bugzilla-daemon at bugzilla.mindrot.org
2008-Oct-24  21:53 UTC
[Bug 1532] New: SSH ignoring "StrictModes no"
https://bugzilla.mindrot.org/show_bug.cgi?id=1532
           Summary: SSH ignoring "StrictModes no"
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: ix86
               URL: http://www.networksecurityarchive.org/html/Secure-Shell/2005-08/msg00058.html
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: sftp-server
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: marko at stamcar.com
I'm posting a bug another user described so well I don't think I need
to write my own description:
We have a very strange problem with SSH. It looks like sshd is ignoring
"StrictModes no" and still doing strict permission checking.
Can anyone give me some hint what the problem might be?
Problem:
As long as the various users' directory (e.g. User XA302) is mode
drwxr-sr-x
everything is fine. But if I change this to drwxrwsr-x SSH complains
"Authentication refused: bad ownership or modes for directory
/appl/chroot/cp/XA302". We need group write permission on
/appl/chroot/cp/...
for our jobs which do further processing of the transferred files.
So I set "StrictModes no" in sshd_config.
Does anyone have a similar problem or know why SSH might possibly
ignore "StrictModes no"?
-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-21  10:47 UTC
[Bug 1532] SSH ignoring "StrictModes no"
https://bugzilla.mindrot.org/show_bug.cgi?id=1532
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org>  2009-01-21
21:47:07 ---
I can't replicate this. Please send a debug trace from the server
("sshd -ddd") failing to authenticate.
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-14  04:07 UTC
[Bug 1532] SSH ignoring "StrictModes no"
https://bugzilla.mindrot.org/show_bug.cgi?id=1532
--- Comment #2 from Damien Miller <djm at mindrot.org>  2009-02-14
15:07:12 ---
Hang on, are you talking about ChrootDirectory or authorized_keys?
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-14  15:07 UTC
[Bug 1532] SSH ignoring "StrictModes no"
https://bugzilla.mindrot.org/show_bug.cgi?id=1532
--- Comment #3 from Marko Štamcar <marko at stamcar.com>  2009-02-15
02:07:13 ---
We're talking about ChrootDirectory and the "new" internal-sftp feature
in SSH.
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-15  06:45 UTC
[Bug 1532] SSH ignoring "StrictModes no"
https://bugzilla.mindrot.org/show_bug.cgi?id=1532
--- Comment #4 from Damien Miller <djm at mindrot.org>  2009-02-15
17:45:12 ---
StrictModes does not apply to ChrootDirectory.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-01  14:43 UTC
[Bug 1532] SSH ignoring "StrictModes no"
https://bugzilla.mindrot.org/show_bug.cgi?id=1532
zerbaugh at sentryds.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zerbaugh at sentryds.com
--- Comment #5 from zerbaugh at sentryds.com  2009-07-02 00:43:58 ---
"StrictModes does not apply to ChrootDirectory."
Is that the intended behavior, or just the current state of things? It
seems at odds with the man page, which states:
"StrictModes: Specifies whether sshd(8) should check file modes and
ownership of the user's files and home directory before accepting
login."
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-10  03:00 UTC
[Bug 1532] SSH ignoring "StrictModes no"
https://bugzilla.mindrot.org/show_bug.cgi?id=1532
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1626
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
--- Comment #6 from Damien Miller <djm at mindrot.org> 2009-11-10 14:00:18
EST ---
This is intentional, see
https://bugzilla.redhat.com/show_bug.cgi?id=522141 for what happens
when the checks are relaxed.
I have updated the manpage to clarify this.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-25  23:50 UTC
[Bug 1532] SSH ignoring "StrictModes no"
https://bugzilla.mindrot.org/show_bug.cgi?id=1532
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #7 from Darren Tucker <dtucker at zip.com.au> 2010-03-26
10:50:46 EST ---
With the release of 5.4p1, this bug is now considered closed.
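The ChrootDirectory check discussed in this thread can be audited before a login fails. The following is an added example, not part of the bug report or of OpenSSH: it applies the rule documented in sshd_config(5) for ChrootDirectory (every path component must be a root-owned directory that is not writable by group or others) to each component of a path. The function names and the sample tree are constructed for illustration; the path and the two modes are the ones quoted in the report.

```python
import os
import stat
from types import SimpleNamespace


def chroot_path_problems(path, stat_fn=os.stat, required_uid=0):
    """Audit every component of an absolute ChrootDirectory path.

    Returns a list of (component, reason). sshd aborts at the first
    failing component; this audit reports all of them.
    """
    if not os.path.isabs(path):
        raise ValueError("ChrootDirectory must be an absolute path")
    problems = []
    component = "/"
    # Walk "/", then each deeper component in turn.
    for name in [""] + [p for p in path.split("/") if p]:
        component = os.path.join(component, name)
        st = stat_fn(component)
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((component, "not a directory"))
        if st.st_uid != required_uid:
            problems.append(
                (component, f"owned by uid {st.st_uid}, not {required_uid}"))
        if mode & 0o022:  # group-write or other-write bit set
            problems.append(
                (component, f"mode {mode:04o} is group- or world-writable"))
    return problems


def fake_dir(mode, uid=0):
    # Constructed stat record: a directory with the given mode and owner.
    return SimpleNamespace(st_mode=stat.S_IFDIR | mode, st_uid=uid)


# Constructed sample tree (not real system state) using the reported path.
SAMPLE_TREE = {
    "/": fake_dir(0o755),
    "/appl": fake_dir(0o755),
    "/appl/chroot": fake_dir(0o755),
    "/appl/chroot/cp": fake_dir(0o755),
    "/appl/chroot/cp/XA302": fake_dir(0o2775),  # drwxrwsr-x, as in the report
}

if __name__ == "__main__":
    target = "/appl/chroot/cp/XA302"
    for component, reason in chroot_path_problems(target, SAMPLE_TREE.__getitem__):
        print(f"{component}: {reason}")
```

Called with the default `stat_fn`, the same function audits a real path on the server; the result does not depend on the StrictModes setting, matching comment #4.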