openssh bugs - Jan 2013 - [Bug 2060] New: sshd tries to use chdir to users home directory as root

https://bugzilla.mindrot.org/show_bug.cgi?id=2060

            Bug ID: 2060
           Summary: sshd tries to use chdir to users home directory as
                    root
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.1p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: metadalek at gmail.com

The chdir in session.c around line 1736 appears to be performed while
sshd is running as the root user. This fails on systems where root does
not have access to the users home directory. Examples are NFS mounted
directories where the client machine does not have root trust (root
user is mapped to nobody etc).

I think sshd should either change uid to the target user before this
segment of code is executed and maintain euid root or vice versa. 

I will experiment with a fix myself.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2060

--- Comment #1 from Peter Gray <metadalek at gmail.com> ---
More info:

This seems to occur only if use_login is set. If not, the uid has
already been set to the target user and all works as expected.

One fix is if running as root, set the effective uid of the process to
the target user before the call to chdir and reset euid to root after
the rc files have been read. A better fix is to avoid the while chdir
and rc file stuff if use_login is set.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2060

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
UseLogin was deprecated some time ago, the only remaining chdir()
definitely happens after privileges are dropped. The calls occur in the
same function:

https://github.com/openssh/openssh-portable/blob/V_8_1_P1/session.c#L1546
https://github.com/openssh/openssh-portable/blob/V_8_1_P1/session.c#L1622

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2060

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.