Description of problem:
After upgrading to "openssh-6.6.1p1-31.el7.x86_64", sftp chroot users are unable to write to or execute in a sub-directory of their home folder. The sub-directory's ownership is different, though the sftp user is a member of the group of the new ownership. This was working fine in "openssh-6.6.1p1-25.el7_2.x86_64".

Version-Release number of selected component (if applicable):
openssh-6.6.1p1-31.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Follow steps to create SFTP chroot users as per: https://access.redhat.com/solutions/20764
2. Create an additional group, add it as a supplementary group of the sftp user.
3. Within the home directory of the sftp user, create a sub-directory with the new group ownership.
4. SFTP in and attempt put, get and rm commands after moving into the sub-directory.

Additional info:
Reproducer details -

# getenforce
Permissive

sftp user: test-user
Supplementary group: oper

# id test-user
uid=1000(test-user) gid=1000(sftponly) groups=1000(sftponly),1002(oper)

# grep test-user /etc/passwd
test-user:x:1000:1000::/myhome:/bin/false

/etc/ssh/sshd_config:
...
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /chroots/%u
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no

# ll -R /chroots/
/chroots/:
total 0
drwxr-xr-x. 3 root root 19 Nov 25 12:27 test-user

/chroots/test-user:
total 0
drwxr-xr-x. 3 test-user sftponly 20 Nov 25 14:45 myhome

/chroots/test-user/myhome:
total 0
drwxrwxr-x. 2 root oper 32 Nov 25 15:10 testdir

Actual results:
sftp> pwd
Remote working directory: /myhome
sftp> put test.txt
Uploading test.txt to /myhome/test.txt
test.txt 100% 0 0.0KB/s 00:00
sftp> cd testdir/
sftp> put test.txt
Uploading test.txt to /myhome/testdir/test.txt
remote open("/myhome/testdir/test.txt"): Permission denied
sftp> get sub_list
Fetching /myhome/testdir/sub_list to sub_list
/myhome/testdir/sub_list 100% 166 36.9KB/s 00:00
sftp> rm sub_list
Removing /myhome/testdir/sub_list
Couldn't delete file: Permission denied

Expected results:
sftp> put mozilla.pdf
Uploading mozilla.pdf to /myhome/testdir/mozilla.pdf
mozilla.pdf
sftp> rm mozilla.pdf
Removing /myhome/testdir/mozilla.pdf

Other logs:
- Nothing in /var/log/secure on tailing this when it happens, LogLevel is DEBUG3.
- strace of the sftp process on the server shows:

# strace -ttTvf -s 4096 -p 12675
Process 12675 attached
14:54:42.664495 select(2, [0], [], NULL, NULL) = 1 (in [0]) <9.040468>
14:54:51.732312 read(0, "\0\0\0-\3\0\0\0$\0\0\0\30/myhome/testdir/test.txt\0\0\0\32\0\0\0\4\0\0\1\264", 16384) = 49 <0.001814>
14:54:51.738676 open("/myhome/testdir/test.txt", O_WRONLY|O_CREAT|O_TRUNC, 0664) = -1 EACCES (Permission denied) <0.003286>
14:54:51.753734 select(2, [0], [1], NULL, NULL) = 1 (out [1]) <0.002482>
14:54:51.762840 write(1, "\0\0\0\"e\0\0\0$\0\0\0\3\0\0\0\21Permission denied\0\0\0\0", 38) = 38 <0.002549>
14:54:51.773565 select(2, [0], [], NULL, NULL
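The strace shows the EACCES coming straight from the kernel's open(), with SELinux in Permissive, so the only thing left to check is the DAC decision. The following is an added example (not part of the bug report and not OpenSSH code): it models the POSIX owner/group/other check for the two directories in the `ll -R /chroots/` listing and evaluates the same put/cd/rm operations under two credential sets. The first set is what `id test-user` reports; the second is a hypothesis the report does not state, that the internal-sftp process runs with only the primary gid and no supplementary groups applied. ACLs and CAP_DAC_OVERRIDE are deliberately not modelled.

```python
# Added example, not part of the bug report: a model of the POSIX DAC check
# applied to the directories in the `ll -R /chroots/` listing, to see which
# process credentials reproduce "Permission denied" on put/rm in testdir while
# put in /myhome and cd into testdir still succeed.
from dataclasses import dataclass
from typing import Dict, Tuple

R, W, X = 4, 2, 1


def parse_mode(ls_field: str) -> int:
    """Turn an `ls -l` mode column such as 'drwxrwxr-x.' into permission bits.

    Handles setuid/setgid/sticky letters; the file-type character and the
    trailing '.' (SELinux context present) are ignored.
    """
    perms = ls_field[1:10]
    if len(perms) != 9:
        raise ValueError(f"bad mode field: {ls_field!r}")
    mode = 0
    for i, ch in enumerate(perms):
        shift = 6 - 3 * (i // 3)          # owner, group, other triples
        if ch in "rwx":
            mode |= {"r": R, "w": W, "x": X}[ch] << shift
        elif ch in "sS" and i in (2, 5):  # setuid on owner-x, setgid on group-x
            mode |= 0o4000 if i == 2 else 0o2000
            if ch == "s":
                mode |= X << shift
        elif ch in "tT" and i == 8:       # sticky bit on the other-x slot
            mode |= 0o1000
            if ch == "t":
                mode |= X
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {ls_field!r}")
    return mode


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int


@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int
    groups: Tuple[int, ...]   # supplementary gids actually held by the process


def allowed(inode: Inode, creds: Creds, want: int) -> bool:
    """Exactly one class applies: owner if uid matches, else group if the
    inode's gid is the primary gid or a supplementary gid, else other.
    Root bypass and POSIX ACLs are not modelled."""
    if creds.uid == inode.uid:
        cls = (inode.mode >> 6) & 7
    elif inode.gid == creds.gid or inode.gid in creds.groups:
        cls = (inode.mode >> 3) & 7
    else:
        cls = inode.mode & 7
    return cls & want == want


# Constructed from the report's listing: uid/gid 1000 from `id test-user`,
# root is uid 0, group "oper" is gid 1002.
MYHOME = Inode("/myhome", uid=1000, gid=1000, mode=parse_mode("drwxr-xr-x."))
TESTDIR = Inode("/myhome/testdir", uid=0, gid=1002, mode=parse_mode("drwxrwxr-x."))

FULL_GROUPS = Creds(uid=1000, gid=1000, groups=(1000, 1002))   # what `id` shows
PRIMARY_ONLY = Creds(uid=1000, gid=1000, groups=(1000,))       # hypothesis only


def sftp_outcomes(creds: Creds) -> Dict[str, bool]:
    """open(O_CREAT) and unlink() need write+search on the parent directory;
    cd needs only search. Reading sub_list itself is not modelled because
    its mode is not in the listing."""
    return {
        "put /myhome/test.txt": allowed(MYHOME, creds, W | X),
        "cd /myhome/testdir": allowed(TESTDIR, creds, X),
        "put /myhome/testdir/test.txt": allowed(TESTDIR, creds, W | X),
        "rm /myhome/testdir/sub_list": allowed(TESTDIR, creds, W | X),
    }


def matches_report(creds: Creds) -> bool:
    """True when the credentials reproduce exactly the observed pattern."""
    return sftp_outcomes(creds) == {
        "put /myhome/test.txt": True,
        "cd /myhome/testdir": True,
        "put /myhome/testdir/test.txt": False,
        "rm /myhome/testdir/sub_list": False,
    }


if __name__ == "__main__":
    for name, creds in (("full groups", FULL_GROUPS), ("primary gid only", PRIMARY_ONLY)):
        print(f"{name}: matches report = {matches_report(creds)}")
        for op, ok in sftp_outcomes(creds).items():
            print(f"  {op:30s} {'ok' if ok else 'EACCES'}")
```

Only the primary-gid-only credential set reproduces the observed pattern, so the thing to verify on the affected host is whether the supplementary group is really attached to the process serving the session: while the sftp client is connected, compare the `Groups:` line of /proc/<pid>/status for the internal-sftp child (pid 12675 in the strace above) against the `groups=` list from `id test-user`. If 1002 is missing there, the write and unlink failures are exactly what DAC requires, and the difference between -25 and -31 lies in how sshd sets up the process credentials rather than in the filesystem.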