bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-25 18:39 UTC
[Bug 2900] New: Supplementary groups not set for AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2900

Bug ID: 2900
Summary: Supplementary groups not set for AuthorizedKeysCommand
Product: Portable OpenSSH
Version: 7.7p1
Hardware: Other
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: johannes at kyriasis.com

We recently discovered that when sshd forks to execute the
AuthorizedKeysCommand, it only runs setres{u,g}id in the new thread, but not
setgroups, which means that the supplementary groups are never set in the new
thread.

First reported here:

* https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-July/037040.html
* https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-August/037041.html

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-25 18:39 UTC
[Bug 2900] Supplementary groups not set for AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2900

Johannes Löthberg <johannes at kyriasis.com> changed:

What      |Removed |Added
----------------------------------------------------------------------------
Component |ssh     |sshd
bugzilla-daemon at bugzilla.mindrot.org
2020-Mar-08 01:59 UTC
[Bug 2900] Supplementary groups not set for AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2900

Kenny To <sheheitthey at gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |sheheitthey at gmail.com

--- Comment #1 from Kenny To <sheheitthey at gmail.com> ---
Created attachment 3362
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3362&action=edit
set supplementary groups in subprocess

Hi, I've just run into this bug, and by code inspection it looks like
AuthorizedPrincipalsCommand would also be affected.

This patch worked for me on version 8.1p1. The AuthorizedKeysCommand for the
application I was testing was able to access the files it needs and only had
permissions through its supplementary groups.
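The behaviour reported in this thread, as an added example (not code from the bug report, the attached patch, or OpenSSH): a forked helper keeps its parent's supplementary group list unless it calls initgroups()/setgroups() before giving up root. The names drop_to_user, helper_groups, MAXG and the fix flag are hypothetical, and setgid()/setuid() stand in for the setres{g,u}id calls the report mentions.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAXG 256 /* constructed limit; small enough for one atomic pipe write on Linux */

/* Root-only privilege drop. fix=0 changes IDs only, as the report describes;
 * fix=1 resets supplementary groups first, because initgroups() needs the
 * privilege that setuid() gives up. */
static int drop_to_user(const struct passwd *pw, int fix)
{
    if (fix && initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

/* Fork a helper, optionally drop to pw (NULL skips the drop), and copy the
 * helper's supplementary groups into out[MAXG]. Returns the count or -1. */
int helper_groups(const struct passwd *pw, int fix, gid_t *out)
{
    int fd[2], status;
    ssize_t r;
    pid_t pid;

    if (pipe(fd) != 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fd[0]); close(fd[1]);
        return -1;
    }
    if (pid == 0) { /* helper process */
        gid_t g[MAXG];
        int n;
        close(fd[0]);
        if (pw != NULL && drop_to_user(pw, fix) != 0)
            _exit(1);
        n = getgroups(MAXG, g);
        if (n < 0 || write(fd[1], g, n * sizeof(gid_t)) != (ssize_t)(n * sizeof(gid_t)))
            _exit(1);
        _exit(0);
    }
    close(fd[1]);
    r = read(fd[0], out, MAXG * sizeof(gid_t));
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0 || r < 0)
        return -1;
    return (int)(r / (ssize_t)sizeof(gid_t));
}
```

Run as root with a passwd entry from getpwnam(), fix=0 returns the parent's group list and fix=1 returns the target user's, which makes the comparison usable as a regression check.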