Package: openssh-client
Version: 1:9.7p1-5
Severity: normal
X-Debbugs-Cc: r...@debian.org

systemd services that use ssh (e.g., backup services launched by a
systemd timer) abort with:

    Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf

After quickly tracing through the sources, I suspect that this is due to
Debian's user-group-modes.patch. It introduces a function
secure_permission and patches read_config_file_depth in readconf.c to
use secure_permission to check that a configuration file is not world
writeable. Unfortunately, the check

    if ((st->st_mode & 002) != 0)

in secure_permission does not account for symlinks. This means that the
check fails on the symbolic link

    512 lrwxrwxrwx 1 root root 55 2024-05-28 20:04 /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf -> /usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf

installed by systemd. As a result, services that use ssh and that are
run by systemd (e.g., backup services launched by a systemd timer) abort
with the above error message.

Removing the file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf fixes
the issue and allows systemd services that use ssh to run as before.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.137
ii  libc6             2.38-11
ii  libedit2          3.1-20240517-1
ii  libfido2-1        1.14.0-1+b2
ii  libgssapi-krb5-2  1.20.1-6+b1
ii  libselinux1       3.5-2+b2
ii  libssl3t64        3.2.1-3
ii  passwd            1:4.13+dfsg1-4
ii  zlib1g            1:1.3.dfsg+really1.3.1-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.2-1

Versions of packages openssh-client suggests:
ii  keychain      2.8.5-4
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information

-- 
|)|/  Ryan Kavanagh  | 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac | BD95 8F7B F8FC 4A11 C97A
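
Added example (not part of the original report, and not code from OpenSSH or the Debian patch): the program below applies the quoted (st->st_mode & 002) test to a constructed symlinked config file, once with lstat() (the link itself) and once with stat() (the link's target), to show which call makes the test trip. The function names and the /tmp paths are hypothetical, and it assumes Linux, where symbolic links report mode 0777.

```c
/* Added example: the world-writable test applied to a symlink vs. its target. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The test quoted in the report: nonzero if the world-writable bit is set. */
static int world_writable(const struct stat *st)
{
    return (st->st_mode & 002) != 0;
}

/* Create target.conf (0644) and link.conf -> target.conf in a temp dir
 * (constructed sample files), then test the link itself (use_lstat != 0)
 * or the file it points to. Returns 0 or 1, or -1 on error. */
int check_symlinked_config(int use_lstat)
{
    char dir[] = "/tmp/permcheck.XXXXXX";   /* hypothetical scratch path */
    char target[128], link_path[128];
    struct stat st;
    int rc = -1;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof(target), "%s/target.conf", dir);
    snprintf(link_path, sizeof(link_path), "%s/link.conf", dir);
    if ((f = fopen(target, "w")) != NULL) {
        fclose(f);
        if (chmod(target, 0644) == 0 && symlink(target, link_path) == 0 &&
            (use_lstat ? lstat(link_path, &st) : stat(link_path, &st)) == 0)
            rc = world_writable(&st);
    }
    unlink(link_path);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("lstat (link itself): world-writable=%d\n", check_symlinked_config(1));
    printf("stat  (link target): world-writable=%d\n", check_symlinked_config(0));
    return 0;
}
```

fstat() on a descriptor obtained by opening the link path behaves like stat() here, since open() follows the link unless told otherwise.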
