bugzilla-daemon at mindrot.org
2015-Aug-05 21:56 UTC
[Bug 2440] New: X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

            Bug ID: 2440
           Summary: X11 connection will fail if user's home directory is
                    read-only
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: huieying.lee at oracle.com

Created attachment 2680
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2680&action=edit
This patch is to change the location of the XAUTHORITY file from
~/.Xauthority to a per-session Xauth file in the /tmp directory

If a user's home directory is read-only, then the X11 connection will be
rejected because of wrong authentication. For example,

$ ssh -l hylee_local a-server
Password:
Last login: Wed Aug 5 14:09:42 2015 from 10.132.148.106
/usr/bin/xauth: timeout in locking authority file /export/home/hylee_local/.Xauthority
hylee_local$ /usr/bin/xemacs /tmp/junk
X11 connection rejected because of wrong authentication.
...

The root cause of the problem is that the xauth program (invoked by sshd)
couldn't lock the non-writable ~/.Xauthority file.

This is a serious problem on Solaris, because a writable home directory
isn't always available for root in an immutable zone.

We have resolved this problem by changing sshd to use a distinct temporary
X authority file for each session. This temporary Xauthority file will be
stored in the /tmp directory and it will be removed when the session is
closed.

Attached is our bug-fix patch file, which applies to OpenSSH 6.8p1.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 03:26 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
   Attachment #2680|application/octet-stream    |text/plain
          mime type|                            |
   Attachment #2680|0                           |1
           is patch|                            |
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 03:28 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2451

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:44 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-7.3
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:45 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2543

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:47 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2451                        |

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-7.3

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2016-Apr-25 23:59 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

--- Comment #3 from huieying.lee at oracle.com ---
Created attachment 2809
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2809&action=edit
new patch file for per session xauth enhancement
bugzilla-daemon at bugzilla.mindrot.org
2016-Apr-26 00:08 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440 --- Comment #4 from huieying.lee at oracle.com --- Recently, we discovered that the original code changes for this enhancement would not work if UsePrivilegeSeparation is set to NO. We fixed the problem with the following code changes: -------------------------------------------------------------------- --- old/session.c Mon Apr 25 15:33:39 2016 +++ new/session.c Mon Apr 25 15:37:31 2016 @@ -2241,6 +2241,7 @@ * means that we won't set XAUTHORITY variable in child's environment * and xauth(1) will use the default location for the authority file. */ + temporarily_use_uid(s->pw); if (mkdtemp(xauthdir) != NULL) { s->auth_file = xmalloc(MAXPATHLEN); snprintf(s->auth_file, MAXPATHLEN, "%s/xauthfile", @@ -2273,6 +2274,7 @@ "authority file: %.100s; will use the default xauth file", strerror(errno)); } + restore_uid(); #endif return success; } ----------------------------------------------------------------------- A new patch file was attached also, which applies to OpenSSH 7.2p2. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
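Review bot: temporarily_use_uid(s->pw) is opened before the mkdtemp(3) call but restore_uid() is only reached just before the #endif at the bottom of the function, so any early return or fatal() in the lines between the two hunks (not shown here) would leave the effective uid switched to the user for whatever sshd does next; check that every exit from that region passes through restore_uid(), or place the restore immediately after the mkdtemp/snprintf block so the switched window covers only the directory creation. The patch description should also say why the bracketing is needed: with UsePrivilegeSeparation no, the post-authentication code still runs as root, so mkdtemp(3) would otherwise create a root-owned 0700 directory under /tmp that xauth(1), running as the user, cannot write its xauthfile into.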
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:10 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:14 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2594

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:15 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:17 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:19 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2543                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Dec-16 03:31 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2647

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
OpenSSH 7.4 release is closing; punt the bugs to 7.5

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Dec-16 03:33 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2594                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:43 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2698

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back.

To calibrate expectations, there's little chance all of these are going
to make 7.6.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:44 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

--- Comment #11 from Damien Miller <djm at mindrot.org> ---
remove 7.5 target
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:45 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2647                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-01 04:54 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
           Assignee|unassigned-bugs at mindrot.org|djm at mindrot.org
   Attachment #3047|                            |ok?(dtucker at zip.com.au)
              Flags|                            |

--- Comment #12 from Damien Miller <djm at mindrot.org> ---
Created attachment 3047
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3047&action=edit
factor out agent socket directory creation for reuse

The agent forwarding code already creates one directory, so to avoid a
proliferation, this factors it out in preparation for using it for xauth
files too.

Also moves the ExposeAuthInfo contents to that directory now that it is
convenient.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-01 04:55 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2680|0                           |1
        is obsolete|                            |
   Attachment #2809|0                           |1
        is obsolete|                            |

--- Comment #13 from Damien Miller <djm at mindrot.org> ---
Created attachment 3048
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3048&action=edit
create xauth file in temp directory

This uses the previous refactoring to create a per-session xauth file.
If the file is created successfully then its location is supplied via
XAUTHORITY and automatically used by xauth(1).
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 03:29 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2782

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 03:34 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2698                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 03:09 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2852

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 03:12 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2782                        |

--- Comment #14 from Damien Miller <djm at mindrot.org> ---
Move to OpenSSH 7.8 tracking bug

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Jul-20 04:10 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

--- Comment #15 from Damien Miller <djm at mindrot.org> ---
dtucker made this observation:

> this will make it much harder to use an X display from anywhere else
> other than the session that created it. Right now I could do
> "DISPLAY=:10.0 some_installer" on the console and it'll pick
> up the cookie from ~/.Xauthority and probably work, or at least be no
> more broken than usual.
>
> I'm not sure if that's a down side or not but it's certainly a change
> in behaviour.
bugzilla-daemon at bugzilla.mindrot.org
2018-Jul-20 04:17 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2852                        |

--- Comment #16 from Damien Miller <djm at mindrot.org> ---
untarget this because we'll need to think about it a little more.

Maybe we could do an access(3) check and only fall back to tmp-hosted
XAUTHORITY if it failed? OTOH that seems an excessively complex solution
to what is essentially a configuration problem.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
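The mechanics behind the original report (xauth(1) must take a lock beside ~/.Xauthority, which a read-only home defeats), the per-session /tmp fallback in the attached patches, the "try the home file first, fall back only on failure" idea from comment #16, and dtucker's caveat in comment #15 can all be exercised in one place. The following is an added example written for this page, not code from the bug report, its attachments, or OpenSSH; it models xauth's lock as exclusive creation of a `<file>-c` sibling (libXau additionally link()s that to `<file>-l`, omitted here), uses the real Xauthority record layout, and runs against a constructed host name, display number and cookie in a throwaway temp directory:

```python
"""Per-session XAUTHORITY selection plus a reader/writer for the ~/.Xauthority
record format. Added example for this thread, not code from the bug report,
its attached patches, or OpenSSH. Assumptions (not from the page): xauth's
lock step is modelled as exclusive creation of '<file>-c' beside the authority
file (libXau also link()s it to '<file>-l'; omitted). The record layout
(big-endian uint16 family, then four uint16-length-prefixed byte strings) is
the real Xau format. The host, display and cookie in demo() are constructed.
"""
import os
import secrets
import shutil
import struct
import tempfile

FAMILY_LOCAL = 256                  # Xau FamilyLocal: address is the host name
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"

def _field(b):
    """uint16 big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def pack_entry(family, address, number, name, data):
    """Serialise one authority record in the layout XauWriteAuth uses."""
    return struct.pack(">H", family) + b"".join(
        _field(x) for x in (address, number, name, data))

def iter_entries(blob):
    """Yield (family, address, number, name, data) tuples from a file image."""
    off, end = 0, len(blob)
    while off < end:
        family = struct.unpack_from(">H", blob, off)[0]
        fields, off = [], off + 2
        for _ in range(4):
            length = struct.unpack_from(">H", blob, off)[0]
            fields.append(blob[off + 2:off + 2 + length])
            off += 2 + length
        yield (family, *fields)

def lookup_cookie(path, host, display):
    """Cookie for host:display, or None if the file is missing or has no match."""
    try:
        with open(path, "rb") as f:
            blob = f.read()
    except OSError:
        return None
    for family, addr, num, name, data in iter_entries(blob):
        if (family, addr, num, name) == (FAMILY_LOCAL, host, display, COOKIE_NAME):
            return data
    return None

def can_lock(auth_file):
    """Mimic the lock xauth(1) takes before editing: O_CREAT|O_EXCL of
    '<auth_file>-c'. On a read-only home this is the step that fails."""
    lock = auth_file + "-c"
    try:
        fd = os.open(lock, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError:
        return False
    os.close(fd)
    os.unlink(lock)
    return True

def choose_xauthority(home_auth_file):
    """Return (path, per_session): ~/.Xauthority when lockable, so the user's
    other sessions still see the cookie; else a file in a private mkdtemp dir."""
    if can_lock(home_auth_file):
        return home_auth_file, False
    xauthdir = tempfile.mkdtemp(prefix="ssh-xauth-")  # 0700, owned by caller
    return os.path.join(xauthdir, "xauthfile"), True

def add_cookie(path, host, display):
    """Append a fresh 128-bit MIT-MAGIC-COOKIE-1 record; return the cookie."""
    cookie = secrets.token_bytes(16)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "ab") as f:
        f.write(pack_entry(FAMILY_LOCAL, host, display, COOKIE_NAME, cookie))
    return cookie

def demo():
    """Read-only $HOME (mode 0500): the fallback kicks in and the cookie is then
    invisible via ~/.Xauthority (dtucker's point). Root ignores mode bits, so
    as root the lock succeeds and no fallback happens."""
    home = tempfile.mkdtemp(prefix="ro-home-")
    home_auth = os.path.join(home, ".Xauthority")
    os.chmod(home, 0o500)
    path, per_session = choose_xauthority(home_auth)
    host, display = b"a-server", b"10"          # constructed: DISPLAY=a-server:10
    cookie = add_cookie(path, host, display)
    result = {"per_session": per_session, "euid_root": os.geteuid() == 0,
              "found_in_chosen": lookup_cookie(path, host, display) == cookie,
              "found_in_home": lookup_cookie(home_auth, host, display) == cookie}
    os.chmod(home, 0o700)
    shutil.rmtree(home)
    if per_session:
        shutil.rmtree(os.path.dirname(path))
    return result

if __name__ == "__main__":
    print(demo())
```

Running `demo()` as an unprivileged user returns `per_session` True, `found_in_chosen` True and `found_in_home` False: the session works, but a shell that only consults ~/.Xauthority (the `DISPLAY=:10.0 some_installer` case from comment #15) never sees the cookie unless it also exports the same XAUTHORITY. The lock-first ordering in `choose_xauthority` is the access()-style fallback from comment #16; its cost is the extra branch, and its benefit is that nothing changes for users whose home directory is writable.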
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-16 17:36 UTC
[Bug 2440] X11 connection will fail if user's home directory is read-only
https://bugzilla.mindrot.org/show_bug.cgi?id=2440

Peter Oliver <bugzilla.mindrot.org at mavit.org.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla.mindrot.org at mavit.org.uk

--- Comment #17 from Peter Oliver <bugzilla.mindrot.org at mavit.org.uk> ---
(In reply to Damien Miller from comment #16)
> Maybe we could do an access(3) check and only fall back to
> tmp-hosted XAUTHORITY if it failed?

There are other reasons for putting .Xauthority outside the home directory
besides the home directory being read only. See, for example, the write-up
at https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1648107.