openssh bugs - Feb 2018 - [Bug 2831] New: ProxyJump self-exec construction ignores path-to-self, exec's wrong ssh

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

            Bug ID: 2831
           Summary: ProxyJump self-exec construction ignores path-to-self,
                    exec's wrong ssh
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: 68k
                OS: Mac OS X
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: phil.pennock at globnix.org

On a system with an older release in /usr/bin and current OpenSSH in
/usr/local/bin, but for $reasons keeping /usr/bin first in the $PATH,
having "ssh" exec itself using "ssh" as argv[0] will execute
the wrong
SSH.  That's what ProxyJump does.

Encountered via: git using core.sshCommand as a setting, and a config
file using ProxyJump.  The child ssh will complain about the invalid
configuration directive.


Since config can be read by "sftp" etc, I suspect that one fix is to
look for a path separator in "our" argv[0] and if found, then replace
the last component with "ssh" and use the result as the new
process'
argv[0], otherwise fall back to "ssh".

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

Phil Pennock <phil.pennock at globnix.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|Mac OS X                    |All
                 CC|                            |phil.pennock at globnix.org
           Severity|enhancement                 |normal
           Hardware|68k                         |All

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2852
                 CC|                            |djm at mindrot.org


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                            |dtucker at dtucker.net
             Status|NEW                         |ASSIGNED
   Attachment #3157|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3157
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3157&action=edit
Prefer to use argv[0] for ProxyJump ssh binary

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3157|ok?(dtucker at dtucker.net)    |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

--- Comment #2 from Phil Pennock <phil.pennock at globnix.org> ---
By inspection, that will break sftp because argv[0] will refer to sftp
and the ProxyJump will then try to execute sftp for the proxy
connection.

(Thanks for looking at this!)

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
I don't follow - sftp exec()s ssh with argv[0] as /usr/sbin/ssh not
sftp.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

--- Comment #4 from Phil Pennock <phil.pennock at globnix.org> ---
Sorry.  I was going from recollection that there was a scenario where
something parsed an ssh_config(5) file with argv[0] not ending "/ssh".
Looking again now, I only see ssh-keysign(1) doing so, and ProxyJump
clearly doesn't apply to that.

My mistake. Shutting up now.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Fix applied - this will be in OpenSSH 7.8

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2831

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close RESOLVED bugs with the release of openssh-8.0

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.