openssh bugs - Jul 2010 - [Bug 1800] New: PermitUserEnvironment accepting pattern of allowed userenv variables

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

           Summary: PermitUserEnvironment accepting pattern of allowed
                    userenv variables
           Product: Portable OpenSSH
           Version: 5.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: dada.da+mindrot at gmail.com


Created attachment 1901
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1901
diff for patching 5.5p1 and 5.4p1

"PermitUserEnvironment=Yes" security risks could be mitigated by
allowing sshd to allow selected user-environment variables.  I have
written a patch which allows sshd configuration to specify:

"PermitUserEnvironment=VAR" 

This passes user environment variables (from $USER/.ssh/environment
and/or $USER/.ssh/authorized_keys) starting with VAR, ignoring all
other environment variables not previously copied by sshd.

The default option for PermitUserEnvironment is unchanged; it still
defaults to "No".

As a second effect, if PermitUserEnvironment is set to the default
"No", but an "environment=" option is specified in
authorized_keys, the
key is no longer rejected with a "Bad options in file" error, but
instead silently ignores the "environment=" option, which is similar
to
the behaviour of other options such as "permitopen=".

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Daniel Allen <dada.da+mindrot at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dada.da+mindrot at gmail.com

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1901|application/octet-stream    |text/plain
          mime type|                            |
   Attachment #1901|0                           |1
           is patch|                            |

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org>  ---
Sorry to be a pest, but could you please resubmit your patch in unified
diff format ("diff -u"). You only need submit the 5.5p1 version.

Thanks,
Damien

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Daniel Allen <dada.da+mindrot at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1901|0                           |1
        is obsolete|                            |

--- Comment #2 from Daniel Allen <dada.da+mindrot at gmail.com>  ---
Created attachment 1903
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1903
patch replacement: diff -u

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

--- Comment #3 from Daniel Allen <dada.da+mindrot at gmail.com>  ---
(In reply to comment #1)
> unified diff format ("diff -u"). You only need submit the 5.5p1
version.
Oops, my bad! Resubmitted. -Daniel

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1803

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1803                        |

--- Comment #4 from Damien Miller <djm at mindrot.org> 2011-01-24 12:30:50
EST ---
Retarget unclosed bugs from 5.7=>5.8

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1845

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Daniel Allen <dada.da+mindrot at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1903|0                           |1
        is obsolete|                            |

--- Comment #5 from Daniel Allen <dada.da+mindrot at gmail.com> 2011-03-19
05:24:09 EST ---
Created attachment 2017
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2017
userenv patch for 5.8p1

redid patch for openssh-5.8p1

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1930

--- Comment #6 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:19
EST ---
Retarget unresolved bugs/features to 6.0 release

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

--- Comment #7 from Damien Miller <djm at mindrot.org> 2011-09-06 10:36:32
EST ---
Retarget unresolved bugs/features to 6.0 release

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1845                        |

--- Comment #8 from Damien Miller <djm at mindrot.org> 2011-09-06 10:39:07
EST ---
Retarget unresolved bugs/features to 6.0 release

(try again - bugzilla's "change several" isn't)

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Daniel Allen <dada.da+mindrot at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2017|0                           |1
        is obsolete|                            |

--- Comment #9 from Daniel Allen <dada.da+mindrot at gmail.com> 2011-10-14
05:37:12 EST ---
Created attachment 2098
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2098
patch for PermitUserEnvironment against 5.9p1

Keeping up with new version numbers.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

--- Comment #10 from Damien Miller <djm at mindrot.org> 2011-10-21
11:42:39 EST ---
The patch looks okay, but I'm a little reticent to add a method to
control environment variables that doesn't look like any of the other
ACL mechanisms that we use. Perhaps this should use
match_pattern_list() (match.[ch]) to test environment variables when
PermitUserEnvironment!=yes instead of a simple substring?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

--- Comment #11 from Daniel Allen <dada.da+mindrot at gmail.com>
2011-10-29 12:50:20 EST ---
(In reply to comment #10)
> The patch looks okay, but I'm a little reticent to add a method to
> control environment variables that doesn't look like any of the other
> ACL mechanisms that we use. Perhaps this should use
> match_pattern_list() (match.[ch]) to test environment variables when
> PermitUserEnvironment!=yes instead of a simple substring?
Oh! match_pattern_list() sounds like a much more robust solution.
I'll see if I can code something up soon. I have two big deadlines in
the next two weeks but I hope to have something to review soon.

Thanks, Daniel

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Daniel Allen <dada.da+mindrot at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2098|0                           |1
        is obsolete|                            |

--- Comment #12 from Daniel Allen <dada.da+mindrot at gmail.com>
2011-12-03 08:56:02 EST ---
Created attachment 2113
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2113
rewrite of patch to use match_pattern_list

New patch allows pattern lists for permitted user environment
variables, including wildcards and negation. 

New format to match exactly one variable:

PermitUserEnvironment "REMOTEUSER=*"

To match any variables starting with LOG and XTERM variables with
values matching vt*:

PermitUserEnvironment "LOGNAME=*,XTERM=vt*"

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

--- Comment #13 from Daniel Allen <dada.da+mindrot at gmail.com>
2011-12-05 11:34:07 EST ---
(In reply to comment #12) 
> To match any variables starting with LOG and XTERM variables with
> values matching vt*:
the last line of the example should read:

PermitUserEnvironment "LOG*,XTERM=vt*"

instead of:
> PermitUserEnvironment "LOGNAME=*,XTERM=vt*"
-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

--- Comment #14 from Daniel Allen <dada.da+mindrot at gmail.com>
2012-02-07 03:10:44 EST ---
Hi Damien, don't suppose you've had time to look at this patch yet?
It's working well for our campus, and I'd love to see this making it
into v6.0. Thanks, -Daniel

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1986

--- Comment #15 from Damien Miller <djm at mindrot.org> 2012-02-24
10:34:27 EST ---
Retarget from 6.0 to 6.1

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1800

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1930                        |

--- Comment #16 from Damien Miller <djm at mindrot.org> 2012-02-24
10:38:07 EST ---
Retarget 6.0 => 6.1

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.