Bug 1398569
| Summary: | sftp/ssh ignores group permissions | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | SHAURYA <sshaurya> | |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> | |
| Status: | CLOSED ERRATA | QA Contact: | Stefan Dordevic <sdordevi> | |
| Severity: | high | Docs Contact: | Mirek Jahoda <mjahoda> | |
| Priority: | urgent | |||
| Version: | 7.3 | CC: | bugzilla.redhat.com, bugzilla-redhat, dbodnarc, dhcpme, fkrska, jjelen, ksrot, markus.doering, mjahoda, mkolaja, mmezynsk, nmavrogi, santony, sdordevi, sjayapra, szidek, xhejtman, zn3zman, zpytela | |
| Target Milestone: | rc | Keywords: | Regression, ZStream | |
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | openssh-6.6.1p1-32.el7 | Doc Type: | Bug Fix | |
| Doc Text: |
In Red Hat Enterprise Linux 7.3, the chroot setup in OpenSSH did not work properly. Secondary groups of users in chroot were not correctly initialized, and capabilities were trimmed for these users. The chroot setup was fixed to match earlier behavior, and groups and capabilities of users set up using OpenSSH chroot now work as expected.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1399640 (view as bug list) | Environment: | ||
| Last Closed: | 2017-08-01 18:42:47 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1399640 | |||
|
Description
SHAURYA
2016-11-25 10:16:25 UTC
*** Bug 1388359 has been marked as a duplicate of this bug. *** *** Bug 1398527 has been marked as a duplicate of this bug. *** We have also encountered this since CentOS 7.3 has picked up this change and pushed it out.
It appears to be because the capng_change_id call in patch 941 has the "CAPNG_DROP_SUPP_GRP" flag included rather than the "CAPNG_INIT_SUPP_GRP" flag.
Changing this in the patch and rebuilding the RPM allows the secondary groups to work once more.
i.e. openssh-6.6p1/session.c line 1646
change CAPNG_DROP_SUPP_GRP to CAPNG_INIT_SUPP_GRP. git diff is:
diff --git a/SOURCES/openssh-6.6p1-chroot-capabilities.patch b/SOURCES/openssh-6.6p1-chroot-capabilities.patch
index 4fb3f21..b89ba25 100644
--- a/SOURCES/openssh-6.6p1-chroot-capabilities.patch
+++ b/SOURCES/openssh-6.6p1-chroot-capabilities.patch
@@ -69,7 +69,7 @@ diff -up openssh-6.6p1/session.c.chroot-cap openssh-6.6p1/session.c
+ /* drop suid soon, retain SYS_CHROOT capability */
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
-+ if ((dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) != 0)
++ if ((dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_INIT_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) != 0)
+ logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
+#endif
#ifdef WITH_SELINUX
I've not investigated the possible repercussions (security or otherwise) of this change beyond that it appears to resolve this regression.
(I can't see the RedHat Solution to see what it shows as the solution)
*** Bug 1404835 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:2029 |