[Bug 3717] New: Stricter sshd absolute path requirement breaks xinetd

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Aug 15 00:58:21 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3717

            Bug ID: 3717
           Summary: Stricter sshd absolute path requirement breaks xinetd
           Product: Portable OpenSSH
           Version: 9.8p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

Created attachment 3830
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3830&action=edit
sshd: Allow exec without absolute path in inetd mode

I originally saw this reported as https://bugs.debian.org/1078429,
although that bug indicates that it's also been reported by users of
several other distributions.  I couldn't find a record of anyone
reporting this upstream so far.

The commit that split sshd into listener and session binaries
(https://anongit.mindrot.org/openssh.git/commit/?id=03e3de416ed7c34faeb692967737be4a7bbe2eb5)
had the effect of breaking use with xinetd.  This is due to a
combination of two things.  Firstly, sshd no longer exempts inetd mode
from the absolute-path check:

-       if (rexeced_flag || inetd_flag)
-               rexec_flag = 0;
-       if (!test_flag && !do_dump_cfg && rexec_flag &&
!path_absolute(av[0]))
-               fatal("sshd re-exec requires execution with an absolute
path");
+       if (!test_flag && !do_dump_cfg && !path_absolute(av[0]))
+               fatal("sshd requires execution with an absolute path");

Secondly, xinetd apparently explicitly only passes the basename when
setting up argv[0]:

https://github.com/openSUSE/xinetd/blob/master/src/confparse.c#L92

   /*
    * Determine server name
    */
   server_name = strrchr( SC_SERVER(scp), '/' ) ;
   if ( server_name == NULL )
      server_name = SC_SERVER(scp) ;
   else
      server_name++ ;      /* skip the '/' */

   /*
    * Place it in argv[ 0 ]
    */
   SC_SERVER_ARGV(scp)[ 0 ] = new_string( server_name ) ;

I think what xinetd is doing here is perhaps a little silly, but it's
also quite widely deployed.  Would something like the attached patch
make sense?

Alternatively, I wonder whether this code is in the wrong place
following the listener/session split.  It would make a lot more sense
for sshd-session to be pedantic about how it's executed, instead of
sshd, especially given that the check was previously only applied in
re-exec mode.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list