1341747 – sftp -m doesn't work as advertised

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1341747 - sftp -m doesn't work as advertised

Summary: sftp -m doesn't work as advertised

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	6.8
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Jelen
QA Contact:	Stefan Dordevic
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1269194
TreeView+	depends on / blocked

Reported:	2016-06-01 16:33 UTC by Bryan Totty
Modified:	2020-05-14 15:12 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openssh-5.3p1-119.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1344614 (view as bug list)
Environment:
Last Closed:	2017-03-21 10:02:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
patch restoring old umask settings (915 bytes, patch) 2016-06-09 11:48 UTC, Jakub Jelen	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:0641	0	normal	SHIPPED_LIVE	Moderate: openssh security and bug fix update	2017-03-21 12:31:22 UTC

Description Bryan Totty 2016-06-01 16:33:36 UTC

Description of problem:

sftp -m doesn't work as advertised.

Reference- https://access.redhat.com/solutions/32851

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-118.1.el6_8.x86_64

How reproducible:
Always.

Steps to Reproduce:

As root: su -

01. yum install openssh openssh-server openssh-clients
02. useradd testuser
   # grep testuser /etc/passwd
   testuser:x:502:502::/home/testuser:/bin/bash
03. passwd testuser
04. vim /etc/ssh/sshd_config 
   modify the file as shown in *figure 1*
05. service sshd restart
06. # mkdir -p /www/server/docs ; chown testuser /www/server/docs ; chgrp testuser /www/server/docs
   compare permissions to *figure 2*
07. su - testuser
   $ pwd
   /home/testuser
08. mkdir test ; cd test
   $ pwd
   /home/testuser/test
09. touch 1 2 3
   $ ls
   1  2  3
10. setenforce 0
    disable selinux to simplify the permissions test
11. $ sftp localhost
   Connecting to localhost...
   testuser@localhost's password: 
12. sftp> cd docs
13. sftp> put 1
14. sftp> mkdir a
15. sftp> exit
16. # pwd
   /www/server/docs
17. # ls -la
total 12
   drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:19 .
   drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
   -rw-rw-r--. 1 testuser testuser    0 Jun  1 12:18 1 <<<
   drwxrwxrwx. 2 testuser testuser 4096 Jun  1 12:19 b <<<
18. $ umask
    0002
    The umask for files and directories have not been 
    changed from the RHEL 6 default


figure 1: 

# cat /etc/ssh/sshd_config

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes

Subsystem     sftp    internal-sftp

Match user testuser
   ChrootDirectory /www/server
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp -m 664

figure 2:

# ls -la /www/server/
total 12
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 .
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:12 docs

Actual results:
File (1) got the right permissions (664), but the directory (b) has elevated write permissions (777).

Expected results:
664 permissions

Additional info:
Oddly, if you continue to create subsiquent directories, they will have the correct permissions.

sftp> mkdir c
sftp> mkdir d

...
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:28 c
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:29 d

Comment 1 Jakub Jelen 2016-06-02 08:17:50 UTC

Manual page describes the option as

   -m force_file_perms
      Sets explicit file permissions to be applied to newly-created files [...]

It affects only files. Created directories are not affected by this option, because directory permissions are of different nature.

The directory creation is affected only by the umask (-u) settings and permission inheritance in filesystem. Maybe the note

    Option -u is ineffective if -m is set.

is a bit misleading, since it still applies on the directories.

Can you verify with customer that the settings 

   ForceCommand internal-sftp -m 664 -u 113

will solve the issue in this case?

Comment 2 Ashlee Burch 2016-06-07 20:26:01 UTC

Response from Customer:

No, it doesn't ( you should be able to try it yourself too):

Config file:

[..]
Match user deployhq
   AllowTCPForwarding no
   X11Forwarding no
   # next one gave me 644 for files, drwxrwsr-x for dir
   #ForceCommand internal-sftp -u 002
   # next one gave me 664 for file; 777 for dir
   #ForceCommand internal-sftp -m 664
   # Trying what Redhat says:
   ForceCommand internal-sftp -m 664 -u 113
----------------
# ls -l
total 8
-rw-rw-r--. 1 deployhq cms  499 Jun  7 15:12 a
drwxrwsrwx. 2 deployhq cms 4096 Jun  7 15:12 b

Please advise.

Comment 3 Jakub Jelen 2016-06-09 11:48:23 UTC

Created attachment 1166246 [details]
patch restoring old umask settings

Ouch. That is embarrassing.

If you would create the directory first and the file later, it would get the expected permissions. But you did the file first and then the umask is overwritten (for file creation) and not restored afterward, which is certainly a bug. It probably slipped through both me and our testing.

The attached patch should solve the issue. I attached also the scratch build with this patch applied:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=11160702

Can you verify that it works for you too (or possibly with a customer?).

Comment 12 errata-xmlrpc 2017-03-21 10:02:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0641.html

Note You need to log in before you can comment on or make changes to this bug.