thr3ads.net - openssh bugs - [Bug 2874] New: Privilege-dropping fails on some container systems [Jun 2018]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at bugzilla.mindrot.org

2018-Jun-04 20:44 UTC

[Bug 2874] New: Privilege-dropping fails on some container systems

https://bugzilla.mindrot.org/show_bug.cgi?id=2874

            Bug ID: 2874
           Summary: Privilege-dropping fails on some container systems
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: nicko at nicko.org

The main() function for in ssh.c calls PRIV_END even when the user is
unprivileged to start with. On several cloud 'Function as a service'
platforms, including AWS Lambda and Heroku, this fails with with an
"Operation not permitted" error.

This appears to be to do with the way that sandboxing capabilities of
these platforms restrict calls to seteuid() and the state of the real,
effective and saved user IDs.

It would be helpful if the PRIV_END and PRIV_START calls checked if
there were any privileges to drop or gain and not call seteuid() if
there is no privilege to be dropped.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2018-Jul-06 03:37 UTC

head link

[Bug 2874] Privilege-dropping fails on some container systems

https://bugzilla.mindrot.org/show_bug.cgi?id=2874

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3162
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3162&action=edit
PRIV_{START_END}: check if seteuid calls are needed before calling

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2018-Jul-06 03:37 UTC

head link

[Bug 2874] Privilege-dropping fails on some container systems

https://bugzilla.mindrot.org/show_bug.cgi?id=2874

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2852

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
does this work for you?


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2018-Jul-06 04:35 UTC

head link

[Bug 2874] Privilege-dropping fails on some container systems

https://bugzilla.mindrot.org/show_bug.cgi?id=2874

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Looking at the specification for seteuid it looks like those platforms
are not compliant.   IEEE Std 1003.1 both 2004 and 2018 Editions
specify the following reasons for seteuid to fail:

The seteuid() function shall fail if:

[EINVAL]
The value of the uid argument is invalid and is not supported by the
implementation.
[EPERM]
The process does not have appropriate privileges and uid does not match
the real user ID or the saved set-user-ID.

Neither of those seem to be applicable in this case though.

It makes me wonder if there any reason to still support ssh being
setuid at all these days.  Certainly the only use cases I can think of
are long dead.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2018-Jul-19 12:50 UTC

head link

[Bug 2874] Privilege-dropping fails on some container systems

https://bugzilla.mindrot.org/show_bug.cgi?id=2874

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
The PRIV_START/PRIV_END code has been removed entirely including the
setuid calls which should fix your issue:
https://github.com/openssh/openssh-portable/commit/258dc8bb07dfb35a46e52b0822a2c5b7027df60a

This will be in the 7.8 release.

Thanks.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2018-Oct-19 06:17 UTC

head link

[Bug 2874] Privilege-dropping fails on some container systems

https://bugzilla.mindrot.org/show_bug.cgi?id=2874

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Close RESOLVED bugs with the release of openssh-8.0

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

openssh bugs - Jun 2018 - [Bug 2874] New: Privilege-dropping fails on some container systems

[Bug 2874] New: Privilege-dropping fails on some container systems

[Bug 2874] Privilege-dropping fails on some container systems

[Bug 2874] Privilege-dropping fails on some container systems

[Bug 2874] Privilege-dropping fails on some container systems

[Bug 2874] Privilege-dropping fails on some container systems

[Bug 2874] Privilege-dropping fails on some container systems