1080154 – sftp / symlink does not create relative links

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1080154 - sftp / symlink does not create relative links

Summary: sftp / symlink does not create relative links

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Petr Lautrbach
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-03-24 19:05 UTC by Leon Fauster
Modified:	2015-03-17 15:55 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-04-04 11:14:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Leon Fauster 2014-03-24 19:05:25 UTC

Description of problem:
while being connected via sftp - the usage of symlink will always
create a link with a absolute path. this leads to invalid links
when using chrooted sftp connections. 



Version-Release number of selected component (if applicable):
rpm -q openssh
openssh-5.3p1-94.el6.x86_64



How reproducible:
create chroot config like
tail -16  /etc/ssh/sshd_config
# override default of no subsystems
#Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

Subsystem	sftp	internal-sftp
Match Group myexamplegroup
  ForceCommand internal-sftp
  AllowTcpForwarding no
  ChrootDirectory /myexampleroot/service/
  X11Forwarding no

---
login via sftp (with an user in group myexamplegroup)
and do something like this in a subdirectory:

symlink ../example/ test

the result is only valid while being in the sftp session.

outside the chroot the link points to 

test -> /myexampleroot/service/subdir/../example/

which is not valid




Expected results:
relative links

Comment 2 Petr Lautrbach 2014-04-04 11:14:21 UTC

Works for me with sftp client from RHEL-6

sftp> symlink ../bin bin-link
debug3: Wrote 80 bytes for a total of 2797
debug3: Sent message SSH2_FXP_SYMLINK "../bin" -> "/a/bin-link"
debug3: SSH2_FXP_STATUS 0

But I can reproduce this issue using RHEL-7's sftp:

sftp> symlink ../bin bin-link
debug3: Sent message SSH2_FXP_SYMLINK "/a/../bin" -> "/a/bin-link"
debug3: SSH2_FXP_STATUS 0

RHEL-7 bug - #1084079

Comment 3 Leon Fauster 2014-04-11 15:44:47 UTC

indeed it seems to be on client side. i was 
connecting from an osx client to a EL6 server.

this sftp clients works:
========================

el5$ ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

el6$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013



this sftp client does NOT works:
=================================
osx$ ssh -V
OpenSSH_5.9p1, OpenSSL 0.9.8y 5 Feb 2013



server side for both el5 and el6

Comment 4 Leon Fauster 2015-03-17 15:50:49 UTC

Despite that it works in the rhel ecosystem. 
we have customers that login from 

# ssh -v 2>&1 |head -1
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013

# cat /etc/debian_version 
7.8


I have openssh 6.7p1_0 tested under OSX via macports tested 
but can not create a valid symlink. 

Is this fixed in the upstream project? So that newer releases/sftp clients 
from other distributions can be used to create valid symlinks?


I do not expect this to be a valid behaviour. So, what path should one go
to fix this?

Comment 5 Petr Lautrbach 2015-03-17 15:55:28 UTC

I guess it's fixed in openssh-6.5p1 - http://www.openssh.com/txt/release-6.5 - https://bugzilla.mindrot.org/show_bug.cgi?id=2129

Note You need to log in before you can comment on or make changes to this bug.