Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1341747 - sftp -m doesn't work as advertised
sftp -m doesn't work as advertised
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh (Show other bugs)
6.8
All Linux
medium Severity medium
: rc
: ---
Assigned To: Jakub Jelen
Stefan Dordevic
: Patch
Depends On:
Blocks: 1269194
  Show dependency treegraph
 
Reported: 2016-06-01 12:33 EDT by Bryan Totty
Modified: 2017-03-21 06:02 EDT (History)
7 users (show)

See Also:
Fixed In Version: openssh-5.3p1-119.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1344614 (view as bug list)
Environment:
Last Closed: 2017-03-21 06:02:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch restoring old umask settings (915 bytes, patch)
2016-06-09 07:48 EDT, Jakub Jelen 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0641 normal SHIPPED_LIVE Moderate: openssh security and bug fix update 2017-03-21 08:31:22 EDT

  None (edit)
Description Bryan Totty 2016-06-01 12:33:36 EDT 
Description of problem:

sftp -m doesn't work as advertised.

Reference- https://access.redhat.com/solutions/32851

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-118.1.el6_8.x86_64

How reproducible:
Always.

Steps to Reproduce:

As root: su -

01. yum install openssh openssh-server openssh-clients
02. useradd testuser
   # grep testuser /etc/passwd
   testuser:x:502:502::/home/testuser:/bin/bash
03. passwd testuser
04. vim /etc/ssh/sshd_config 
   modify the file as shown in *figure 1*
05. service sshd restart
06. # mkdir -p /www/server/docs ; chown testuser /www/server/docs ; chgrp testuser /www/server/docs
   compare permissions to *figure 2*
07. su - testuser
   $ pwd
   /home/testuser
08. mkdir test ; cd test
   $ pwd
   /home/testuser/test
09. touch 1 2 3
   $ ls
   1  2  3
10. setenforce 0
    disable selinux to simplify the permissions test
11. $ sftp localhost
   Connecting to localhost...
   testuser@localhost's password: 
12. sftp> cd docs
13. sftp> put 1
14. sftp> mkdir a
15. sftp> exit
16. # pwd
   /www/server/docs
17. # ls -la
total 12
   drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:19 .
   drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
   -rw-rw-r--. 1 testuser testuser    0 Jun  1 12:18 1 <<<
   drwxrwxrwx. 2 testuser testuser 4096 Jun  1 12:19 b <<<
18. $ umask
    0002
    The umask for files and directories have not been 
    changed from the RHEL 6 default


figure 1: 

# cat /etc/ssh/sshd_config

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes

Subsystem     sftp    internal-sftp

Match user testuser
   ChrootDirectory /www/server
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp -m 664

figure 2:

# ls -la /www/server/
total 12
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 .
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:12 docs

Actual results:
File (1) got the right permissions (664), but the directory (b) has elevated write permissions (777).

Expected results:
664 permissions

Additional info:
Oddly, if you continue to create subsiquent directories, they will have the correct permissions.

sftp> mkdir c
sftp> mkdir d

...
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:28 c
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:29 d
Comment 1 Jakub Jelen 2016-06-02 04:17:50 EDT 
Manual page describes the option as

   -m force_file_perms
      Sets explicit file permissions to be applied to newly-created files [...]

It affects only files. Created directories are not affected by this option, because directory permissions are of different nature.

The directory creation is affected only by the umask (-u) settings and permission inheritance in filesystem. Maybe the note

    Option -u is ineffective if -m is set.

is a bit misleading, since it still applies on the directories.

Can you verify with customer that the settings 

   ForceCommand internal-sftp -m 664 -u 113

will solve the issue in this case?
Comment 2 Ashlee Burch 2016-06-07 16:26:01 EDT 
Response from Customer:

No, it doesn't ( you should be able to try it yourself too):

Config file:

[..]
Match user deployhq
   AllowTCPForwarding no
   X11Forwarding no
   # next one gave me 644 for files, drwxrwsr-x for dir
   #ForceCommand internal-sftp -u 002
   # next one gave me 664 for file; 777 for dir
   #ForceCommand internal-sftp -m 664
   # Trying what Redhat says:
   ForceCommand internal-sftp -m 664 -u 113
----------------
# ls -l
total 8
-rw-rw-r--. 1 deployhq cms  499 Jun  7 15:12 a
drwxrwsrwx. 2 deployhq cms 4096 Jun  7 15:12 b

Please advise.
Comment 3 Jakub Jelen 2016-06-09 07:48 EDT 
Created attachment 1166246 [details]
patch restoring old umask settings

Ouch. That is embarrassing.

If you would create the directory first and the file later, it would get the expected permissions. But you did the file first and then the umask is overwritten (for file creation) and not restored afterward, which is certainly a bug. It probably slipped through both me and our testing.

The attached patch should solve the issue. I attached also the scratch build with this patch applied:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=11160702

Can you verify that it works for you too (or possibly with a customer?).
Comment 12 errata-xmlrpc 2017-03-21 06:02:17 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0641.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.