1 files changed, 266 insertions, 0 deletions
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
new file mode 100644
index 000000000..107f15a23
--- /dev/null
+++ b/debian/patches/user-group-modes.patch
@@ -0,0 +1,266 @@
+From 77638f6662ecd8500e1b97e537233b1277ca829f Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:09:58 +0000
+Subject: Allow harmless group-writability
+Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
+group-writable, provided that the group in question contains only the file's
+owner.  Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
+about the contents of gr->gr_mem).  Given that per-user groups and umask 002
+are the default setup in Debian (for good reasons - this makes operating in
+setgid directories with other groups much easier), we need to permit this by
+default.
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
+Last-Update: 2013-09-14
+Patch-Name: user-group-modes.patch
+---
+ auth-rhosts.c |    6 ++---
+ auth.c        |    9 +++-----
+ misc.c        |   69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ misc.h        |    2 ++
+ platform.c    |   16 -------------
+ readconf.c    |    5 +++--
+ ssh.1         |    2 ++
+ ssh_config.5  |    2 ++
+ 8 files changed, 82 insertions(+), 29 deletions(-)
+diff --git a/auth-rhosts.c b/auth-rhosts.c
+index 06ae7f0..f202787 100644
+--- a/auth-rhosts.c
+++ b/auth-rhosts.c
+@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
+                return 0;
+        }
+        if (options.strict_modes &&
+-           ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+-           (st.st_mode & 022) != 0)) {
+           !secure_permissions(&st, pw->pw_uid)) {
+                logit("Rhosts authentication refused for %.100s: "
+                    "bad ownership or modes for home directory.", pw->pw_name);
+                auth_debug_add("Rhosts authentication refused for %.100s: "
+@@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
+                 * allowing access to their account by anyone.
+                 */
+                if (options.strict_modes &&
+-                   ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+-                   (st.st_mode & 022) != 0)) {
+                   !secure_permissions(&st, pw->pw_uid)) {
+                        logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+                            pw->pw_name, buf);
+                        auth_debug_add("Bad file modes for %.200s", buf);
+diff --git a/auth.c b/auth.c
+index 9a36f1d..0c45f09 100644
+--- a/auth.c
+++ b/auth.c
+@@ -407,8 +407,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
+                user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
+                if (options.strict_modes &&
+                    (stat(user_hostfile, &st) == 0) &&
+-                   ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+-                   (st.st_mode & 022) != 0)) {
+                   !secure_permissions(&st, pw->pw_uid)) {
+                        logit("Authentication refused for %.100s: "
+                            "bad owner or modes for %.200s",
+                            pw->pw_name, user_hostfile);
+@@ -470,8 +469,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+                snprintf(err, errlen, "%s is not a regular file", buf);
+                return -1;
+        }
+-       if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
+-           (stp->st_mode & 022) != 0) {
+       if (!secure_permissions(stp, uid)) {
+                snprintf(err, errlen, "bad ownership or modes for file %s",
+                    buf);
+                return -1;
+@@ -486,8 +484,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+                strlcpy(buf, cp, sizeof(buf));
+ 
+                if (stat(buf, &st) < 0 ||
+-                   (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
+-                   (st.st_mode & 022) != 0) {
+                   !secure_permissions(&st, uid)) {
+                        snprintf(err, errlen,
+                            "bad ownership or modes for directory %s", buf);
+                        return -1;
+diff --git a/misc.c b/misc.c
+index e4c8c32..4e756b0 100644
+--- a/misc.c
+++ b/misc.c
+@@ -49,8 +49,9 @@
+ #include <netdb.h>
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+-#include <pwd.h>
+ #endif
+#include <pwd.h>
+#include <grp.h>
+ #ifdef SSH_TUN_OPENBSD
+ #include <net/if.h>
+ #endif
+@@ -59,6 +60,7 @@
+ #include "misc.h"
+ #include "log.h"
+ #include "ssh.h"
+#include "platform.h"
+ 
+ /* remove newline at end of string */
+ char *
+@@ -643,6 +645,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
+        return -1;
+ }
+ 
+/*
+ * return 1 if the specified uid is a uid that may own a system directory
+ * otherwise 0.
+ */
+int
+platform_sys_dir_uid(uid_t uid)
+{
+       if (uid == 0)
+               return 1;
+#ifdef PLATFORM_SYS_DIR_UID
+       if (uid == PLATFORM_SYS_DIR_UID)
+               return 1;
+#endif
+       return 0;
+}
+
+int
+secure_permissions(struct stat *st, uid_t uid)
+{
+       if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
+               return 0;
+       if ((st->st_mode & 002) != 0)
+               return 0;
+       if ((st->st_mode & 020) != 0) {
+               /* If the file is group-writable, the group in question must
+                * have exactly one member, namely the file's owner.
+                * (Zero-member groups are typically used by setgid
+                * binaries, and are unlikely to be suitable.)
+                */
+               struct passwd *pw;
+               struct group *gr;
+               int members = 0;
+
+               gr = getgrgid(st->st_gid);
+               if (!gr)
+                       return 0;
+
+               /* Check primary group memberships. */
+               while ((pw = getpwent()) != NULL) {
+                       if (pw->pw_gid == gr->gr_gid) {
+                               ++members;
+                               if (pw->pw_uid != uid)
+                                       return 0;
+                       }
+               }
+               endpwent();
+
+               pw = getpwuid(st->st_uid);
+               if (!pw)
+                       return 0;
+
+               /* Check supplementary group memberships. */
+               if (gr->gr_mem[0]) {
+                       ++members;
+                       if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
+                           gr->gr_mem[1])
+                               return 0;
+               }
+
+               if (!members)
+                       return 0;
+       }
+       return 1;
+}
+
+ int
+ tun_open(int tun, int mode)
+ {
+diff --git a/misc.h b/misc.h
+index d4df619..ceb173b 100644
+--- a/misc.h
+++ b/misc.h
+@@ -106,4 +106,6 @@ char        *read_passphrase(const char *, int);
+ int     ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
+ int     read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
+ 
+int     secure_permissions(struct stat *st, uid_t uid);
+
+ #endif /* _MISC_H */
+diff --git a/platform.c b/platform.c
+index 4aab9a9..f99de7f 100644
+--- a/platform.c
+++ b/platform.c
+@@ -196,19 +196,3 @@ platform_krb5_get_principal_name(const char *pw_name)
+        return NULL;
+ #endif
+ }
+-
+-/*
+- * return 1 if the specified uid is a uid that may own a system directory
+- * otherwise 0.
+- */
+-int
+-platform_sys_dir_uid(uid_t uid)
+-{
+-       if (uid == 0)
+-               return 1;
+-#ifdef PLATFORM_SYS_DIR_UID
+-       if (uid == PLATFORM_SYS_DIR_UID)
+-               return 1;
+-#endif
+-       return 0;
+-}
+diff --git a/readconf.c b/readconf.c
+index 6409937..32c4b42 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -37,6 +37,8 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
+@@ -1477,8 +1479,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
+ 
+                if (fstat(fileno(f), &sb) == -1)
+                        fatal("fstat %s: %s", filename, strerror(errno));
+-               if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
+-                   (sb.st_mode & 022) != 0))
+               if (!secure_permissions(&sb, getuid()))
+                        fatal("Bad owner or permissions on %s", filename);
+        }
+ 
+diff --git a/ssh.1 b/ssh.1
+index 27794e2..ff5e6ac 100644
+--- a/ssh.1
+++ b/ssh.1
+@@ -1352,6 +1352,8 @@ The file format and configuration options are described in
+ .Xr ssh_config 5 .
+ Because of the potential for abuse, this file must have strict permissions:
+ read/write for the user, and not writable by others.
+It may be group-writable provided that the group in question contains only
+the user.
+ .Pp
+ .It Pa ~/.ssh/environment
+ Contains additional definitions for environment variables; see
+diff --git a/ssh_config.5 b/ssh_config.5
+index 3172fd4..4bf7cbb 100644
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -1529,6 +1529,8 @@ The format of this file is described above.
+ This file is used by the SSH client.
+ Because of the potential for abuse, this file must have strict permissions:
+ read/write for the user, and not accessible by others.
+It may be group-writable provided that the group in question contains only
+the user.
+ .It Pa /etc/ssh/ssh_config
+ Systemwide configuration file.
+ This file provides defaults for those

diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch new file mode 100644 index 000000000..107f15a23 --- /dev/null +++ b/debian/patches/user-group-modes.patch
@@ -0,0 +1,266 @@
	1	From 77638f6662ecd8500e1b97e537233b1277ca829f Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Sun, 9 Feb 2014 16:09:58 +0000
	4	Subject: Allow harmless group-writability
	5
	6	Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
	7	group-writable, provided that the group in question contains only the file's
	8	owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
	9	about the contents of gr->gr_mem). Given that per-user groups and umask 002
	10	are the default setup in Debian (for good reasons - this makes operating in
	11	setgid directories with other groups much easier), we need to permit this by
	12	default.
	13
	14	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
	15	Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
	16	Last-Update: 2013-09-14
	17
	18	Patch-Name: user-group-modes.patch
	19	---
	20	auth-rhosts.c \| 6 ++---
	21	auth.c \| 9 +++-----
	22	misc.c \| 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
	23	misc.h \| 2 ++
	24	platform.c \| 16 -------------
	25	readconf.c \| 5 +++--
	26	ssh.1 \| 2 ++
	27	ssh_config.5 \| 2 ++
	28	8 files changed, 82 insertions(+), 29 deletions(-)
	29
	30	diff --git a/auth-rhosts.c b/auth-rhosts.c
	31	index 06ae7f0..f202787 100644
	32	--- a/auth-rhosts.c
	33	+++ b/auth-rhosts.c
	34	@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd pw, const char client_user, const char *hostnam
	35	return 0;
	36	}
	37	if (options.strict_modes &&
	38	- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	39	- (st.st_mode & 022) != 0)) {
	40	+ !secure_permissions(&st, pw->pw_uid)) {
	41	logit("Rhosts authentication refused for %.100s: "
	42	"bad ownership or modes for home directory.", pw->pw_name);
	43	auth_debug_add("Rhosts authentication refused for %.100s: "
	44	@@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd pw, const char client_user, const char *hostnam
	45	* allowing access to their account by anyone.
	46	*/
	47	if (options.strict_modes &&
	48	- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	49	- (st.st_mode & 022) != 0)) {
	50	+ !secure_permissions(&st, pw->pw_uid)) {
	51	logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
	52	pw->pw_name, buf);
	53	auth_debug_add("Bad file modes for %.200s", buf);
	54	diff --git a/auth.c b/auth.c
	55	index 9a36f1d..0c45f09 100644
	56	--- a/auth.c
	57	+++ b/auth.c
	58	@@ -407,8 +407,7 @@ check_key_in_hostfiles(struct passwd pw, Key key, const char *host,
	59	user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
	60	if (options.strict_modes &&
	61	(stat(user_hostfile, &st) == 0) &&
	62	- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	63	- (st.st_mode & 022) != 0)) {
	64	+ !secure_permissions(&st, pw->pw_uid)) {
	65	logit("Authentication refused for %.100s: "
	66	"bad owner or modes for %.200s",
	67	pw->pw_name, user_hostfile);
	68	@@ -470,8 +469,7 @@ auth_secure_path(const char name, struct stat stp, const char *pw_dir,
	69	snprintf(err, errlen, "%s is not a regular file", buf);
	70	return -1;
	71	}
	72	- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) \|\|
	73	- (stp->st_mode & 022) != 0) {
	74	+ if (!secure_permissions(stp, uid)) {
	75	snprintf(err, errlen, "bad ownership or modes for file %s",
	76	buf);
	77	return -1;
	78	@@ -486,8 +484,7 @@ auth_secure_path(const char name, struct stat stp, const char *pw_dir,
	79	strlcpy(buf, cp, sizeof(buf));
	80
	81	if (stat(buf, &st) < 0 \|\|
	82	- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) \|\|
	83	- (st.st_mode & 022) != 0) {
	84	+ !secure_permissions(&st, uid)) {
	85	snprintf(err, errlen,
	86	"bad ownership or modes for directory %s", buf);
	87	return -1;
	88	diff --git a/misc.c b/misc.c
	89	index e4c8c32..4e756b0 100644
	90	--- a/misc.c
	91	+++ b/misc.c
	92	@@ -49,8 +49,9 @@
	93	#include <netdb.h>
	94	#ifdef HAVE_PATHS_H
	95	# include <paths.h>
	96	-#include <pwd.h>
	97	#endif
	98	+#include <pwd.h>
	99	+#include <grp.h>
	100	#ifdef SSH_TUN_OPENBSD
	101	#include <net/if.h>
	102	#endif
	103	@@ -59,6 +60,7 @@
	104	#include "misc.h"
	105	#include "log.h"
	106	#include "ssh.h"
	107	+#include "platform.h"
	108
	109	/* remove newline at end of string */
	110	char *
	111	@@ -643,6 +645,71 @@ read_keyfile_line(FILE f, const char filename, char *buf, size_t bufsz,
	112	return -1;
	113	}
	114
	115	+/*
	116	+ * return 1 if the specified uid is a uid that may own a system directory
	117	+ * otherwise 0.
	118	+ */
	119	+int
	120	+platform_sys_dir_uid(uid_t uid)
	121	+{
	122	+ if (uid == 0)
	123	+ return 1;
	124	+#ifdef PLATFORM_SYS_DIR_UID
	125	+ if (uid == PLATFORM_SYS_DIR_UID)
	126	+ return 1;
	127	+#endif
	128	+ return 0;
	129	+}
	130	+
	131	+int
	132	+secure_permissions(struct stat *st, uid_t uid)
	133	+{
	134	+ if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
	135	+ return 0;
	136	+ if ((st->st_mode & 002) != 0)
	137	+ return 0;
	138	+ if ((st->st_mode & 020) != 0) {
	139	+ /* If the file is group-writable, the group in question must
	140	+ * have exactly one member, namely the file's owner.
	141	+ * (Zero-member groups are typically used by setgid
	142	+ * binaries, and are unlikely to be suitable.)
	143	+ */
	144	+ struct passwd *pw;
	145	+ struct group *gr;
	146	+ int members = 0;
	147	+
	148	+ gr = getgrgid(st->st_gid);
	149	+ if (!gr)
	150	+ return 0;
	151	+
	152	+ /* Check primary group memberships. */
	153	+ while ((pw = getpwent()) != NULL) {
	154	+ if (pw->pw_gid == gr->gr_gid) {
	155	+ ++members;
	156	+ if (pw->pw_uid != uid)
	157	+ return 0;
	158	+ }
	159	+ }
	160	+ endpwent();
	161	+
	162	+ pw = getpwuid(st->st_uid);
	163	+ if (!pw)
	164	+ return 0;
	165	+
	166	+ /* Check supplementary group memberships. */
	167	+ if (gr->gr_mem[0]) {
	168	+ ++members;
	169	+ if (strcmp(pw->pw_name, gr->gr_mem[0]) \|\|
	170	+ gr->gr_mem[1])
	171	+ return 0;
	172	+ }
	173	+
	174	+ if (!members)
	175	+ return 0;
	176	+ }
	177	+ return 1;
	178	+}
	179	+
	180	int
	181	tun_open(int tun, int mode)
	182	{
	183	diff --git a/misc.h b/misc.h
	184	index d4df619..ceb173b 100644
	185	--- a/misc.h
	186	+++ b/misc.h
	187	@@ -106,4 +106,6 @@ char read_passphrase(const char , int);
	188	int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
	189	int read_keyfile_line(FILE , const char , char , size_t, u_long );
	190
	191	+int secure_permissions(struct stat *st, uid_t uid);
	192	+
	193	#endif /* _MISC_H */
	194	diff --git a/platform.c b/platform.c
	195	index 4aab9a9..f99de7f 100644
	196	--- a/platform.c
	197	+++ b/platform.c
	198	@@ -196,19 +196,3 @@ platform_krb5_get_principal_name(const char *pw_name)
	199	return NULL;
	200	#endif
	201	}
	202	-
	203	-/*
	204	- * return 1 if the specified uid is a uid that may own a system directory
	205	- * otherwise 0.
	206	- */
	207	-int
	208	-platform_sys_dir_uid(uid_t uid)
	209	-{
	210	- if (uid == 0)
	211	- return 1;
	212	-#ifdef PLATFORM_SYS_DIR_UID
	213	- if (uid == PLATFORM_SYS_DIR_UID)
	214	- return 1;
	215	-#endif
	216	- return 0;
	217	-}
	218	diff --git a/readconf.c b/readconf.c
	219	index 6409937..32c4b42 100644
	220	--- a/readconf.c
	221	+++ b/readconf.c
	222	@@ -37,6 +37,8 @@
	223	#include <stdio.h>
	224	#include <string.h>
	225	#include <unistd.h>
	226	+#include <pwd.h>
	227	+#include <grp.h>
	228	#ifdef HAVE_UTIL_H
	229	#include <util.h>
	230	#endif
	231	@@ -1477,8 +1479,7 @@ read_config_file(const char filename, struct passwd pw, const char *host,
	232
	233	if (fstat(fileno(f), &sb) == -1)
	234	fatal("fstat %s: %s", filename, strerror(errno));
	235	- if (((sb.st_uid != 0 && sb.st_uid != getuid()) \|\|
	236	- (sb.st_mode & 022) != 0))
	237	+ if (!secure_permissions(&sb, getuid()))
	238	fatal("Bad owner or permissions on %s", filename);
	239	}
	240
	241	diff --git a/ssh.1 b/ssh.1
	242	index 27794e2..ff5e6ac 100644
	243	--- a/ssh.1
	244	+++ b/ssh.1
	245	@@ -1352,6 +1352,8 @@ The file format and configuration options are described in
	246	.Xr ssh_config 5 .
	247	Because of the potential for abuse, this file must have strict permissions:
	248	read/write for the user, and not writable by others.
	249	+It may be group-writable provided that the group in question contains only
	250	+the user.
	251	.Pp
	252	.It Pa ~/.ssh/environment
	253	Contains additional definitions for environment variables; see
	254	diff --git a/ssh_config.5 b/ssh_config.5
	255	index 3172fd4..4bf7cbb 100644
	256	--- a/ssh_config.5
	257	+++ b/ssh_config.5
	258	@@ -1529,6 +1529,8 @@ The format of this file is described above.
	259	This file is used by the SSH client.
	260	Because of the potential for abuse, this file must have strict permissions:
	261	read/write for the user, and not accessible by others.
	262	+It may be group-writable provided that the group in question contains only
	263	+the user.
	264	.It Pa /etc/ssh/ssh_config
	265	Systemwide configuration file.
	266	This file provides defaults for those