Bug 1344614 - sftp -m modifies umask and breaks permissions on new directories
Summary: sftp -m modifies umask and breaks permissions on new directories
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: Stanislav Zidek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-10 07:41 UTC by Jakub Jelen
Modified: 2020-05-14 15:12 UTC (History)
4 users (show)

Fixed In Version: openssh-6.6.1p1-28.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1341747
Environment:
Last Closed: 2016-11-03 20:20:23 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2588 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2016-11-03 12:09:45 UTC

Description Jakub Jelen 2016-06-10 07:41:34 UTC
This is also applicable on RHEL7.2 and therefore it should get fixed also there.

+++ This bug was initially created as a clone of Bug #1341747 +++

Description of problem:

sftp -m doesn't work as advertised.

Reference- https://access.redhat.com/solutions/32851

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-118.1.el6_8.x86_64

How reproducible:
Always.

Steps to Reproduce:

As root: su -

01. yum install openssh openssh-server openssh-clients
02. useradd testuser
   # grep testuser /etc/passwd
   testuser:x:502:502::/home/testuser:/bin/bash
03. passwd testuser
04. vim /etc/ssh/sshd_config 
   modify the file as shown in *figure 1*
05. service sshd restart
06. # mkdir -p /www/server/docs ; chown testuser /www/server/docs ; chgrp testuser /www/server/docs
   compare permissions to *figure 2*
07. su - testuser
   $ pwd
   /home/testuser
08. mkdir test ; cd test
   $ pwd
   /home/testuser/test
09. touch 1 2 3
   $ ls
   1  2  3
10. setenforce 0
    disable selinux to simplify the permissions test
11. $ sftp localhost
   Connecting to localhost...
   testuser@localhost's password: 
12. sftp> cd docs
13. sftp> put 1
14. sftp> mkdir a
15. sftp> exit
16. # pwd
   /www/server/docs
17. # ls -la
total 12
   drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:19 .
   drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
   -rw-rw-r--. 1 testuser testuser    0 Jun  1 12:18 1 <<<
   drwxrwxrwx. 2 testuser testuser 4096 Jun  1 12:19 b <<<
18. $ umask
    0002
    The umask for files and directories have not been 
    changed from the RHEL 6 default


figure 1: 

# cat /etc/ssh/sshd_config

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes

Subsystem     sftp    internal-sftp

Match user testuser
   ChrootDirectory /www/server
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp -m 664

figure 2:

# ls -la /www/server/
total 12
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 .
drwxr-xr-x. 3 root     root     4096 Jun  1 11:57 ..
drwxr-xr-x. 3 testuser testuser 4096 Jun  1 12:12 docs

Actual results:
File (1) got the right permissions (664), but the directory (b) has elevated write permissions (777).

Expected results:
664 permissions

Additional info:
Oddly, if you continue to create subsiquent directories, they will have the correct permissions.

sftp> mkdir c
sftp> mkdir d

...
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:28 c
drwxr-xr-x. 2 testuser testuser 4096 Jun  1 12:29 d

--- Additional comment from Jakub Jelen on 2016-06-09 13:48 CEST ---

Ouch. That is embarrassing.

If you would create the directory first and the file later, it would get the expected permissions. But you did the file first and then the umask is overwritten (for file creation) and not restored afterward, which is certainly a bug. It probably slipped through both me and our testing.

Tested patch is available.

Comment 5 errata-xmlrpc 2016-11-03 20:20:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2588.html


Note You need to log in before you can comment on or make changes to this bug.