Subject: Re: SSH and sticky mode in directories
To: None <tech-userlevel@NetBSD.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-userlevel
Date: 12/20/2007 19:50:49
On Thu, 20 Dec 2007, Julio M. Merino Vidal wrote:
> The problem I'm having is that the server refuses to open the
> authorized_keys file because one of its path components is a
> group/other-writable directory (that is, /tmp).
Last time I checked, sshd didn't do a full path walk, it just checked
a few directories and files (I think only ~user, ~user/.ssh, and
~user/.ssh/authorized_keys), so putting your data one level deeper in
the directory tree might help.
> And I think that's incorrect, because it should also take into account
> the fact that the directory has the sticky bit set. If that bit is
> set, I don't see how being group/other-writable is a problem. Can
> anybody see any security implications of relaxing this permission
> check to make sure that the directory is not group/other-writable or,
> if it is, it is also marked as sticky?
If authorized_keys does not exist, but ~user/.ssh is group or world
writable with the sticky bit set, then an attacker could create an
authorized_keys file. Similarly if ~user/.ssh doesn't exist but ~user
is group or world writable with the sticky bit set.
Also, the semantics of the sticky bit are not specified by POSIX, so
portable OpenSSH might not want to depend on it.
--apb (Alan Barrett)