Debian Bug report logs - #1072221
secure_permission from user-group-modes.patch does not account for symlinks installed by systemd

Package: openssh-client; Maintainer for openssh-client is Debian OpenSSH Maintainers <[email protected]>; Source for openssh-client is src:openssh (PTS, buildd, popcon).

Reported by: Ryan Kavanagh <[email protected]>

Date: Thu, 30 May 2024 16:15:01 UTC

Severity: normal

Found in version openssh/1:9.7p1-5

Message #5 received at [email protected] (full text, mbox, reply):

Received: (at submit) by bugs.debian.org; 30 May 2024 16:10:47 +0000
From [email protected] Thu May 30 16:10:47 2024
X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
	(2021-04-09) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-118.2 required=4.0 tests=BAYES_00,
	BODY_INCLUDES_PACKAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,FOURLA,FROMDEVELOPER,HAS_PACKAGE,
	PGPSIGNATURE,SPF_HELO_PASS,SPF_NONE,T_SCC_BODY_TEXT_LINE,
	USER_IN_DKIM_WELCOMELIST,USER_IN_DKIM_WHITELIST,WORD_WITHOUT_VOWELS
	autolearn=ham autolearn_force=no
	version=3.4.6-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 16; hammy, 150; neutral, 162; spammy,
	0. spammytokens: hammytokens:0.000-+--XDebbugsCc,
	0.000-+--X-Debbugs-Cc, 0.000-+--trixie, 0.000-+--sk:taint_o,
	0.000-+--sk:TAINT_O
Return-path: <[email protected]>
Received: from hades.rak.ac ([159.203.58.186]:9717)
	by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA512__AES_256_GCM:256)
	(Exim 4.94.2)
	(envelope-from <[email protected]>)
	id 1sCiMX-00H2pS-N2
	for [email protected]; Thu, 30 May 2024 16:10:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=debian.org; s=hades.rak.user;
	t=1717085044;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:  openpgp:openpgp;
	bh=Yd0cM0Yoy+gDI4lfVBlr3RfXmNmUBkV6+p4rCYSjlfk=;
	b=S6yW46xPNpPTQ+5Cp22mD1uXaAiiPrQ8MnQ7FbwKHkvxb1a/n2FEh+i/bot38pamK4o484
	RzHT9PX58fc5Mo5uHA7i4YlCyWXJlJx+c0+f0/pjgBbW4gi31LCdviRPy7bfhmmyTqZvSg
	xrDvtIehXrL80mRuloVXKqbH8Kqc2EPvu5+IKCoHWp2kl8feBWoK6gXJGcauY1oTlGzldv
	EJJWYtt2YRLNsOLyw9KjUIjyKC+e4mc/1pPhS+QAmSsO/4FQ2xCkhpvfL+7yHJX7QhkBkQ
	b/N/DaIl2gtsC9rPzLLC9VcC1WzNYPnt+hDvEJdvIYNKWdnA9DXU7GfaFQ7W7w==
Received: 
	by hades.rak.ac (OpenSMTPD) with ESMTPSA id 4a48c9cc (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) auth=yes user=koios
	for <[email protected]>;
	Thu, 30 May 2024 12:04:03 -0400 (EDT)
Received: from localhost (rak.ac [local])
	by rak.ac (OpenSMTPD) with ESMTPA id 2c1d41de
	for <[email protected]>;
	Thu, 30 May 2024 16:04:03 +0000 (UTC)
Date: Thu, 30 May 2024 12:04:02 -0400
From: Ryan Kavanagh <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: secure_permission from user-group-modes.patch does not account for
 symlinks installed by systemd
Message-ID: <omzkjq7hmzwjdxb3o7j6rncrdg5laqep24d4mceiw5ecah252m@dvcz7pq6cg3s>
X-Reportbug-Version: 13.0.1
OpenPGP: id=4E469519ED677734268FBD958F7BF8FC4A11C97A;
 url=https://rak.ac/contact/4E469519ED677734268FBD958F7BF8FC4A11C97A.asc;
 preference=sign
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="xvuc3juajbrftgz7"
Content-Disposition: inline
X-Greylist: delayed 394 seconds by postgrey-1.36 at buxtehude; Thu, 30 May 2024 16:10:44 UTC
Delivered-To: [email protected]
[Message part 1 (text/plain, inline)]
Package: openssh-client
Version: 1:9.7p1-5
Severity: normal
X-Debbugs-Cc: [email protected]

systemd services that use ssh (e.g., backup services launched by a
systemd timer) abort with:

    Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf

After quickly tracing through the sources, I suspect that this is due to
Debian's user-group-modes.patch. It introduces a function
secure_permission and patches read_config_file_depth in readconf.c to
use secure_permission to check that a configuration file is not world
writeable. Unfortunately, the check

    if ((st->st_mode & 002) != 0)

in secure_permission does not account for symlinks. This means that the
check fails on the symbolic link

    512 lrwxrwxrwx 1 root root 55 2024-05-28 20:04 /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf -> /usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf

installed by systemd. As a result, services that use ssh and that are
run by systemd (e.g., backup services launched by a systemd timer) abort
with the above error message.

Removing the file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf fixes
the issue and allows systemd services that use ssh to run as before.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.137
ii  libc6             2.38-11
ii  libedit2          3.1-20240517-1
ii  libfido2-1        1.14.0-1+b2
ii  libgssapi-krb5-2  1.20.1-6+b1
ii  libselinux1       3.5-2+b2
ii  libssl3t64        3.2.1-3
ii  passwd            1:4.13+dfsg1-4
ii  zlib1g            1:1.3.dfsg+really1.3.1-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.2-1

Versions of packages openssh-client suggests:
ii  keychain      2.8.5-4
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information

-- 
|)|/  Ryan Kavanagh  | 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac | BD95 8F7B F8FC 4A11 C97A
[signature.asc (application/pgp-signature, inline)]
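The reporter's diagnosis hinges on whether the mode test is applied to the symlink entry itself or to the file the link points at. The following is an added example, not code from the bug report or from Debian's user-group-modes.patch: it reproduces only the `(st->st_mode & 002) != 0` test quoted above (the real secure_permission also checks other things the page does not show) and runs it twice on a constructed fixture, once through `lstat()` and once through `stat()`. That the Debian patch uses `lstat()` is the reporter's suspicion, not something the page confirms; the temporary directory and file names are constructed for the demonstration.

```c
/* Added example (not from the bug report or Debian's patch): a world-writable
 * check that inspects the symlink entry itself (lstat) rejects a link to a
 * perfectly fine 0644 file, while a check that follows the link (stat) judges
 * the file that will actually be parsed. The fixture below is constructed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The mode test quoted in the report: reject if the other-write bit is set. */
static int world_writable(const struct stat *st)
{
	return (st->st_mode & 002) != 0;
}

/* Variant that inspects the path entry itself. A symlink's own mode is
 * lrwxrwxrwx, so it always looks world-writable.
 * Returns 1 if accepted, 0 if rejected, -1 on error. */
int check_without_following(const char *path)
{
	struct stat st;
	if (lstat(path, &st) != 0)
		return -1;
	return world_writable(&st) ? 0 : 1;
}

/* Variant that follows symlinks and judges the file actually read. */
int check_following(const char *path)
{
	struct stat st;
	if (stat(path, &st) != 0)
		return -1;
	return world_writable(&st) ? 0 : 1;
}

struct demo_result {
	int lstat_on_link;  /* symlink -> 0644 target, checked via lstat */
	int stat_on_link;   /* same symlink, checked via stat */
	int stat_on_loose;  /* target chmod 0666, checked via stat */
};

/* Builds a throwaway directory holding a 0644 config file and a symlink to it
 * (mirroring /etc/ssh/ssh_config.d/... -> /usr/lib/systemd/ssh_config.d/...),
 * runs both checks, then cleans up. Returns 0 on success, -1 on setup failure. */
int run_demo(struct demo_result *out)
{
	char dir[] = "/tmp/sshcfg-demo-XXXXXX";  /* constructed location */
	char target[256], lnk[256];
	int fd, rc = -1;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(target, sizeof target, "%s/20-systemd-ssh-proxy.conf", dir);
	snprintf(lnk, sizeof lnk, "%s/20-systemd-ssh-proxy.conf.link", dir);

	fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
	if (fd >= 0) {
		close(fd);
		/* chmod explicitly so the process umask cannot change the outcome */
		if (chmod(target, 0644) == 0 && symlink(target, lnk) == 0) {
			out->lstat_on_link = check_without_following(lnk);
			out->stat_on_link = check_following(lnk);
			/* now loosen the real file: the following check must reject it */
			if (chmod(target, 0666) == 0)
				out->stat_on_loose = check_following(lnk);
			rc = 0;
		}
	}
	unlink(lnk);
	unlink(target);
	rmdir(dir);
	return rc;
}

int main(void)
{
	struct demo_result r = { -1, -1, -1 };
	if (run_demo(&r) != 0) {
		perror("setup");
		return 1;
	}
	printf("lstat on symlink to 0644 file: %s\n", r.lstat_on_link ? "accepted" : "rejected (the reported symptom)");
	printf("stat  on symlink to 0644 file: %s\n", r.stat_on_link ? "accepted" : "rejected");
	printf("stat  on symlink to 0666 file: %s\n", r.stat_on_loose ? "accepted" : "rejected");
	return 0;
}
```

The third case is the one that matters for keeping the protection intact: following the link does not weaken the check, because the object being judged is the file whose contents ssh will parse, and a symlink's own permission bits say nothing about who can modify that file.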


Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 11:48:47 2025; Machine Name: buxtehude
