Bug 1398527

Summary: SFTP chroot users are unable to upload to a subdirectory in home folder with supplementary group ownership after upgrading to latest version of openssh
Product: Red Hat Enterprise Linux 7 Reporter: Sandeep MJ <sjayapra>
Component: opensshAssignee: Jakub Jelen <jjelen>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.1CC: cpatters, szidek, zpytela
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-08 07:51:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sandeep MJ 2016-11-25 06:06:22 UTC 
Description of problem:

After upgrading to "openssh-6.6.1p1-31.el7.x86_64", sftp chroot users are unable to write/execute to a sub-directory in their home folder. The sub directory's ownership is different, though the sftp user is a part of the group, of the new ownership.  

This was working fine in "openssh-6.6.1p1-25.el7_2.x86_64"

Version-Release number of selected component (if applicable): openssh-6.6.1p1-31.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Follow steps to create SFTP chroot users as per: https://access.redhat.com/solutions/20764

2. Create an additional group, add it as a supplementary group of the sftp user.

3. Within the home directory of the sftp user, create a sub-directory with the new group ownership.

4. SFTP in and attempt put, get and rm commands after moving into the sub directory


Additional info:

Reproducer details -

# getenforce
Permissive

sftp user: test-user
Supplementary group: oper

# id test-user
uid=1000(test-user) gid=1000(sftponly) groups=1000(sftponly),1002(oper)

# grep test-user /etc/passwd
test-user:x:1000:1000::/myhome:/bin/false

/etc/ssh/sshd_config:
...
Subsystem       sftp    internal-sftp
Match Group sftponly
                ChrootDirectory /chroots/%u
                AllowTcpForwarding no
                ForceCommand internal-sftp
                X11Forwarding no

# ll -R /chroots/
/chroots/:
total 0
drwxr-xr-x. 3 root root 19 Nov 25 12:27 test-user

/chroots/test-user:
total 0
drwxr-xr-x. 3 test-user sftponly 20 Nov 25 14:45 myhome

/chroots/test-user/myhome:
total 0
drwxrwxr-x. 2 root oper 32 Nov 25 15:10 testdir


Actual results:

sftp> pwd
Remote working directory: /myhome
sftp> put test.txt 
Uploading test.txt to /myhome/test.txt
test.txt                                                                                                                                                                      100%    0     0.0KB/s   00:00 
sftp> cd testdir/

sftp> put test.txt 
Uploading test.txt to /myhome/testdir/test.txt
remote open("/myhome/testdir/test.txt"): Permission denied

sftp> get sub_list 
Fetching /myhome/testdir/sub_list to sub_list
/myhome/testdir/sub_list                                                                                                                                                      100%  166    36.9KB/s   00:00  

sftp> rm sub_list 
Removing /myhome/testdir/sub_list
Couldn't delete file: Permission denied


Expected results:

sftp> put mozilla.pdf
Uploading mozilla.pdf to /myhome/testdir/mozilla.pdf
mozilla.pdf  

sftp> rm mozilla.pdf 
Removing /myhome/testdir/mozilla.pdf


Other logs:

- Nothing in /var/lg/secure on tailing this when it happens, LogLevel is DEBUG3.
- strace of the sftp process on the server shows:

# strace -ttTvf -s 4096 -p 12675
Process 12675 attached
14:54:42.664495 select(2, [0], [], NULL, NULL) = 1 (in [0]) <9.040468>
14:54:51.732312 read(0, "\0\0\0-\3\0\0\0$\0\0\0\30/myhome/testdir/test.txt\0\0\0\32\0\0\0\4\0\0\1\264", 16384) = 49 <0.001814>
14:54:51.738676 open("/myhome/testdir/test.txt", O_WRONLY|O_CREAT|O_TRUNC, 0664) = -1 EACCES (Permission denied) <0.003286>
14:54:51.753734 select(2, [0], [1], NULL, NULL) = 1 (out [1]) <0.002482>
14:54:51.762840 write(1, "\0\0\0\"e\0\0\0$\0\0\0\3\0\0\0\21Permission denied\0\0\0\0", 38) = 38 <0.002549>
14:54:51.773565 select(2, [0], [], NULL, NULL