Bug 1303910 - sshd without privilege separation fails to drop privileges
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 23
Hardware: Unspecified
OS: Unspecified
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-02-02 12:07 UTC by Andreas Schneider
Modified: 2016-02-28 12:20 UTC (History)

Fixed In Version: openssh-7.1p2-4.fc23
Doc Type: Bug Fix
Last Closed: 2016-02-28 12:20:03 UTC
Type: Bug

Links
System: Red Hat Bugzilla; ID: 1269072; Private: 0; Priority: low; Status: CLOSED; Summary: SELinux/PAM: Openssh chage related issue; Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 1269072

Description Andreas Schneider 2016-02-02 12:07:39 UTC
Description of problem:
sshd with "UsePrivilegeSeparation no" configured isn't able to drop privileges if it tries to execute a command.

In do_setusercontext(struct passwd *pw)

pw->pw_uid = 5000;

platform_privileged_uidswap() returns 1 (we are root)
is_child is 1

This means

if (platform_privileged_uidswap() && !is_child)

is false and we directly jump to the end:


if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
  fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);

and we die here.


Version-Release number of selected component (if applicable):
openssh-7.1p2-3.fc23.x86_64

Comment 1 Jakub Jelen 2016-02-03 10:27:51 UTC
Related to the bug #1269072, which modified behaviour WITH PrivilegeSeparation according to SELinux. Little focus was given to the behaviour without PrivilegeSeparation.

If PrivilegeSeparation is on, the privileges are dropped earlier in the child and this branch does not really make any sense.

I built a scratch build. Can you give it a try and see if it solves your problem:
http://koji.fedoraproject.org/koji/taskinfo?taskID=12800487

Proposed patch is getting ugly by adding one more check to run this branch without privsep:

diff --git a/openssh-6.6p1-privsep-selinux.patch b/openssh-6.6p1-privsep-selinux.patch
index 87f53df..d7817e5 100644
--- a/openssh-6.6p1-privsep-selinux.patch
+++ b/openssh-6.6p1-privsep-selinux.patch
@@ -141,7 +141,7 @@ index 684f867..09048bc 100644
  	platform_setusercontext(pw);
  
 -	if (platform_privileged_uidswap()) {
-+	if (platform_privileged_uidswap() && !is_child) {
++	if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,
  		    (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
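
Review bot: the compound guard on the new line, `(!is_child || !use_privsep)`, is easier to audit when written as `!(is_child && use_privsep)`, which says directly that only the privsep child skips this branch. A one-line comment stating why that child may skip it (its privileges were already dropped earlier) would help, because any state that wrongly skips the branch ends in the "Failed to set uids" fatal() further down. The visible context does not show a declaration of `use_privsep` in this file, so confirm it is in scope here, and add a regression test that runs a command with "UsePrivilegeSeparation no".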

Comment 2 Andreas Schneider 2016-02-04 09:04:18 UTC
The following tests passed:
        torture_request_env

100% tests passed, 0 tests failed out of 1



Looks good :)
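
The control flow from the description and the two guards from the patch in Comment 1, modelled as an added example (not OpenSSH code and not part of this bug report). The names privileged(), guard_before(), guard_after() and model_setusercontext() are hypothetical, and the guarded branch is assumed to leave the process at pw_uid.

```c
#include <stdio.h>

/* Stand-in for platform_privileged_uidswap(): true while still root. */
static int privileged(unsigned uid) { return uid == 0; }

/* Guard before the fix (the "-" line of the patch in Comment 1). */
static int guard_before(unsigned uid, int is_child, int use_privsep) {
    (void)use_privsep;
    return privileged(uid) && !is_child;
}

/* Guard proposed in Comment 1 (the "+" line). */
static int guard_after(unsigned uid, int is_child, int use_privsep) {
    return privileged(uid) && (!is_child || !use_privsep);
}

typedef int (*guard_fn)(unsigned, int, int);

/* Hypothetical model of do_setusercontext(): returns the uid the command
 * would run as, or -1 where sshd calls fatal("Failed to set uids to %u."). */
static long model_setusercontext(guard_fn guard, unsigned uid, int is_child,
                                 int use_privsep, unsigned pw_uid) {
    if (guard(uid, is_child, use_privsep))
        uid = pw_uid;   /* assumption: the guarded branch ends at pw_uid */
    if (uid != pw_uid)  /* final getuid()/geteuid() comparison */
        return -1;      /* fail closed instead of running as the wrong uid */
    return (long)uid;
}

int main(void) {
    const unsigned pw_uid = 5000;   /* value used in the report */
    /* Constructed cases: starting uid, is_child, use_privsep. */
    const struct { const char *name; unsigned uid; int child, privsep; } c[] = {
        {"privsep off, child still root", 0, 1, 0},
        {"privsep on, child already dropped", 5000, 1, 1},
        {"not a child, still root", 0, 0, 1},
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-36s before=%ld after=%ld\n", c[i].name,
               model_setusercontext(guard_before, c[i].uid, c[i].child,
                                    c[i].privsep, pw_uid),
               model_setusercontext(guard_after, c[i].uid, c[i].child,
                                    c[i].privsep, pw_uid));
    return 0;
}
```

Only the first case changes between the two guards: the old one reaches the fatal() path, the new one drops to pw_uid. In both versions the final uid comparison is what keeps a skipped branch from running the command as root.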

Comment 3 Fedora Update System 2016-02-25 10:33:08 UTC
openssh-7.1p2-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-25e3f1c255

Comment 4 Fedora Update System 2016-02-26 20:53:20 UTC
openssh-7.1p2-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-25e3f1c255

Comment 5 Fedora Update System 2016-02-28 12:19:53 UTC
openssh-7.1p2-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

