Bug 2179723 - scp of openssh acts differently between RHEL9.0 and RHEL8.7
Summary: scp of openssh acts differently between RHEL9.0 and RHEL8.7
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: openssh
Version: 9.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Dmitry Belyavskiy
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-03-20 03:44 UTC by Yanmin Liu
Modified: 2023-06-09 13:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-06-09 13:50:38 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-10311 0 None None None 2023-04-05 10:45:38 UTC
Red Hat Issue Tracker RHELPLAN-152271 0 None None None 2023-03-20 03:45:35 UTC

Description Yanmin Liu 2023-03-20 03:44:21 UTC
Description of problem:

scp of openssh acts differently between RHEL9.0 and RHEL8.7. Is it a bug or a
specification change on RHEL9.0? If it's a specification change, what are the reasons for the change?

Version-Release number of selected component (if applicable):

openssh-8.7p1-8.el9.x86_64

How reproducible:

Always occurs

Steps to Reproduce:
1. # useradd -m test
2. # mkdir -p /root/tmp
3. # chmod 1777 /root/tmp
4. # touch /root/tmp/test.txt
5. # chown test /root/tmp/test.txt
6. # { echo C0644 12 test.txt ; printf 'hello\ntest1\n'; printf \\000; } | scp -t /root/tmp

Actual results:

scp: /root/tmp/test.txt: Permission denied
scp: protocol error: expected control record

If "chmod 0777 /root/tmp" is done, the result is the same as on RHEL8.7 and below.

Expected results:

On RHEL8.7 and below:
test.txt                                 100%   12    13.3KB/s   00:00    

Additional info:

Comment 2 Yanmin Liu 2023-03-30 06:43:25 UTC
This looks like a kernel question.

Try this one on RHEL9:
  # echo 0 > /proc/sys/fs/protected_regular

The default value is 1 on RHEL9, and 0 on RHEL8.

The directory /root/tmp is created with sticky bit enabled, and it's affected by the parameter.

But it doesn't make sense to me to use the -t option of scp. Basically, it should be used internally on the sshd server side. The option is not even documented in man scp.

Also, please make sure that the default value is the more secure configuration.

From the parameter definition in kernel-doc:

protected_regular
-----------------

This protection is similar to protected_fifos, but it
avoids writes to an attacker-controlled regular file, where a program
expected to create one.

When set to "0", writing to regular files is unrestricted.

When set to "1" don't allow O_CREAT open on regular files that we
don't own in world writable sticky directories, unless they are
owned by the owner of the directory.

When set to "2" it also applies to group writable sticky directories.
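
The sysctl text above can be turned into a small decision model, which shows why the report's scenario (sticky 1777 /root/tmp owned by root, test.txt owned by "test", scp -t running as root) is refused on RHEL9 and allowed on RHEL8. This is an added example, not code from the bug report or from the kernel; it models the kernel's fs/namei.c may_create_in_sticky() rule as documented, and assumes uid 1000 for the "test" user.

```python
import os
import stat

# Added model of the protected_regular check (kernel fs/namei.c, may_create_in_sticky).
# It fires only when an O_CREAT open hits an *existing* regular file inside a sticky
# directory. It is a VFS rule, not a capability check, so it applies to root too.

def protected_regular_denies(level, dir_mode, dir_uid, file_mode, file_uid, fsuid,
                             o_creat=True):
    """Return True if the kernel would refuse the open with EACCES."""
    if level == 0 or not o_creat or not stat.S_ISREG(file_mode):
        return False
    if not (dir_mode & stat.S_ISVTX):              # directory not sticky: no protection
        return False
    if file_uid == dir_uid or file_uid == fsuid:   # owned by dir owner, or by the opener
        return False
    if dir_mode & stat.S_IWOTH:                    # world-writable sticky dir: level >= 1
        return True
    if (dir_mode & stat.S_IWGRP) and level >= 2:   # group-writable sticky dir: level 2 only
        return True
    return False


def predict_open(path, fsuid=None):
    """Predict, for a path on this host, whether an O_CREAT open would be denied."""
    with open("/proc/sys/fs/protected_regular") as f:
        level = int(f.read())
    fsuid = os.geteuid() if fsuid is None else fsuid
    d = os.stat(os.path.dirname(os.path.abspath(path)))
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False                                # file would be created fresh; rule is moot
    return protected_regular_denies(level, d.st_mode, d.st_uid, st.st_mode, st.st_uid, fsuid)


# Constructed scenario from the report (uid 1000 for "test" is an assumption).
STICKY_WORLD = 0o1777 | stat.S_IFDIR   # /root/tmp after "chmod 1777"
STICKY_GROUP = 0o1770 | stat.S_IFDIR   # group-writable sticky dir, for the level-2 case
PLAIN_DIR = 0o777 | stat.S_IFDIR       # /root/tmp after "chmod 0777"
REG = 0o644 | stat.S_IFREG             # test.txt as created by "C0644"
TEST_UID, ROOT_UID = 1000, 0

if __name__ == "__main__":
    print("RHEL9 default (1):", protected_regular_denies(1, STICKY_WORLD, ROOT_UID, REG, TEST_UID, ROOT_UID))
    print("RHEL8 default (0):", protected_regular_denies(0, STICKY_WORLD, ROOT_UID, REG, TEST_UID, ROOT_UID))
    print("chmod 0777 dir:   ", protected_regular_denies(1, PLAIN_DIR, ROOT_UID, REG, TEST_UID, ROOT_UID))
```

predict_open() reads the live sysctl and stat data, so it can be pointed at a real target path to explain a "Permission denied" before changing the sysctl or the directory mode.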

Comment 3 Dmitry Belyavskiy 2023-04-05 10:42:55 UTC
Sorry for the delayed reply.

The main change in OpenSSH between 8.x and 9.0 related to scp is switching to sftp protocol for scp transfer. I think the behavior change you see may be related to it. You can also check if specifying -O to enforce the SCP protocol fixes the issue for you. If it does, it's a sort of OpenSSH issue (though I'm not sure we need to fix it). Otherwise you should probably change the component for this issue.

I'm not aware whether protected_regular has a different default value in RHEL 8.7 and 9.0.

Comment 4 Dmitry Belyavskiy 2023-06-09 13:50:38 UTC
Looks like it's not an OpenSSH issue. Closing.

