03-03 13:13 -------
yume:~ mouring$ scp x mouring at SITE:/
Enter passphrase for key '/Users/mouring/.ssh/id_rsa':
scp: /x: Permission denied
yume:~ mouring$ ssh -V
OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
I can't replicate this with Apple ssh (which is OpenSSH Portable + GSSAPI + security patches).
Plus somehow I doubt this bug is even valid since the remote 'scp' is run as USER@
bugzilla-daemon at mindrot.org
2004-Mar-03 02:16 UTC
[Bug 805] scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
http://bugzilla.mindrot.org/show_bug.cgi?id=805
------- Additional Comments From tim at multitalents.net 2004-03-03 13:16 -------
tim at uw713-UnixWare 210% ls -ld /
drwxr-xr-x 47 root sys 4096 Feb 26 03:26 /
tim at uw713-UnixWare 211% scp /tmp/x tim at localhost:/
tim at localhost's password:
scp: /x: Permission denied
tim at uw713-UnixWare 212% ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
tim at uw713-UnixWare 213%
tim at ibm365 52%
Can't duplicate here.
bugzilla-daemon at mindrot.org
2004-Mar-03 02:42 UTC
[Bug 805] scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
http://bugzilla.mindrot.org/show_bug.cgi?id=805
------- Additional Comments From djm at mindrot.org 2004-03-03 13:42 -------
Can you recreate with OpenSSH 3.8p1?
bugzilla-daemon at mindrot.org
2004-Mar-03 03:17 UTC
[Bug 805] scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
http://bugzilla.mindrot.org/show_bug.cgi?id=805
------- Additional Comments From dtucker at zip.com.au 2004-03-03 14:17 -------
Debian uses PAM by default, maybe it's a PAM-specific thing?
Wim, please record the output of "scp -vvv SomeLocalFile USER at Host:/; ssh USER at Host ls -l /SomeLocalFile" and use "Create a New Attachment" to attach it to this bug.
Also, if the bug is with the Debian-supplied package, have you reported it to Debian?
bugzilla-daemon at mindrot.org
2004-Mar-30 10:56 UTC
[Bug 805] scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
http://bugzilla.mindrot.org/show_bug.cgi?id=805
------- Additional Comments From cjwatson at debian.org 2004-03-30 20:56 -------
On Debian with ssh 3.8p1-2:
[cjwatson at cairhien ~]$ ls -l foo
-rw-r--r-- 1 cjwatson cjwatson 0 Mar 30 11:30 foo
[cjwatson at cairhien ~]$ ls -ld /
drwxr-xr-x 23 root root 4096 Mar 22 02:47 /
[cjwatson at cairhien ~]$ scp foo cjwatson at localhost:/
scp: /foo: Permission denied
I can't think of anything PAM-related that might cause this.
bugzilla-daemon at mindrot.org
2004-Mar-30 11:27 UTC
[Bug 805] scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
http://bugzilla.mindrot.org/show_bug.cgi?id=805
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WORKSFORME
------- Additional Comments From dtucker at zip.com.au 2004-03-30 21:27 -------
Since none of us can reproduce this, without the debugging info there's nothing
else we can do. Please reopen if you have the debugging to attach. (Thanks Colin).
bugzilla-daemon at mindrot.org
2004-Mar-30 12:17 UTC
[Bug 805] scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
http://bugzilla.mindrot.org/show_bug.cgi?id=805
------- Additional Comments From markus at openbsd.org 2004-03-30 22:17 -------
I've seen people installing scp setuid root. Then things like this happen.
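
A check for the condition raised in the last comment, as an added example that is not part of the original thread: run on the receiving host, it reports whether the scp binary carries the setuid bit and is owned by root. The function names and the fallback path /usr/bin/scp are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a binary such as scp
# carries the setuid bit, and whether it is owned by root (uid 0).

# Print the numeric owner uid of a file, following symlinks.
owner_uid() {
    ls -lnLd -- "$1" 2>/dev/null | awk '{ print $3; exit }'
}

# Print one of: missing | ok | setuid-other | setuid-root
classify_binary() {
    if [ ! -f "$1" ]; then
        echo missing
    elif [ ! -u "$1" ]; then          # -u: true when the setuid bit is set
        echo ok
    elif [ "$(owner_uid "$1")" = "0" ]; then
        echo setuid-root              # would run with root's effective uid
    else
        echo setuid-other
    fi
}

# Classify every path given; return 1 if any of them is setuid-root.
audit_binaries() {
    rc=0
    for bin in "$@"; do
        verdict=$(classify_binary "$bin")
        printf '%-13s %s\n' "$verdict" "$bin"
        [ "$verdict" = "setuid-root" ] && rc=1
    done
    return "$rc"
}

# Default target: the scp found on PATH, else an assumed install location.
SCP_PATH=$(command -v scp 2>/dev/null || echo /usr/bin/scp)
audit_binaries "$SCP_PATH" || echo "WARNING: scp is installed setuid root"
```

A verdict of `ok` matches the "Permission denied" results the other commenters posted; `setuid-root` is the installation mistake described in the final comment.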