Subject: Re: SSH and sticky mode in directories
To: None <tech-userlevel@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: tech-userlevel
Date: 12/20/2007 21:55:36
In article <60CF69D6-FD26-47D5-B72B-1B91D46D5D39@ac.upc.edu>,
Julio M. Merino Vidal <jmerino@ac.upc.edu> wrote:
>Hi,
>
>First of all, I'm not sure if this message really belongs to this  
>list, but I think it can be properly discussed here.  (OK, surely  
>not, it should be put in the OpenSSH mailing list, whatever it is,  
>but I first would like to hear some comments here.)
>
>I'm trying to set up some automated tests for psshfs, and to do that  
>I automatically configure a new SSH server (running as an  
>unprivileged user or root, it does not matter).  The test uses a  
>secure subdirectory in /tmp (such as /tmp/atf.123456) to store all of  
>its files, which include the configuration files for the SSH server  
>as well as all the user's keys and authorized_keys files (generated  
>at run time to do a temporary password-less login).
>
>The problem I'm having is that the server refuses to open the  
>authorized_keys file because one of its path components is a group/ 
>other-writable directory (that is, /tmp).  And I think that's  
>incorrect, because it should also take into account the fact that the  
>directory has the sticky bit set.  If that bit is set, I don't see  
>how being group/other-writable is a problem.  Can anybody see any  
>security implications of relaxing this permission check to make sure  
>that the directory is not group/other-writable or, if it is, it is  
>also marked as sticky?
>
>If you think this is OK, can we have this fix committed to our copy  
>of SSH, or should it be first passed through the OpenSSH developers?
>
>While looking at the code, I've found that many different files  
>opened by it can suffer from this problem, so I've mechanically fixed  
>all the occurrences of similar code.  Patch below, just for review  
>for now.

I'd pass it to the OpenSSH folks first.

christos
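The per-component ownership and mode walk that the quoted message describes, with the proposed "group/other-writable is tolerated if the directory is also sticky" relaxation as an option, as an added example (this is not OpenSSH's code or the thread's patch; the fixture names such as atf.123456 are constructed):

```python
import os
import shutil
import stat
import tempfile


def check_path(path, uid, stop, allow_sticky=False):
    """Walk from `path` up to and including `stop`, rejecting any component
    not owned by `uid` or root, or that is group/other-writable.  With
    allow_sticky=True a group/other-writable *directory* is tolerated when
    its sticky bit is also set.  Returns None if clean, else a reason."""
    cur = os.path.realpath(path)
    stop = os.path.realpath(stop)
    while True:
        st = os.stat(cur)
        if st.st_uid not in (0, uid):
            return "bad ownership: %s" % cur
        if st.st_mode & 0o022:
            sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
            if not (allow_sticky and sticky_dir):
                return "bad modes: %s" % cur
        if cur == stop or cur == "/":
            return None
        cur = os.path.dirname(cur)


def demo():
    """Constructed fixture: <root>/<top>/atf.123456/authorized_keys with three
    different modes on <top>.  Returns {name: (strict_ok, relaxed_ok)}."""
    uid = os.getuid()
    root = tempfile.mkdtemp()
    results = {}
    try:
        for name, mode in (("safe", 0o755), ("sticky", 0o1777), ("open", 0o777)):
            top = os.path.join(root, name)
            os.mkdir(top)
            sub = os.path.join(top, "atf.123456")
            os.mkdir(sub, 0o700)
            keyfile = os.path.join(sub, "authorized_keys")
            with open(keyfile, "w") as f:
                f.write("# constructed placeholder, not a real key\n")
            os.chmod(keyfile, 0o600)
            os.chmod(top, mode)  # chmod after mkdir so umask cannot strip bits
            results[name] = (check_path(keyfile, uid, root) is None,
                             check_path(keyfile, uid, root, allow_sticky=True) is None)
    finally:
        shutil.rmtree(root)
    return results
```

The sticky bit only stops other users from renaming or unlinking entries they do not own, so the relaxed check still relies on the caller creating its own subdirectory (here atf.123456) before anyone else can claim that name.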