Bug 1303910
| Summary: | sshd without privilege separation fails to drop privileges | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andreas Schneider <asn> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 23 | CC: | asn, jjelen, mattias.ellert, mgrepl, plautrba, tmraz |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openssh-7.1p2-4.fc23 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-02-28 12:20:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Related to the bug #1269072, which modified behaviour WITH PrivilegeSeparation according to SELinux. Little focus was given to the behaviour without PrivilegeSeparation. If PrivilegeSeparation is on, the privileges are dropped earlier in the child and this branch does not really make any sense. I built scratch build. Can you give it a try if it does solve your problem: http://koji.fedoraproject.org/koji/taskinfo?taskID=12800487 Proposed patch is getting ugly by adding one more check to run this branch without privsep: diff --git a/openssh-6.6p1-privsep-selinux.patch b/openssh-6.6p1-privsep-selinux.patch index 87f53df..d7817e5 100644 --- a/openssh-6.6p1-privsep-selinux.patch +++ b/openssh-6.6p1-privsep-selinux.patch @@ -141,7 +141,7 @@ index 684f867..09048bc 100644 platform_setusercontext(pw); - if (platform_privileged_uidswap()) { -+ if (platform_privileged_uidswap() && !is_child) { ++ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { The following tests passed:
torture_request_env
100% tests passed, 0 tests failed out of 1
Looks good :)
openssh-7.1p2-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-25e3f1c255 openssh-7.1p2-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-25e3f1c255 openssh-7.1p2-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: sshd with "UsePrivilegeSeparation no" configured isn't able to drop privileged if tries to execute a command. In do_setusercontext(struct passwd *pw) pw->pw_uid = 5000; platform_privileged_uidswap() return 1 (we are root) is_child is 1 This means if (platform_privileged_uidswap() && !is_child) is false and we directly jump to the end: if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); and we die here. Version-Release number of selected component (if applicable): openssh-7.1p2-3.fc23.x86_64