[openssh-commits] [openssh] 04/04: upstream: Check for and warn about StrictModes permission problems. ok tb@
git+noreply at mindrot.org
Thu Jan 23 15:49:25 AEDT 2020
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit 7e1323102b1b04eef391b01e180710a2d408a7ab
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date: Thu Jan 23 03:42:41 2020 +0000
upstream: Check for and warn about StrictModes permission problems. ok tb@
OpenBSD-Regress-ID: 4841704ccdee50ee7efc6035bc686695c6ac2991
---
regress/test-exec.sh | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index b448192e..c26e47f7 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.70 2020/01/21 08:06:27 djm Exp $
+# $OpenBSD: test-exec.sh,v 1.71 2020/01/23 03:42:41 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -444,6 +444,29 @@ EOF
# be abused to locally escalate privileges.
if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then
echo "StrictModes no" >> $OBJ/sshd_config
+else
+ # check and warn if excessive permissions are likely to cause failures.
+ unsafe=""
+ dir="${OBJ}"
+ while test ${dir} != "/"; do
+ perms=`ls -ld ${dir}`
+ case "${perms}" in
+ ?????w????*|????????w?*) unsafe="${unsafe} ${dir}" ;;
+ esac
+ dir=`dirname ${dir}`
+ done
+ if ! test -z "${unsafe}"; then
+ cat <<EOD
+
+WARNING: Unsafe (group or world writable) directory permissions found:
+${unsafe}
+
+These could be abused to locally escalate privileges. If you are
+sure that this is not a risk (eg there are no other users), you can
+bypass this check by setting TEST_SSH_UNSAFE_PERMISSIONS=1
+
+EOD
+ fi
fi
if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
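Review bot: the new loop in the else branch expands `${dir}` unquoted in `test ${dir} != "/"`, `ls -ld ${dir}` and `dirname ${dir}`, and it only terminates when the walk reaches "/". A path under `${OBJ}` that contains whitespace makes `test` fail with a syntax error, and if `${OBJ}` is ever relative, `dirname` settles on "." and the condition never becomes false, so the test run hangs. Suggest quoting each expansion, e.g. `while test "${dir}" != "/" -a "${dir}" != "."; do`, with `ls -ld "${dir}"` and `dirname "${dir}"` to match. Two smaller points: the loop exits before "/" itself is examined, and a short comment explaining that the `?????w????*|????????w?*` patterns match the group-write and other-write columns of the `ls -ld` mode string would help the next reader.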
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.