Debian Bug report logs - #1072221
secure_permission from user-group-modes.patch does not account for symlinks installed by systemd

Package: openssh-client; Maintainer for openssh-client is Debian OpenSSH Maintainers <[email protected]>; Source for openssh-client is src:openssh.

Reported by: Ryan Kavanagh <[email protected]>

Date: Thu, 30 May 2024 16:15:01 UTC

Severity: normal

Found in version openssh/1:9.7p1-5


Message #15 received at [email protected]:

Date: Thu, 30 May 2024 16:39:02 -0400
From: Ryan Kavanagh <[email protected]>
To: Colin Watson <[email protected]>
Cc: [email protected]
Subject: Re: Bug#1072221: secure_permission from user-group-modes.patch does
 not account for symlinks installed by systemd
[Message part 1 (text/plain, inline)]
On Thu, May 30, 2024 at 06:05:37PM +0100, Colin Watson wrote:
> Are you in a position to trace any further?  A copy of one of the
> relevant systemd units might be helpful information.

Please see the attached ~/.config/systemd/user/[email protected]
file, which is based off of

    borgmatic: /usr/lib/systemd/system/borgmatic.service

The log messages from journalctl are:

May 30 14:50:34 koios borgmatic[246058]: INFO ssh://rsync.net/./home-koios: Creating archive
May 30 14:50:34 koios borgmatic[246058]: INFO Remote: Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
May 30 14:50:34 koios borgmatic[246058]: INFO Connection closed by remote host. Is borg working on the server?
May 30 14:50:34 koios borgmatic[246058]: CRITICAL ssh://rsync.net/./home-koios: Error running actions for repository
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Command 'borg create --exclude-from /tmp/tmpwrlf80y_ --compression auto,lzma --one-file-system --verbose --info ssh://rsync.net/./home-koios::{hostname}-{now} [snip]
May 30 14:50:34 koios borgmatic[246058]: CRITICAL /home/rak/.config/borgmatic/home.yaml: An error occurred
May 30 14:50:34 koios borgmatic[246058]: CRITICAL
May 30 14:50:34 koios borgmatic[246058]: CRITICAL summary:
May 30 14:50:34 koios borgmatic[246058]: WARNING /home/rak/.config/borgmatic/home.yaml: Configuration sections (like ___location:, storage:, retention:, consistency:, and hooks:) are deprecated and support will be removed from a future release. To prepare for this, move your options out of sections to the global scope.
May 30 14:50:34 koios borgmatic[246058]: WARNING /home/rak/.config/borgmatic/home.yaml: The repositories option now expects a list of key/value pairs. Lists of strings for this option are deprecated and support will be removed from a future release.
May 30 14:50:34 koios borgmatic[246058]: CRITICAL /home/rak/.config/borgmatic/home.yaml: An error occurred
May 30 14:50:34 koios borgmatic[246058]: CRITICAL ssh://rsync.net/./home-koios: Error running actions for repository
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Remote: Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Connection closed by remote host. Is borg working on the server?
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Command 'borg create --exclude-from /tmp/tmpwrlf80y_ --compression auto,lzma --one-file-system --verbose --info ssh://rsync.net/./home-koios::{hostname}-{now} [snip]
May 30 14:50:34 koios borgmatic[246058]: CRITICAL
May 30 14:50:34 koios borgmatic[246058]: CRITICAL Need some help? https://torsion.org/borgmatic/#issues

They were generated by:

    systemctl --user start [email protected]

A sanitized (but untested) version of my ~/.config/borgmatic/home.yaml,
referred to by [email protected], is also attached.

I am happy to test patches, etc, or provide additional debugging
information.

Best wishes,
Ryan

-- 
|)|/  Ryan Kavanagh  | 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac | BD95 8F7B F8FC 4A11 C97A
[[email protected] (text/plain, attachment)]
[home.yaml (application/yaml, attachment)]
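
Added example, not part of the original report and not OpenSSH or Debian code: a diagnostic that reports the owner and mode of a config path twice, once for the link itself (`lstat`) and once for its target (`stat`), and applies one rule to each view. The rule used here (owned by root or the calling user, no group or other write bit) is an assumption standing in for the patched check, whose source is not shown on this page; `passes`, `describe` and `permission_views` are hypothetical names.

```python
import os
import stat
import sys


def passes(st, uid):
    """Assumed rule: owner is root or `uid`, and no group/other write bit."""
    owner_ok = st.st_uid in (0, uid)
    mode_ok = (stat.S_IMODE(st.st_mode) & 0o022) == 0
    return owner_ok and mode_ok


def describe(st, uid):
    """Summarise one stat result and whether it satisfies the assumed rule."""
    return {"uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "ok": passes(st, uid)}


def permission_views(path, uid=None):
    """Return the link's own metadata and the target's metadata for `path`."""
    uid = os.getuid() if uid is None else uid
    link_st = os.lstat(path)  # metadata of the directory entry itself
    report = {"path": path,
              "is_symlink": stat.S_ISLNK(link_st.st_mode),
              "resolved": os.path.realpath(path),
              "link": describe(link_st, uid)}
    try:
        report["target"] = describe(os.stat(path), uid)  # follows symlinks
    except OSError as exc:  # dangling link, or target not visible from here
        report["target"] = {"error": exc.strerror, "ok": False}
    return report


if __name__ == "__main__":
    # Default path is the one named in the journalctl output above.
    default = ["/etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf"]
    for p in sys.argv[1:] or default:
        try:
            r = permission_views(p)
        except OSError as exc:
            print(f"{p}: {exc.strerror}")
            continue
        print(f"{p} -> {r['resolved']} (symlink: {r['is_symlink']})")
        for view in ("link", "target"):
            print(f"  {view}: {r[view]}")
```

Running it both from an interactive shell and from within the failing user unit shows whether the two contexts see different ownership or modes for the same path.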
