Markus Friedl
2001-Apr-04 12:58 UTC
[follow-up/fix] openssh 2.5.2p2 not allowing RSA authentication
the stat() on which file? On Wed, Apr 04, 2001 at 02:06:56PM +0200, Jan Just Keijser wrote:> hmmm, I found the problem and managed to fix it, but I am not sure if this > isn't broken: > > using gdb, I found that sshd fails to stat the 'authorized_keys' files, > which was in /local/home/janjust/.ssh/authorized_keys. Here were the > permissions for the directories and files leading to that file: > > drwxr-sr-x 11 root root 4096 Mar 20 15:57 /local > drwxr-s--- 3 root users 4096 Jan 18 11:24 /local/home > drwxr-sr-x 27 janjust users 4096 Apr 4 13:34 /local/home/janjust > drwx------ 2 janjust users 4096 Apr 4 13:12 > /local/home/janjust/.ssh > -rw------- 1 janjust users 1357 Jan 16 10:39 > /local/home/janjust/.ssh/authorized_keys > > the error that stat() returned is 'Permission denied'. After changing the > permissions to > > drwxr-sr-x 11 root root 4096 Mar 20 15:57 /local > drwxr-sr-x 3 root users 4096 Jan 18 11:24 /local/home > drwxr-sr-x 27 janjust users 4096 Apr 4 13:59 /local/home/janjust > drwx------ 2 janjust users 4096 Apr 4 13:12 > /local/home/janjust/.ssh > -rw------- 1 janjust users 1357 Jan 16 10:39 > /local/home/janjust/.ssh/authorized_keys > > (i.e. I changed the permissions on /local/home !) everything is working > fine. That's bizar, and I wonder where this is broken - not in OpenSSH > probably, more likely somewhere in glibc... > > comments, any one? > > TIA, > > JJK / Jan Just Keijser > Cisco Systems International BV
Jan Just Keijser
2001-Apr-04 13:09 UTC
[follow-up/fix] openssh 2.5.2p2 not allowing RSA authentication
the stat() on $HOME/.ssh/authorized_keys fails, which the server needs to read to determine whether RSA authentications are allowed. My bet about what's happening is this: sshd runs as euid root, gid 0 auth-rsa.c switches to euid janjust, but does not change the egid using setegid() euid janjust, gid 0 does *NOT* have access to the directory /local/home with permissions 750 the stat() call walks down the path of the file and runs into this permission problem and bails out, even though the user would have access to directories and files below the troublesome /local/home directory. HTH, JJK Markus Friedl wrote:> the stat() on which file? > > On Wed, Apr 04, 2001 at 02:06:56PM +0200, Jan Just Keijser wrote: > > hmmm, I found the problem and managed to fix it, but I am not sure if this > > isn't broken: > > > > using gdb, I found that sshd fails to stat the 'authorized_keys' files, > > which was in /local/home/janjust/.ssh/authorized_keys. Here were the > > permissions for the directories and files leading to that file: > > > > drwxr-sr-x 11 root root 4096 Mar 20 15:57 /local > > drwxr-s--- 3 root users 4096 Jan 18 11:24 /local/home > > drwxr-sr-x 27 janjust users 4096 Apr 4 13:34 /local/home/janjust > > drwx------ 2 janjust users 4096 Apr 4 13:12 > > /local/home/janjust/.ssh > > -rw------- 1 janjust users 1357 Jan 16 10:39 > > /local/home/janjust/.ssh/authorized_keys > > > > the error that stat() returned is 'Permission denied'. After changing the > > permissions to > > > > drwxr-sr-x 11 root root 4096 Mar 20 15:57 /local > > drwxr-sr-x 3 root users 4096 Jan 18 11:24 /local/home > > drwxr-sr-x 27 janjust users 4096 Apr 4 13:59 /local/home/janjust > > drwx------ 2 janjust users 4096 Apr 4 13:12 > > /local/home/janjust/.ssh > > -rw------- 1 janjust users 1357 Jan 16 10:39 > > /local/home/janjust/.ssh/authorized_keys > > > > (i.e. I changed the permissions on /local/home !) everything is working > > fine. That's bizar, and I wonder where this is broken - not in OpenSSH > > probably, more likely somewhere in glibc... > > > > comments, any one? > > > > TIA, > > > > JJK / Jan Just Keijser > > Cisco Systems International BV
Jan Just Keijser
2001-Apr-04 13:32 UTC
[follow-up/fix] openssh 2.5.2p2 not allowing RSA authentication
> the stat() on $HOME/.ssh/authorized_keys fails, which the server needs to read > to determine whether RSA authentications are allowed. My bet about what's > happening is this: > > sshd runs as euid root, gid 0 > auth-rsa.c switches to euid janjust, but does not change the egid using > setegid() > euid janjust, gid 0 does *NOT* have access to the directory /local/home with > permissions 750 > the stat() call walks down the path of the file and runs into this permission > problem and bails out, even though the user would have access to directories > and files below the troublesome /local/home directory. >I should've accepted bets :-) : when I add the following (ugly) hack: gid_t old_gid; /* no user given */ if (pw == NULL) return 0; /* Temporarily use the user's uid. */ old_gid = getegid(); if (setegid(pw->pw_gid) < 0 ) { packet_send_debug("setegid(%d) failed: %s!", pw->pw_gid, strerror( errno ) ); } temporarily_use_uid(pw->pw_uid); /* The authorized keys. */ snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, _PATH_SSH_USER_PERMITTED_KEYS); /* Fail quietly if file does not exist */ if (stat(file, &st) < 0) { packet_send_debug("euid = %d egid = %d", geteuid(), getegid() ); packet_send_debug("stat() returned error: %s", strerror(errno) ); /* Restore the privileged uid. */ restore_uid(); setegid(old_gid); packet_send_debug("Could not stat %.900s.", file); return 0; } i.e. I save the current gid and then set the egid to pw->pw_gid then the stat() call on $HOME/.ssh/authorized_keys works without problems (yes, I changed the permission back to 750 - the unpatched sshd is broken again); you have to do setegid BEFORE seteuid, coz once you're a mere user you're not allowed to do this anymore (as I found out the hard way). A proper fix would be to add this to uidswap.c, I guess... share and enjoy, JJK / Jan Just Keijser Cisco Systems International BV
Apparently Analagous Threads
- [PATCH] permanently_set_uid: Don't try restoring gid on Cygwin
- OpenSSH-3.9p1 permanently_set_uid behavior on Linux
- Question about a recent change to uidswap.c in the portability snapshot
- Porting OpenSSH 2.9.9p2 to Dynix V4.4.4
- [Bug 1182] uid 0, gid !=0 fools defensive check in uidswap.c