bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-16 14:09 UTC
[Bug 3036] New: Legacy SFTP rename (SSH2_FXP_RENAME) fails for files owned by others
https://bugzilla.mindrot.org/show_bug.cgi?id=3036
Bug ID: 3036
Summary: Legacy SFTP rename (SSH2_FXP_RENAME) fails for files
owned by others
Product: Portable OpenSSH
Version: 8.0p1
Hardware: Other
OS: Solaris
Status: NEW
Severity: normal
Priority: P5
Component: sftp-server
Assignee: unassigned-bugs at mindrot.org
Reporter: peter.harvey at oracle.com
Legacy SFTP clients are unable to rename (ie move) files owned by
others on Solaris and its derivatives.
Steps to reproduce using the undocumented "legacy" flag in SFTP's
rename:
-=-=-
Using Solaris 11.4
-=-=-
# pwd
/export/home/jack
# ls -l
total 34
drwxr-xr-x 2 jack staff 2 Jul 16 11:23 bar
-rw-r--r-- 1 root staff 0 Jul 16 11:23 foo
# sftp jack at localhost
Password:
Connected to jack at localhost.
sftp> ls -l
drwxr-xr-x 2 jack staff 2 Jul 16 11:23 bar
-rw-r--r-- 1 root staff 0 Jul 16 11:23 foo
sftp> rename foo bar/foo
sftp> rename bar/foo foo
sftp> rename -l foo bar/foo
Couldn't rename file "/export/home/jack/foo" to
"/export/home/jack/bar/foo": Permission denied
sftp>
Turning on verbose output we see:
sftp> rename -l foo bar/foo
debug3: Sent message SSH2_FXP_RENAME "/export/home/jack/foo" ->
"/export/home/jack/bar/foo"
debug3: SSH2_FXP_STATUS 3
Couldn't rename file "/export/home/jack/foo" to
"/export/home/jack/bar/foo": Permission denied
sftp> rename foo bar/foo
debug3: Sent message posix-rename at openssh.com
"/export/home/jack/foo"
-> "/export/home/jack/bar/foo"
debug3: SSH2_FXP_STATUS 0
sftp>
-=-=-
Older versions of SFTP use the pre-POSIX rename SSH2_FXP_RENAME or
SSH_FXP_RENAME. Examples include Solaris's SunSSH and WinSCP.
The problem is caused by the PRIV_FILE_LINK_ANY privilege being
dropped:
./sftp-server.c
int
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
{
[...]
/* Drop any fine-grained privileges we don't need */
platform_pledge_sftp_server();
./platform-pledge.c
/*
* Drop any fine-grained privileges that are not needed for
post-startup
* operation of sftp-server
*/
void
platform_pledge_sftp_server(void)
{
#ifdef USE_SOLARIS_PRIVS
solaris_drop_privs_pinfo_net_fork_exec();
#endif
}
./openbsd-compat/port-solaris.c
void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
priv_set_t *pset = NULL, *npset = NULL;
[...]
if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
priv_addset(npset, PRIV_FILE_DAC_SEARCH) != 0 ||
priv_addset(npset, PRIV_FILE_DAC_WRITE) != 0 ||
priv_addset(npset, PRIV_FILE_OWNER) != 0)
fatal("priv_addset: %s", strerror(errno));
if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 ||
The pre-POSIX rename operation uses link()/unlink(), the comment reads
"Race-free rename of regular files". Without PRIV_FILE_LINK_ANY the
calls to link() will fail if the effective user ID doesn't match the
owner of the file.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Aug-30 04:39 UTC
[Bug 3036] Legacy SFTP rename (SSH2_FXP_RENAME) fails for files owned by others
https://bugzilla.mindrot.org/show_bug.cgi?id=3036
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |alex+mailinglists_openssh-d
| |ev at cooperi.net,
| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
The sandboxing code here was written by Alex Wilson (Cc'd) and I'd like
their opinion before restoring that particular privilege (I'm not
familiar with Solaris' privilege model myself)
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Aug-30 05:06 UTC
[Bug 3036] Legacy SFTP rename (SSH2_FXP_RENAME) fails for files owned by others
https://bugzilla.mindrot.org/show_bug.cgi?id=3036 --- Comment #2 from Alex Wilson <alex+mailinglists_openssh-dev at cooperi.net> --- I think adding that particular privilege back in for sftp-server should be fine. I guess I missed this particular semantic of older clients at the time and took out a little too much. The only user of solaris_drop_privs_pinfo_net_fork_exec() is platform_pledge_sftp_server() at the moment, I believe, so simply changing that function should be fine. The name doesn't make it clear whether FILE_LINK_ANY is in there or not, so I think it'd also be fine not to rename it. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Sep-02 00:26 UTC
[Bug 3036] Legacy SFTP rename (SSH2_FXP_RENAME) fails for files owned by others
https://bugzilla.mindrot.org/show_bug.cgi?id=3036
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
Blocks| |2988
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Thanks, I've remove the delset line. This should be fixed in git master
and will be in the OpenSSH 8.1 release soon.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:09 UTC
[Bug 3036] Legacy SFTP rename (SSH2_FXP_RENAME) fails for files owned by others
https://bugzilla.mindrot.org/show_bug.cgi?id=3036
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.