Jan Pechanec
2010-Jan-11 11:46 UTC
/etc/nologin must be world-readable which is not totally clear
Hi, the man page for sshd(1) says about /etc/nologin: "The file should be world-readable". However, nologin has no effect if it's not readable by the connecting user:

	if (pw->pw_uid)
		f = fopen(_PATH_NOLOGIN, "r");

	if (f) {
		/* /etc/nologin exists.  Print its contents and exit. */
		...
		...
		return(254)

If root has a stricter umask than 022 it can easily happen that /etc/nologin ends up with 0600 permissions, for example. The user would not be able to be sent the file's contents anyway, but he/she can log in. It can lead to situations where login is assumed to be prohibited to non-root users when it is not.

I can file a bug in bugzilla and send a patch if you agree that it should be fixed. If this behaviour should be preserved, I suggest updating the man page; it should read "The file must be world-readable" in that case.

cheers, J.

--
Jan Pechanec
http://blogs.sun.com/janp
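The behaviour Jan describes, placed next to an existence check that does not depend on the connecting user being able to read the file, as an added example that is not code from this thread or from OpenSSH. The function names, the constructed files under /tmp, the hard-coded uid 1000 and the driver that creates and removes them are assumptions for the demo; the real do_nologin() also consults login.conf and exit(254)s rather than returning a result.

```c
/*
 * Added example, not OpenSSH code.  Contrasts the fopen()-based
 * /etc/nologin test quoted in the post with a stat()-based existence test.
 * Names, uid 1000 and the /tmp files are assumptions for the demo.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum nologin_result { LOGIN_ALLOWED = 0, LOGIN_DENIED = 1 };

/*
 * The logic quoted from session.c: deny only if fopen(path, "r") succeeds,
 * so an existing but unreadable file is silently treated as absent.  If err
 * is non-NULL it receives errno from a failed fopen(); on POSIX systems a
 * permission failure is EACCES (EPERM is not what open(2) returns here).
 */
enum nologin_result nologin_fopen_check(const char *path, uid_t uid, int *err)
{
    FILE *f = NULL;

    if (err != NULL)
        *err = 0;
    if (uid != 0) {
        errno = 0;
        f = fopen(path, "r");
        if (f == NULL && err != NULL)
            *err = errno;
    }
    if (f == NULL)
        return LOGIN_ALLOWED;
    fclose(f);
    return LOGIN_DENIED;
}

/*
 * Hardened variant: the policy question is "does the file exist?", which
 * stat(2) answers with only search permission on the directory.  Contents
 * are printed to out only when readable; denial never depends on that.
 */
enum nologin_result nologin_stat_check(const char *path, uid_t uid, FILE *out)
{
    struct stat sb;
    FILE *f;
    char buf[1024];

    if (uid == 0 || stat(path, &sb) == -1)
        return LOGIN_ALLOWED;   /* root is exempt, or the file is absent */
    if (out != NULL && (f = fopen(path, "r")) != NULL) {
        while (fgets(buf, sizeof(buf), f))
            fputs(buf, out);
        fclose(f);
    }
    return LOGIN_DENIED;
}

/*
 * Demo driver: create a constructed nologin file in /tmp with the given
 * mode, run one of the two checks against it as uid, remove it, and report.
 * use_stat selects the hardened check; err (nullable) gets fopen's errno.
 */
enum nologin_result check_with_mode(mode_t mode, uid_t uid, int use_stat, int *err)
{
    char path[] = "/tmp/nologin-example-XXXXXX";
    const char msg[] = "system going down for maintenance\n";
    enum nologin_result r;
    int fd = mkstemp(path);

    if (fd == -1 || write(fd, msg, sizeof(msg) - 1) < 0 || fchmod(fd, mode) == -1) {
        perror("constructing nologin file");
        exit(1);
    }
    close(fd);
    r = use_stat ? nologin_stat_check(path, uid, NULL)
                 : nologin_fopen_check(path, uid, err);
    unlink(path);
    return r;
}

/* errno seen by the fopen()-based check against a file of the given mode (0 if it opened). */
int fopen_errno_with_mode(mode_t mode)
{
    int err = 0;
    check_with_mode(mode, 1000, 0, &err);
    return err;
}

int main(void)
{
    /* Readable file: both checks agree and deny the ordinary user. */
    printf("0644, fopen check: %d\n", check_with_mode(0644, 1000, 0, NULL));
    printf("0644, stat  check: %d\n", check_with_mode(0644, 1000, 1, NULL));
    /* Unreadable file: run as a non-root user, the fopen check lets the login through. */
    printf("0000, fopen check: %d (errno %d, EACCES is %d)\n",
        check_with_mode(0000, 1000, 0, NULL), fopen_errno_with_mode(0000), EACCES);
    printf("0000, stat  check: %d\n", check_with_mode(0000, 1000, 1, NULL));
    return 0;
}
```

Run it as an ordinary user: the 0000 file is denied by the stat-based check but allowed by the fopen-based one, and the errno it leaves behind is EACCES, which is the detail to keep in mind when deciding what to test for after a failed fopen(). Run as root, fopen() succeeds on the 0000 file as well (DAC override), so only the unprivileged run shows the gap.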
Ben Lindstrom
2010-Jan-11 14:53 UTC
/etc/nologin must be world-readable which is not totally clear
Could have sworn I filed one a few years ago on this when it was brought to my attention. Maybe I didn't, since I can't find it.

- Ben

On Jan 11, 2010, at 5:46 AM, Jan Pechanec wrote:

> Hi, the man page for sshd(1) says about /etc/nologin: "The file
> should be world-readable". However, nologin has no effect if it's not
> readable by the connecting user:
>
> 	if (pw->pw_uid)
> 		f = fopen(_PATH_NOLOGIN, "r");
>
> 	if (f) {
> 		/* /etc/nologin exists.  Print its contents and exit. */
> 		...
> 		...
> 		return(254)
>
> If root has a stricter umask than 022 it can easily happen that
> /etc/nologin ends up with 0600 permissions, for example. The user would not
> be able to be sent the file's contents anyway, but he/she can log in. It can
> lead to situations where login is assumed to be prohibited to non-root
> users when it is not.
>
> I can file a bug in bugzilla and send a patch if you agree that
> it should be fixed. If this behaviour should be preserved, I suggest
> updating the man page; it should read "The file must be world-readable" in
> that case.
>
> cheers, J.
>
> --
> Jan Pechanec
> http://blogs.sun.com/janp
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Darren Tucker
2010-Jan-12 01:24 UTC
/etc/nologin must be world-readable which is not totally clear
On Mon, Jan 11, 2010 at 12:46:05PM +0100, Jan Pechanec wrote:
> Hi, the man page for sshd(1) says about /etc/nologin: "The file
> should be world-readable". However, nologin has no effect if it's not
> readable by the connecting user:

I agree that the existence of an unreadable /etc/nologin should prevent logins since it's pretty clear that's the admin's intent, so it's a bug in the code not the docs.

The simple solution is to check errno for EPERM. I'm about to apply the following patch which should cover it.

Index: session.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/session.c,v
retrieving revision 1.249
diff -u -p -r1.249 session.c
--- session.c	20 Nov 2009 00:15:41 -0000	1.249
+++ session.c	12 Jan 2010 00:27:21 -0000
@@ -1105,10 +1105,12 @@ do_nologin(struct passwd *pw)
 	if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
 		f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN,
 		    _PATH_NOLOGIN), "r");
-	if (f) {
+	if (f != NULL || errno == EPERM) {
 		/* /etc/nologin exists.  Print its contents and exit. */
 		logit("User %.100s not allowed because %s exists",
 		    pw->pw_name, _PATH_NOLOGIN);
+		if (f == NULL)
+			exit(254);
 		while (fgets(buf, sizeof(buf), f))
 			fputs(buf, stderr);
 		fclose(f);

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
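Review bot: the `errno == EPERM` test in the new `if (f != NULL || errno == EPERM)` line will not catch the case reported: open(2), and therefore fopen(3), reports a permission failure as EACCES, not EPERM, so an existing 0600 /etc/nologin still yields f == NULL with errno == EACCES and the user is let in exactly as before. Two further points in the same hunk: errno is never cleared before the fopen() call, and the call is skipped entirely when pw_uid is 0, so a stale EPERM left by an earlier library call (login_getcapstr(), for instance) would make root hit the logit("User %.100s not allowed because %s exists", ...) path and the new exit(254). Since the stated intent is "the file exists, so deny", a more robust shape is to stat(2) the path first, deny whenever stat() succeeds regardless of readability, and print the contents only if a subsequent fopen() also succeeds, e.g. `if (stat(nl, &sb) == -1) return;` followed by `if ((f = fopen(nl, "r")) != NULL) { ... fclose(f); }` and an unconditional `exit(254);`.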