Hide Forgot
Description of problem: I have this problem only on RHEL 7.3 servers, under RHEL 6.x and RHEL 7.2 it works: Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: The sftp process uses this Chrootdirectory "/srv/test". I will add the sosreport, so you can see the configuration in /etc/ssh/sshd_config. [root@vihla098 test]# pwd /srv/test [root@vihla098 test]# ls -la total 16 drwxr-xr-x 4 root root 4096 Nov 17 12:01 . drwxr-xr-x. 3 root root 4096 Nov 17 10:53 .. drwxrwx--- 2 root yumftp 4096 Nov 17 12:01 test1 drwxrwx--- 2 root ifxuser 4096 Nov 17 08:56 test2 [root@vihla098 test]# id thaller uid=9824(thaller) gid=30000(ifxuser) groups=30000(ifxuser),18850(spt9_mod),11050(ezmdcad),17218(itosdsm),10061(obiwan),56789(yumftp),999929(j750),17235(psc) Now I try to access the server using sftp: -bash-4.1$ sftp thaller@vihla098 Connecting to vihla098... sftp> ls test1 test2 sftp> cd test2 sftp> ls sftp> put x Uploading x to /test2/x x 100% 0 0.0KB/s 00:00 sftp> put z Uploading z to /test2/z z 100% 0 0.0KB/s 00:00 sftp> ls x z sftp> cd .. sftp> cd test1 sftp> ls Couldn't get handle: Permission denied sftp> put x Uploading x to /test1/x Couldn't get handle: Permission denied sftp> cd .. sftp> ls -l drwxrwx--- 2 0 yumftp 4096 Nov 17 11:01 test1 drwxrwx--- 2 0 ifxuser 4096 Nov 17 11:31 test2 sftp> Actual results: Permission denied to secondary group member Expected results: Should be allowed Additional info:
*** Bug 1388359 has been marked as a duplicate of this bug. ***
*** Bug 1398527 has been marked as a duplicate of this bug. ***
We have also encountered this since CentOS 7.3 has picked up this change and pushed it out. It appears to be because the capng_change_id call in patch 941 has the "CAPNG_DROP_SUPP_GRP" flag included rather than the "CAPNG_INIT_SUPP_GRP" flag. Changing this in the patch and rebuilding the RPM allows the secondary groups to work once more. i.e. openssh-6.6p1/session.c line 1646 change CAPNG_DROP_SUPP_GRP to CAPNG_INIT_SUPP_GRP. git diff is: diff --git a/SOURCES/openssh-6.6p1-chroot-capabilities.patch b/SOURCES/openssh-6.6p1-chroot-capabilities.patch index 4fb3f21..b89ba25 100644 --- a/SOURCES/openssh-6.6p1-chroot-capabilities.patch +++ b/SOURCES/openssh-6.6p1-chroot-capabilities.patch @@ -69,7 +69,7 @@ diff -up openssh-6.6p1/session.c.chroot-cap openssh-6.6p1/session.c + /* drop suid soon, retain SYS_CHROOT capability */ + capng_clear(CAPNG_SELECT_BOTH); + capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT); -+ if ((dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) != 0) ++ if ((dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_INIT_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) != 0) + logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid); +#endif #ifdef WITH_SELINUX I've not investigated the possible repercussions (security or otherwise) of this change beyond that it appears to resolve this regression. (I can't see the RedHat Solution to see what it shows as the solution)
*** Bug 1404835 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:2029