diff options
Diffstat (limited to 'debian/patches/user-group-modes.patch')
-rw-r--r-- | debian/patches/user-group-modes.patch | 210 |
1 files changed, 210 insertions, 0 deletions
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch new file mode 100644 index 000000000..bc2390e06 --- /dev/null +++ b/debian/patches/user-group-modes.patch | |||
@@ -0,0 +1,210 @@ | |||
1 | From 7b931d36ad36a93d2b1811858ca29408ec44ecae Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Watson <cjwatson@debian.org> | ||
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | ||
4 | Subject: Allow harmless group-writability | ||
5 | |||
6 | Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be | ||
7 | group-writable, provided that the group in question contains only the file's | ||
8 | owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding | ||
9 | about the contents of gr->gr_mem). Given that per-user groups and umask 002 | ||
10 | are the default setup in Debian (for good reasons - this makes operating in | ||
11 | setgid directories with other groups much easier), we need to permit this by | ||
12 | default. | ||
13 | |||
14 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 | ||
15 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 | ||
16 | Last-Update: 2017-10-04 | ||
17 | |||
18 | Patch-Name: user-group-modes.patch | ||
19 | --- | ||
20 | auth-rhosts.c | 6 ++---- | ||
21 | auth.c | 3 +-- | ||
22 | misc.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++----- | ||
23 | misc.h | 2 ++ | ||
24 | readconf.c | 3 +-- | ||
25 | ssh.1 | 2 ++ | ||
26 | ssh_config.5 | 2 ++ | ||
27 | 7 files changed, 63 insertions(+), 13 deletions(-) | ||
28 | |||
29 | diff --git a/auth-rhosts.c b/auth-rhosts.c | ||
30 | index 57296e1f6..546aa0495 100644 | ||
31 | --- a/auth-rhosts.c | ||
32 | +++ b/auth-rhosts.c | ||
33 | @@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | ||
34 | return 0; | ||
35 | } | ||
36 | if (options.strict_modes && | ||
37 | - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || | ||
38 | - (st.st_mode & 022) != 0)) { | ||
39 | + !secure_permissions(&st, pw->pw_uid)) { | ||
40 | logit("Rhosts authentication refused for %.100s: " | ||
41 | "bad ownership or modes for home directory.", pw->pw_name); | ||
42 | auth_debug_add("Rhosts authentication refused for %.100s: " | ||
43 | @@ -288,8 +287,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | ||
44 | * allowing access to their account by anyone. | ||
45 | */ | ||
46 | if (options.strict_modes && | ||
47 | - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || | ||
48 | - (st.st_mode & 022) != 0)) { | ||
49 | + !secure_permissions(&st, pw->pw_uid)) { | ||
50 | logit("Rhosts authentication refused for %.100s: bad modes for %.200s", | ||
51 | pw->pw_name, buf); | ||
52 | auth_debug_add("Bad file modes for %.200s", buf); | ||
53 | diff --git a/auth.c b/auth.c | ||
54 | index d8e6b4a3d..9d1d453f1 100644 | ||
55 | --- a/auth.c | ||
56 | +++ b/auth.c | ||
57 | @@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, | ||
58 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | ||
59 | if (options.strict_modes && | ||
60 | (stat(user_hostfile, &st) == 0) && | ||
61 | - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || | ||
62 | - (st.st_mode & 022) != 0)) { | ||
63 | + !secure_permissions(&st, pw->pw_uid)) { | ||
64 | logit("Authentication refused for %.100s: " | ||
65 | "bad owner or modes for %.200s", | ||
66 | pw->pw_name, user_hostfile); | ||
67 | diff --git a/misc.c b/misc.c | ||
68 | index bdc06fdb3..5159e6692 100644 | ||
69 | --- a/misc.c | ||
70 | +++ b/misc.c | ||
71 | @@ -58,8 +58,9 @@ | ||
72 | #include <netdb.h> | ||
73 | #ifdef HAVE_PATHS_H | ||
74 | # include <paths.h> | ||
75 | -#include <pwd.h> | ||
76 | #endif | ||
77 | +#include <pwd.h> | ||
78 | +#include <grp.h> | ||
79 | #ifdef SSH_TUN_OPENBSD | ||
80 | #include <net/if.h> | ||
81 | #endif | ||
82 | @@ -1028,6 +1029,55 @@ percent_expand(const char *string, ...) | ||
83 | #undef EXPAND_MAX_KEYS | ||
84 | } | ||
85 | |||
86 | +int | ||
87 | +secure_permissions(struct stat *st, uid_t uid) | ||
88 | +{ | ||
89 | + if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid) | ||
90 | + return 0; | ||
91 | + if ((st->st_mode & 002) != 0) | ||
92 | + return 0; | ||
93 | + if ((st->st_mode & 020) != 0) { | ||
94 | + /* If the file is group-writable, the group in question must | ||
95 | + * have exactly one member, namely the file's owner. | ||
96 | + * (Zero-member groups are typically used by setgid | ||
97 | + * binaries, and are unlikely to be suitable.) | ||
98 | + */ | ||
99 | + struct passwd *pw; | ||
100 | + struct group *gr; | ||
101 | + int members = 0; | ||
102 | + | ||
103 | + gr = getgrgid(st->st_gid); | ||
104 | + if (!gr) | ||
105 | + return 0; | ||
106 | + | ||
107 | + /* Check primary group memberships. */ | ||
108 | + while ((pw = getpwent()) != NULL) { | ||
109 | + if (pw->pw_gid == gr->gr_gid) { | ||
110 | + ++members; | ||
111 | + if (pw->pw_uid != uid) | ||
112 | + return 0; | ||
113 | + } | ||
114 | + } | ||
115 | + endpwent(); | ||
116 | + | ||
117 | + pw = getpwuid(st->st_uid); | ||
118 | + if (!pw) | ||
119 | + return 0; | ||
120 | + | ||
121 | + /* Check supplementary group memberships. */ | ||
122 | + if (gr->gr_mem[0]) { | ||
123 | + ++members; | ||
124 | + if (strcmp(pw->pw_name, gr->gr_mem[0]) || | ||
125 | + gr->gr_mem[1]) | ||
126 | + return 0; | ||
127 | + } | ||
128 | + | ||
129 | + if (!members) | ||
130 | + return 0; | ||
131 | + } | ||
132 | + return 1; | ||
133 | +} | ||
134 | + | ||
135 | int | ||
136 | tun_open(int tun, int mode, char **ifname) | ||
137 | { | ||
138 | @@ -1786,8 +1836,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, | ||
139 | snprintf(err, errlen, "%s is not a regular file", buf); | ||
140 | return -1; | ||
141 | } | ||
142 | - if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || | ||
143 | - (stp->st_mode & 022) != 0) { | ||
144 | + if (!secure_permissions(stp, uid)) { | ||
145 | snprintf(err, errlen, "bad ownership or modes for file %s", | ||
146 | buf); | ||
147 | return -1; | ||
148 | @@ -1802,8 +1851,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, | ||
149 | strlcpy(buf, cp, sizeof(buf)); | ||
150 | |||
151 | if (stat(buf, &st) < 0 || | ||
152 | - (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || | ||
153 | - (st.st_mode & 022) != 0) { | ||
154 | + !secure_permissions(&st, uid)) { | ||
155 | snprintf(err, errlen, | ||
156 | "bad ownership or modes for directory %s", buf); | ||
157 | return -1; | ||
158 | diff --git a/misc.h b/misc.h | ||
159 | index 31b207a8d..aaf966e65 100644 | ||
160 | --- a/misc.h | ||
161 | +++ b/misc.h | ||
162 | @@ -168,6 +168,8 @@ int safe_path_fd(int, const char *, struct passwd *, | ||
163 | char *read_passphrase(const char *, int); | ||
164 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | ||
165 | |||
166 | +int secure_permissions(struct stat *st, uid_t uid); | ||
167 | + | ||
168 | #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) | ||
169 | #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) | ||
170 | #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) | ||
171 | diff --git a/readconf.c b/readconf.c | ||
172 | index 052d4b1ac..6b01f20d2 100644 | ||
173 | --- a/readconf.c | ||
174 | +++ b/readconf.c | ||
175 | @@ -1820,8 +1820,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, | ||
176 | |||
177 | if (fstat(fileno(f), &sb) == -1) | ||
178 | fatal("fstat %s: %s", filename, strerror(errno)); | ||
179 | - if (((sb.st_uid != 0 && sb.st_uid != getuid()) || | ||
180 | - (sb.st_mode & 022) != 0)) | ||
181 | + if (!secure_permissions(&sb, getuid())) | ||
182 | fatal("Bad owner or permissions on %s", filename); | ||
183 | } | ||
184 | |||
185 | diff --git a/ssh.1 b/ssh.1 | ||
186 | index 7760c3075..81f29af43 100644 | ||
187 | --- a/ssh.1 | ||
188 | +++ b/ssh.1 | ||
189 | @@ -1485,6 +1485,8 @@ The file format and configuration options are described in | ||
190 | .Xr ssh_config 5 . | ||
191 | Because of the potential for abuse, this file must have strict permissions: | ||
192 | read/write for the user, and not writable by others. | ||
193 | +It may be group-writable provided that the group in question contains only | ||
194 | +the user. | ||
195 | .Pp | ||
196 | .It Pa ~/.ssh/environment | ||
197 | Contains additional definitions for environment variables; see | ||
198 | diff --git a/ssh_config.5 b/ssh_config.5 | ||
199 | index 54e143c93..7d55fa820 100644 | ||
200 | --- a/ssh_config.5 | ||
201 | +++ b/ssh_config.5 | ||
202 | @@ -1835,6 +1835,8 @@ The format of this file is described above. | ||
203 | This file is used by the SSH client. | ||
204 | Because of the potential for abuse, this file must have strict permissions: | ||
205 | read/write for the user, and not accessible by others. | ||
206 | +It may be group-writable provided that the group in question contains only | ||
207 | +the user. | ||
208 | .It Pa /etc/ssh/ssh_config | ||
209 | Systemwide configuration file. | ||
210 | This file provides defaults for those | ||