summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:09:58 +0000
committerColin Watson <cjwatson@debian.org>2016-12-26 00:55:59 +0000
commit47c946434c6e99ff9da531cfcafb051e38e79ff8 (patch)
tree08e8df7c7e84f3fa65f1d4e3a82809cde0a3e731
parent68d399525871ecd1a2837f04045581a2774ba4bb (diff)
Allow harmless group-writability
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2013-09-14 Patch-Name: user-group-modes.patch
-rw-r--r--auth-rhosts.c6
-rw-r--r--auth.c9
-rw-r--r--misc.c69
-rw-r--r--misc.h2
-rw-r--r--platform.c16
-rw-r--r--readconf.c3
-rw-r--r--ssh.12
-rw-r--r--ssh_config.52
8 files changed, 80 insertions, 29 deletions
diff --git a/auth-rhosts.c b/auth-rhosts.c
index ecf956f06..4dccd5e6a 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
261 return 0; 261 return 0;
262 } 262 }
263 if (options.strict_modes && 263 if (options.strict_modes &&
264 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 264 !secure_permissions(&st, pw->pw_uid)) {
265 (st.st_mode & 022) != 0)) {
266 logit("Rhosts authentication refused for %.100s: " 265 logit("Rhosts authentication refused for %.100s: "
267 "bad ownership or modes for home directory.", pw->pw_name); 266 "bad ownership or modes for home directory.", pw->pw_name);
268 auth_debug_add("Rhosts authentication refused for %.100s: " 267 auth_debug_add("Rhosts authentication refused for %.100s: "
@@ -288,8 +287,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
288 * allowing access to their account by anyone. 287 * allowing access to their account by anyone.
289 */ 288 */
290 if (options.strict_modes && 289 if (options.strict_modes &&
291 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 290 !secure_permissions(&st, pw->pw_uid)) {
292 (st.st_mode & 022) != 0)) {
293 logit("Rhosts authentication refused for %.100s: bad modes for %.200s", 291 logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
294 pw->pw_name, buf); 292 pw->pw_name, buf);
295 auth_debug_add("Bad file modes for %.200s", buf); 293 auth_debug_add("Bad file modes for %.200s", buf);
diff --git a/auth.c b/auth.c
index c63906873..90390724d 100644
--- a/auth.c
+++ b/auth.c
@@ -444,8 +444,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
444 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 444 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
445 if (options.strict_modes && 445 if (options.strict_modes &&
446 (stat(user_hostfile, &st) == 0) && 446 (stat(user_hostfile, &st) == 0) &&
447 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 447 !secure_permissions(&st, pw->pw_uid)) {
448 (st.st_mode & 022) != 0)) {
449 logit("Authentication refused for %.100s: " 448 logit("Authentication refused for %.100s: "
450 "bad owner or modes for %.200s", 449 "bad owner or modes for %.200s",
451 pw->pw_name, user_hostfile); 450 pw->pw_name, user_hostfile);
@@ -507,8 +506,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
507 snprintf(err, errlen, "%s is not a regular file", buf); 506 snprintf(err, errlen, "%s is not a regular file", buf);
508 return -1; 507 return -1;
509 } 508 }
510 if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || 509 if (!secure_permissions(stp, uid)) {
511 (stp->st_mode & 022) != 0) {
512 snprintf(err, errlen, "bad ownership or modes for file %s", 510 snprintf(err, errlen, "bad ownership or modes for file %s",
513 buf); 511 buf);
514 return -1; 512 return -1;
@@ -523,8 +521,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
523 strlcpy(buf, cp, sizeof(buf)); 521 strlcpy(buf, cp, sizeof(buf));
524 522
525 if (stat(buf, &st) < 0 || 523 if (stat(buf, &st) < 0 ||
526 (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || 524 !secure_permissions(&st, uid)) {
527 (st.st_mode & 022) != 0) {
528 snprintf(err, errlen, 525 snprintf(err, errlen,
529 "bad ownership or modes for directory %s", buf); 526 "bad ownership or modes for directory %s", buf);
530 return -1; 527 return -1;
diff --git a/misc.c b/misc.c
index 65c9222aa..bf9153a61 100644
--- a/misc.c
+++ b/misc.c
@@ -51,8 +51,9 @@
51#include <netdb.h> 51#include <netdb.h>
52#ifdef HAVE_PATHS_H 52#ifdef HAVE_PATHS_H
53# include <paths.h> 53# include <paths.h>
54#include <pwd.h>
55#endif 54#endif
55#include <pwd.h>
56#include <grp.h>
56#ifdef SSH_TUN_OPENBSD 57#ifdef SSH_TUN_OPENBSD
57#include <net/if.h> 58#include <net/if.h>
58#endif 59#endif
@@ -61,6 +62,7 @@
61#include "misc.h" 62#include "misc.h"
62#include "log.h" 63#include "log.h"
63#include "ssh.h" 64#include "ssh.h"
65#include "platform.h"
64 66
65/* remove newline at end of string */ 67/* remove newline at end of string */
66char * 68char *
@@ -708,6 +710,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
708 return -1; 710 return -1;
709} 711}
710 712
713/*
714 * return 1 if the specified uid is a uid that may own a system directory
715 * otherwise 0.
716 */
717int
718platform_sys_dir_uid(uid_t uid)
719{
720 if (uid == 0)
721 return 1;
722#ifdef PLATFORM_SYS_DIR_UID
723 if (uid == PLATFORM_SYS_DIR_UID)
724 return 1;
725#endif
726 return 0;
727}
728
729int
730secure_permissions(struct stat *st, uid_t uid)
731{
732 if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
733 return 0;
734 if ((st->st_mode & 002) != 0)
735 return 0;
736 if ((st->st_mode & 020) != 0) {
737 /* If the file is group-writable, the group in question must
738 * have exactly one member, namely the file's owner.
739 * (Zero-member groups are typically used by setgid
740 * binaries, and are unlikely to be suitable.)
741 */
742 struct passwd *pw;
743 struct group *gr;
744 int members = 0;
745
746 gr = getgrgid(st->st_gid);
747 if (!gr)
748 return 0;
749
750 /* Check primary group memberships. */
751 while ((pw = getpwent()) != NULL) {
752 if (pw->pw_gid == gr->gr_gid) {
753 ++members;
754 if (pw->pw_uid != uid)
755 return 0;
756 }
757 }
758 endpwent();
759
760 pw = getpwuid(st->st_uid);
761 if (!pw)
762 return 0;
763
764 /* Check supplementary group memberships. */
765 if (gr->gr_mem[0]) {
766 ++members;
767 if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
768 gr->gr_mem[1])
769 return 0;
770 }
771
772 if (!members)
773 return 0;
774 }
775 return 1;
776}
777
711int 778int
712tun_open(int tun, int mode) 779tun_open(int tun, int mode)
713{ 780{
diff --git a/misc.h b/misc.h
index c242f9011..8b223b55e 100644
--- a/misc.h
+++ b/misc.h
@@ -143,6 +143,8 @@ char *read_passphrase(const char *, int);
143int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 143int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
144int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 144int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
145 145
146int secure_permissions(struct stat *st, uid_t uid);
147
146#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 148#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
147#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 149#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
148#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 150#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
diff --git a/platform.c b/platform.c
index cd7bf5665..380ee3a41 100644
--- a/platform.c
+++ b/platform.c
@@ -197,19 +197,3 @@ platform_krb5_get_principal_name(const char *pw_name)
197 return NULL; 197 return NULL;
198#endif 198#endif
199} 199}
200
201/*
202 * return 1 if the specified uid is a uid that may own a system directory
203 * otherwise 0.
204 */
205int
206platform_sys_dir_uid(uid_t uid)
207{
208 if (uid == 0)
209 return 1;
210#ifdef PLATFORM_SYS_DIR_UID
211 if (uid == PLATFORM_SYS_DIR_UID)
212 return 1;
213#endif
214 return 0;
215}
diff --git a/readconf.c b/readconf.c
index 3efba242f..c02cdf63a 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1752,8 +1752,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
1752 1752
1753 if (fstat(fileno(f), &sb) == -1) 1753 if (fstat(fileno(f), &sb) == -1)
1754 fatal("fstat %s: %s", filename, strerror(errno)); 1754 fatal("fstat %s: %s", filename, strerror(errno));
1755 if (((sb.st_uid != 0 && sb.st_uid != getuid()) || 1755 if (!secure_permissions(&sb, getuid()))
1756 (sb.st_mode & 022) != 0))
1757 fatal("Bad owner or permissions on %s", filename); 1756 fatal("Bad owner or permissions on %s", filename);
1758 } 1757 }
1759 1758
diff --git a/ssh.1 b/ssh.1
index 4011c65aa..feef81a54 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1484,6 +1484,8 @@ The file format and configuration options are described in
1484.Xr ssh_config 5 . 1484.Xr ssh_config 5 .
1485Because of the potential for abuse, this file must have strict permissions: 1485Because of the potential for abuse, this file must have strict permissions:
1486read/write for the user, and not writable by others. 1486read/write for the user, and not writable by others.
1487It may be group-writable provided that the group in question contains only
1488the user.
1487.Pp 1489.Pp
1488.It Pa ~/.ssh/environment 1490.It Pa ~/.ssh/environment
1489Contains additional definitions for environment variables; see 1491Contains additional definitions for environment variables; see
diff --git a/ssh_config.5 b/ssh_config.5
index a0457314c..0483a1ee4 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1803,6 +1803,8 @@ The format of this file is described above.
1803This file is used by the SSH client. 1803This file is used by the SSH client.
1804Because of the potential for abuse, this file must have strict permissions: 1804Because of the potential for abuse, this file must have strict permissions:
1805read/write for the user, and not accessible by others. 1805read/write for the user, and not accessible by others.
1806It may be group-writable provided that the group in question contains only
1807the user.
1806.It Pa /etc/ssh/ssh_config 1808.It Pa /etc/ssh/ssh_config
1807Systemwide configuration file. 1809Systemwide configuration file.
1808This file provides defaults for those 1810This file provides defaults for those