[Bug 3717] New: Stricter sshd absolute path requirement breaks xinetd
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Thu Aug 15 00:58:21 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3717
Bug ID: 3717
Summary: Stricter sshd absolute path requirement breaks xinetd
Product: Portable OpenSSH
Version: 9.8p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: cjwatson at debian.org
Created attachment 3830
--> https://bugzilla.mindrot.org/attachment.cgi?id=3830&action=edit
sshd: Allow exec without absolute path in inetd mode
I originally saw this reported as https://bugs.debian.org/1078429,
although that bug indicates that it's also been reported by users of
several other distributions. I couldn't find a record of anyone
reporting this upstream so far.
The commit that split sshd into listener and session binaries
(https://anongit.mindrot.org/openssh.git/commit/?id=03e3de416ed7c34faeb692967737be4a7bbe2eb5)
had the effect of breaking use with xinetd. This is due to a
combination of two things. Firstly, sshd no longer exempts inetd mode
from the absolute-path check:
- if (rexeced_flag || inetd_flag)
- rexec_flag = 0;
- if (!test_flag && !do_dump_cfg && rexec_flag &&
!path_absolute(av[0]))
- fatal("sshd re-exec requires execution with an absolute
path");
+ if (!test_flag && !do_dump_cfg && !path_absolute(av[0]))
+ fatal("sshd requires execution with an absolute path");
Secondly, xinetd apparently explicitly only passes the basename when
setting up argv[0]:
https://github.com/openSUSE/xinetd/blob/master/src/confparse.c#L92
/*
* Determine server name
*/
server_name = strrchr( SC_SERVER(scp), '/' ) ;
if ( server_name == NULL )
server_name = SC_SERVER(scp) ;
else
server_name++ ; /* skip the '/' */
/*
* Place it in argv[ 0 ]
*/
SC_SERVER_ARGV(scp)[ 0 ] = new_string( server_name ) ;
I think what xinetd is doing here is perhaps a little silly, but it's
also quite widely deployed. Would something like the attached patch
make sense?
Alternatively, I wonder whether this code is in the wrong place
following the listener/session split. It would make a lot more sense
for sshd-session to be pedantic about how it's executed, instead of
sshd, especially given that the check was previously only applied in
re-exec mode.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list