time to fix silly ssh bug
ajax at redhat.com
Tue Jun 19 15:17:49 UTC 2012
On 6/19/12 11:02 AM, Kevin Kofler wrote:
> Neal Becker wrote:
>> Jun 19 09:44:41 nbecker5 sshd: Authentication refused: bad
>> ownership or modes for directory /home/nbecker
> Looks like a new change in OpenSSH then, which is IMHO a regression, unless
> there's a clear security vulnerability being addressed there.
So, having actually bothered to read and think about the code now, the
thing it's addressing is that if we're in the same group I can rename
directories in your ~. If there are any other files you own but I can
write to (in directories I can write to), then I can clobber them with
my pubkey and rename them to authorized_keys. If there's another
directory you own but I can write to, I can install that directory as
your ~/.ssh. Then I ssh to the machine with my own pubkey and suddenly
I can log in as you.
Which isn't normally a thing, the way we work, because the group that
owns your ~/.ssh is composed solely of you. But sshd doesn't do the
getgrent() thing to verify that, so it has no choice but to assume that
group-writable directories are potential uid escalation attacks.
The code's not wrong, it's just perhaps not as right as it could be.
That said, since one's ~ is normally group-owned by a group consisting
solely of one user, defaulting it to 755 instead of 775 would make sshd
happy without any real side effects.
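The ownership and mode rule the post is describing, as an added example that is not from this thread or from OpenSSH itself: a POSIX shell audit of ~, ~/.ssh and ~/.ssh/authorized_keys that applies the StrictModes rule (each component owned by the user or root, and neither group- nor world-writable), then shows a 775 home being refused and the 755 fix being accepted. The function names and the reliance on `ls -ldn` field order are assumptions of this example.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Assumes 'ls -ldn' prints the mode string
# as field 1 and the numeric owner uid as field 3 (GNU and BSD ls both do).

# check_path <uid> <path>: prints a verdict, returns 0 if sshd would accept it.
check_path() {
    uid=$1 path=$2
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    set -- $(ls -ldn "$path")
    mode=$1 owner=$3
    # Owner must be the user or root; otherwise a group member who owns
    # a directory could install it as the user's ~/.ssh.
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "bad owner $owner: $path"; return 1
    fi
    case $mode in
        ?????w*)    echo "group-writable: $path"; return 1 ;;   # 6th char
    esac
    case $mode in
        ????????w*) echo "world-writable: $path"; return 1 ;;   # 9th char
    esac
    echo "ok: $path"
}

# strict_modes <uid> <home>: 0 if every component on the way to the key file
# passes, 1 otherwise (mirrors the refusal seen in the quoted log line).
strict_modes() {
    rc=0
    for p in "$2" "$2/.ssh" "$2/.ssh/authorized_keys"; do
        check_path "$1" "$p" || rc=1
    done
    return $rc
}

# Constructed demo: the 775 home from the thread, then the 755 fix.
demo() {
    home=$(mktemp -d)
    mkdir -m 700 "$home/.ssh"
    : > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    chmod 775 "$home"
    strict_modes "$(id -u)" "$home" && echo "accepted" || echo "refused"
    chmod 755 "$home"
    strict_modes "$(id -u)" "$home" && echo "accepted" || echo "refused"
    rm -rf "$home"
}

demo
```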