Rob C | 2 Nov 2010 16:21

SFTP subsystem and umask

Hello,

I have noticed that the -u parameter to the sftp-server or internal-sftp subsystem is not working
correctly.  For openssh-5.6p1 I believe that the problem lies in this code, starting at line 1414 in sftp-server.c:
----------------------------------------------------------
case 'u':
        mask = (mode_t)strtonum(optarg, 0, 0777, &errmsg);
        if (errmsg != NULL)
                fatal("Invalid umask \"%s\": %s",
                    optarg, errmsg);
        (void)umask(mask);
        break;
----------------------------------------------------------

I think that adherence to strtonum() in this instance causes unexpected results due to "mask" being set to
decimal/base 10.

For example, say you had the following in sshd_config:
Subsystem       sftp    /usr/local/libexec/sftp-server -u 022

Then say you upload a file with permissions of 777 via sftp -p, you would expect the uploaded file to end up
with permission of 755, right?  In this case you get a file with permissions of 751 or -rwxr-x--x.  Why?

I believe it is because decimal 22 == octal 026.  Further compounding the problem is that sftp-server
doggedly insists upon accepting permissions from the sftp client before it applies umask.

To test, set the following in your sshd_config:
Subsystem       sftp    /your/path/to/sftp-server -u 18

Then kill -HUP sshd and create a file on the client with permissions of 777.  Upload the file via sftp -p and
(Continue reading)
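Added example (not from the original post and not OpenSSH code): a small C program that reproduces the arithmetic described in the message above, parsing the -u argument as decimal versus octal and applying the result to a requested mode of 0777. The function names are hypothetical, and strtol() with base 10 stands in for strtonum(), which is not available on every platform.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Shared parser: the whole string must be a number in 0..0777 in the
 * given base. Returns -1 on any error. */
static long parse_umask(const char *s, int base)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(s, &end, base);
	if (errno != 0 || end == s || *end != '\0' || v < 0 || v > 0777)
		return -1;
	return v;
}

/* Decimal parse, as strtonum() does in the quoted code (assumption:
 * strtol base 10 is used here as a portable stand-in). */
static long parse_umask_decimal(const char *s) { return parse_umask(s, 10); }

/* Octal parse, the conventional reading of a umask argument. */
static long parse_umask_octal(const char *s) { return parse_umask(s, 8); }

/* Permissions left once the umask is applied to the requested mode. */
static mode_t effective_mode(mode_t requested, long mask)
{
	return requested & ~(mode_t)mask & 0777;
}

int main(void)
{
	const char *args[] = { "022", "18", "077" };	/* constructed inputs */
	size_t i;

	for (i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
		long d = parse_umask_decimal(args[i]);
		long o = parse_umask_octal(args[i]);

		printf("-u %-3s  decimal parse: mask %03lo, 0777 -> %03o;  ",
		    args[i], (unsigned long)d, (unsigned)effective_mode(0777, d));
		if (o < 0)
			printf("octal parse: rejected\n");
		else
			printf("octal parse: mask %03lo, 0777 -> %03o\n",
			    (unsigned long)o, (unsigned)effective_mode(0777, o));
	}
	return 0;
}
```

With the decimal parse, a restrictive-looking "-u 077" leaves group and other read/write bits set (0662), while an octal parser yields 0700 and rejects "18" outright.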

Markus Duft | 2 Nov 2010 16:48

Re: Interix Port

On 10/27/2010 11:19 AM, Markus Duft wrote:
> Hi!
> 
> Thanks for the suggestions. Attached is another version of the patch
> for the second review round ;)

ping. no comments on this? any chance to get this into the vcs?

markus

> 
> I tried to - as much as possible - use the same preprocessor syntax,
> and - again, as much as possible - use the log infrastructure. however
> the big fat INTERIX_PWD_WARNING must be written on stderr directly, as
> even with error(), it won't appear if the _server_ is not at least in
> verbose mode (one -v), which is not what i want. anything i missed there?
> 
> the rest is pretty much the same, but without buffer overflow, with
> added configure check for res_query - and thus a feature flag, etc ;)
> 
> (BTW: now subscribed to the list, so i should be able to reply on future
>  mails - sorry for breaking the thread ... )
> 
> Regards, and thanks,
> Markus
> 
> 
> 
> _______________________________________________
> openssh-unix-dev mailing list

Damien Miller | 3 Nov 2010 02:53

Re: SFTP subsystem and umask

On Tue, 2 Nov 2010, Rob C wrote:

> Hello,
> 
> I have noticed that the -u parameter to the sftp-server or
> internal-sftp subsystem is not working correctly. For openssh-5.6p1 I
> believe that the problem lies in this code, starting at line 1414 in
> sftp-server.c:
>
> ----------------------------------------------------------
> case 'u':
>         mask = (mode_t)strtonum(optarg, 0, 0777, &errmsg);
>         if (errmsg != NULL)
>                 fatal("Invalid umask \"%s\": %s",
>                     optarg, errmsg);
>         (void)umask(mask);
>         break;
> ----------------------------------------------------------

Yep, that is completely broken. Please try this patch:

Index: sftp-server.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sftp-server.c,v
retrieving revision 1.91
diff -u -p -r1.91 sftp-server.c
--- sftp-server.c	13 Jan 2010 01:40:16 -0000	1.91
+++ sftp-server.c	3 Nov 2010 01:52:50 -0000
 <at>  <at>  -1349,8 +1349,7  <at>  <at>  sftp_server_main(int argc, char **argv, 
 	ssize_t len, olen, set_size;

Damien Miller | 3 Nov 2010 02:53

Re: Interix Port

On Tue, 2 Nov 2010, Markus Duft wrote:

> On 10/27/2010 11:19 AM, Markus Duft wrote:
> > Hi!
> > 
> > Thanks for the suggestions. Attached is another version of the patch
> > for the second review round ;)
> 
> ping. no comments on this? any chance to get this into the vcs?

if you haven't already, please submit the patch as a bug on
https://bugzilla.mindrot.org/

> > 
> > I tried to - as much as possible - use the same preprocessor syntax,
> > and - again, as much as possible - use the log infrastructure. however
> > the big fat INTERIX_PWD_WARNING must be written on stderr directly, as
> > even with error(), it won't appear if the _server_ is not at least in
> > verbose mode (one -v), which is not what i want. anything i missed there?
> > 
> > the rest is pretty much the same, but without buffer overflow, with
> > added configure check for res_query - and thus a feature flag, etc ;)
> > 
> > (BTW: now subscribed to the list, so i should be able to reply on future
> >  mails - sorry for breaking the thread ... )
> > 
> > Regards, and thanks,
> > Markus
> > 
> > 

Markus Duft | 3 Nov 2010 08:04

Re: Interix Port

On 11/03/2010 02:53 AM, Damien Miller wrote:
> On Tue, 2 Nov 2010, Markus Duft wrote:
> 
>> On 10/27/2010 11:19 AM, Markus Duft wrote:
>>> Hi!
>>>
>>> Thanks for the suggestions. Attached is another version of the patch
>>> for the second review round ;)
>>
>> ping. no comments on this? any chance to get this into the vcs?
> 
> if you haven't already, please submit the patch as a bug on
> https://bugzilla.mindrot.org/

ok, thanks - i will do so.

markus

> 
>>>
>>> I tried to - as much as possible - use the same preprocessor syntax,
>>> and - again, as much as possible - use the log infrastructure. however
>>> the big fat INTERIX_PWD_WARNING must be written on stderr directly, as
>>> even with error(), it won't appear if the _server_ is not at least in
>>> verbose mode (one -v), which is not what i want. anything i missed there?
>>>
>>> the rest is pretty much the same, but without buffer overflow, with
>>> added configure check for res_query - and thus a feature flag, etc ;)
>>>
>>> (BTW: now subscribed to the list, so i should be able to reply on future

Paul Bradley | 3 Nov 2010 16:55

Re: x509 cert chain

Thank you all for the information.

I will hold off for a week or two before making a decision, as
although I have only a few client machines and servers here (it's just
a home network) I am actually thinking of using Samba4 to put in a
pseudo active directory domain to manage my windows client machines
using group policy. If I do that, I will need LDAP and a Kerberos box
so if getting openssh to work with x509 certs means patching it (on
all the servers, each time I update) it may be easier to just
centralise it and authenticate to the Kerberos with x509 then do
kerberos authentication to the ssh servers.

Thanks anyway, and I won't rule out just doing it on each box
individually using Roumen's patches, but I suspect I might go with the
kerberos solution.

All the best and thanks again for the help.

Paul

On 10/31/10, Roumen Petrov <openssh <at> roumenpetrov.info> wrote:
> Paul,
>
> Hostbased authentication requires SSL Server in "Netscape Cert Type" for
> the server certificate.
> Otherwise user could update AllowedCertPurpose as default is sslserver.
>
> Please check for EnableSSHKeysign in user configuration.
>
> Roumen

Peter Stuge | 4 Nov 2010 12:52

Re: x509 cert chain

Paul Bradley wrote:
> if getting openssh to work with x509 certs means patching it (on
> all the servers, each time I update)

Suggest using a distribution on your servers that can take care of
this for you.

//Peter

Damien Miller | 4 Nov 2010 23:19

Re: x509 cert chain

On Sun, 31 Oct 2010, Damien Miller wrote:

> On Sat, 30 Oct 2010, Peter Stuge wrote:
> 
> > Paul Bradley wrote:
> > > I believe the latest OpenSSH builds support x509 certificates
> > 
> > Not at all. OpenSSH uses its own certificate format.
> > 
> > 
> > > I've found Roumen Petrov's patches and read some of his stuff but I
> > > find it a bit difficult to follow and in any case I'm not sure how
> > > relevant his implementation is to the mainline openssh 5.4/5.5
> > > x509.
> > 
> > There is no x509 in OpenSSH mainline. You need the patches if that is
> > what you want.
> 
> Yes, Roumen Petrov has maintained some for quite a few years:
> 
> http://www.roumenpetrov.info/openssh/

Also, FWIW I will probably try to implement some basic chaining in OpenSSH
certs at some point too.

-d

Rob C | 5 Nov 2010 00:43

Explicit file permissions for sftp-server

Hello again,

Even with umask working (thanks very much!) I have found that I require
more control over file permissions with sftp-server/internal-sftp.

Please see the attached patch.  It adds yet another option to
sftp-server (-m) that will force file permissions.

I have been running a patched version of 5.6p1 under RHEL4 in
production with no problems.  Please consider including this change or
something similar in the next release.

Please note that the attached patch is a diff from cvs version 1.92 of
sftp-server.c

Best regards and thanks again,

Rob Candland

--

-- 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev <at> mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Darren Tucker | 5 Nov 2010 05:15

test request: SCO with setluid() (i686-pc-sco3.2v5.0.7, possibly others)

Hi all.

I am cleaning up (I hope) one of the nastier pieces of code in openssh:
do_setusercontext which is/was a twisty maze of platform-specific
nested ifdefs.  I made a series of changes[1] where I moved each
platform-specific piece into a portable-only file platform.c, which does
not need to be kept in sync with OpenBSD.

The changes did not (I hope!) change the semantics, but there's one
change I'd like to make that doesn't fit into the new scheme: the code
that calls setluid.  The code in question dates back to at least 2001 and
I suspect its current location is mere historical accident.  Based on
some cvs archaeology and looking at the survey[2] data, I believe this
only affects SCO platforms, possibly limited to *-pc-sco3.2v*.

If anyone is still in possession of such a beast, could you please try
the patch below (against today's snapshot or newer) and see if it still
behaves as expected?

Thanks.

[1] http://anoncvs.mindrot.org/index.cgi/openssh/session.c?r1=1.398&r2=1.408

[2] plug: have you sent survey info for your platform?  if not, try "make
survey"!

Index: platform.c
===================================================================
RCS file: /var/cvs/openssh/platform.c,v
retrieving revision 1.14