Package: openssh-client
Version: 1:9.7p1-5
Severity: normal
X-Debbugs-Cc: [email protected]
systemd services that use ssh (e.g., backup services launched by a
systemd timer) abort with:
Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
After quickly tracing through the sources, I suspect that this is due to
Debian's user-group-modes.patch. It introduces a function
secure_permission and patches read_config_file_depth in readconf.c to
use secure_permission to check that a configuration file is not world
writeable. Unfortunately, the check
if ((st->st_mode & 002) != 0)
in secure_permission does not account for symlinks. This means that the
check fails on the symbolic link
512 lrwxrwxrwx 1 root root 55 2024-05-28 20:04 /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf -> /usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
installed by systemd. As a result, services that use ssh and that are
run by systemd (e.g., backup services launched by a systemd timer) abort
with the above error message.
Removing the file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf fixes
the issue and allows systemd services that use ssh to run as before.
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.8.9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-client depends on:
ii adduser 3.137
ii libc6 2.38-11
ii libedit2 3.1-20240517-1
ii libfido2-1 1.14.0-1+b2
ii libgssapi-krb5-2 1.20.1-6+b1
ii libselinux1 3.5-2+b2
ii libssl3t64 3.2.1-3
ii passwd 1:4.13+dfsg1-4
ii zlib1g 1:1.3.dfsg+really1.3.1-1
Versions of packages openssh-client recommends:
ii xauth 1:1.1.2-1
Versions of packages openssh-client suggests:
ii keychain 2.8.5-4
pn libpam-ssh <none>
pn monkeysphere <none>
pn ssh-askpass <none>
-- no debconf information
--
|)|/ Ryan Kavanagh | 4E46 9519 ED67 7734 268F
|\|\ https://rak.ac | BD95 8F7B F8FC 4A11 C97A
Acknowledgement sent to Colin Watson <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <[email protected]>.
(Thu, 30 May 2024 17:09:04 GMT)
Subject: Re: Bug#1072221: secure_permission from user-group-modes.patch does
not account for symlinks installed by systemd
Date: Thu, 30 May 2024 18:05:37 +0100
On Thu, May 30, 2024 at 12:04:02PM -0400, Ryan Kavanagh wrote:
> systemd services that use ssh (e.g., backup services launched by a
> systemd timer) abort with:
>
> Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
>
> After quickly tracing through the sources, I suspect that this is due to
> Debian's user-group-modes.patch. It introduces a function
> secure_permission and patches read_config_file_depth in readconf.c to
> use secure_permission to check that a configuration file is not world
> writeable. Unfortunately, the check
>
> if ((st->st_mode & 002) != 0)
>
> in secure_permission does not account for symlinks.
I'm not sure that can be it, because as far as I can tell this is only
ever called on a stat buffer resulting from stat() or equivalent, not
lstat(). It shouldn't see the permissions on the symbolic link itself.
Are you in a position to trace any further? A copy of one of the
relevant systemd units might be helpful information.
--
Colin Watson (he/him) [[email protected]]
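To make the distinction in the reply above concrete, here is an added example (not code from the bug report or from OpenSSH): a world-writable check of the same shape as the quoted `(st->st_mode & 002) != 0`, fed once with a buffer from stat() and once from lstat() on a constructed symlink. The function names, the temp directory and the 0644 target file are assumptions; on Linux the symlink's own mode is always 0777, so only the lstat() buffer trips the check.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Same shape as the check quoted in the report: is the other-write bit set? */
static int world_writable(const struct stat *st)
{
    return (st->st_mode & 002) != 0;
}

/* Constructed fixture: a 0644 regular file plus a symlink pointing at it,
 * in a fresh temp directory. Returns 0 on success, -1 on error. */
static int make_fixture(char *target, size_t tlen, char *lnk, size_t llen)
{
    char dir[] = "/tmp/symlink-check-XXXXXX";
    int fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, tlen, "%s/target.conf", dir);
    snprintf(lnk, llen, "%s/link.conf", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    close(fd);
    return symlink(target, lnk);
}

/* 1 if the check trips only when fed an lstat() buffer (on Linux a symlink's
 * own mode is always 0777), 0 if stat() and lstat() agree, -1 on error. */
static int trips_only_with_lstat(const char *lnk)
{
    struct stat followed, notfollowed;
    if (stat(lnk, &followed) != 0 || lstat(lnk, &notfollowed) != 0) return -1;
    return !world_writable(&followed) && world_writable(&notfollowed);
}

/* Builds the fixture and runs the comparison; used by main() and the test. */
static int demo(void)
{
    char target[256], lnk[256];
    if (make_fixture(target, sizeof target, lnk, sizeof lnk) != 0) return -1;
    return trips_only_with_lstat(lnk);
}

int main(void)
{
    printf("symlink trips the check only via lstat(): %d\n", demo());
    return 0;
}
```

A check that receives a stat() buffer sees the 0644 target and passes, which is why the reply asks for a closer trace rather than accepting the symlink explanation.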
Acknowledgement sent to Ryan Kavanagh <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <[email protected]>.
(Thu, 30 May 2024 20:57:06 GMT)
On Thu, May 30, 2024 at 06:05:37PM +0100, Colin Watson wrote:
> Are you in a position to trace any further? A copy of one of the
> relevant systemd units might be helpful information.
Please see the attached ~/.config/systemd/user/[email protected]
file, which is based off of
borgmatic: /usr/lib/systemd/system/borgmatic.service
The log messages from journalctl are:
May 30 14:50:34 koios borgmatic[246058]: INFO ssh://rsync.net/./home-koios: Creating archive
May 30 14:50:34 koios borgmatic[246058]: INFO Remote: Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
May 30 14:50:34 koios borgmatic[246058]: INFO Connection closed by remote host. Is borg working on the server?
May 30 14:50:34 koios borgmatic[246058]: CRITICAL ssh://rsync.net/./home-koios: Error running actions for repository
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Command 'borg create --exclude-from /tmp/tmpwrlf80y_ --compression auto,lzma --one-file-system --verbose --info ssh://rsync.net/./home-koios::{hostname}-{now} [snip]
May 30 14:50:34 koios borgmatic[246058]: CRITICAL /home/rak/.config/borgmatic/home.yaml: An error occurred
May 30 14:50:34 koios borgmatic[246058]: CRITICAL
May 30 14:50:34 koios borgmatic[246058]: CRITICAL summary:
May 30 14:50:34 koios borgmatic[246058]: WARNING /home/rak/.config/borgmatic/home.yaml: Configuration sections (like ___location:, storage:, retention:, consistency:, and hooks:) are deprecated and support will be removed from a future release. To prepare for this, move your options out of sections to the global scope.
May 30 14:50:34 koios borgmatic[246058]: WARNING /home/rak/.config/borgmatic/home.yaml: The repositories option now expects a list of key/value pairs. Lists of strings for this option are deprecated and support will be removed from a future release.
May 30 14:50:34 koios borgmatic[246058]: CRITICAL /home/rak/.config/borgmatic/home.yaml: An error occurred
May 30 14:50:34 koios borgmatic[246058]: CRITICAL ssh://rsync.net/./home-koios: Error running actions for repository
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Remote: Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Connection closed by remote host. Is borg working on the server?
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Command 'borg create --exclude-from /tmp/tmpwrlf80y_ --compression auto,lzma --one-file-system --verbose --info ssh://rsync.net/./home-koios::{hostname}-{now} [snip]
May 30 14:50:34 koios borgmatic[246058]: CRITICAL
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Need some help? https://torsion.org/borgmatic/#issues
They were generated by:
systemctl --user start [email protected]
A sanitized (but untested) version of my ~/.config/borgmatic/home.yaml,
referred to by [email protected], is also attached.
I am happy to test patches, etc, or provide additional debugging
information.
Best wishes,
Ryan
--
|)|/ Ryan Kavanagh | 4E46 9519 ED67 7734 268F
|\|\ https://rak.ac | BD95 8F7B F8FC 4A11 C97A