auth.c:secure_filename() ownership test continues past home directory

David Edelsohn dje at watson.ibm.com
Sat Nov 17 09:11:11 EST 2001


	My colleagues and I believe we have found a problem in the
auth.c:secure_filename() code which causes it to be more aggressive than
intended.  We first noticed the problem in OpenSSH-2.9.9.

	secure_filename() comments that the loop walking up the directory
components stops if it is past the home directory.  However, the filename
argument to the function is canonicalized with realpath() while the home
directory provided by the password entry never is canonicalized.  If the
password entry home directory is not the canonical path (automounted, for
example), then the component walk does not terminate until it has reached
the root directory, which is past the home directory.  If any component is
not owned by root, then the security check fails and public key
authentication is not allowed.

	This appears to be a stricter ownership requirement than what was
intended in the code.  Would you please consider canonicalizing the
password entry home directory within the function using realpath() for
accurate comparison to the filename argument?

Thanks, David
===============================================================================
David Edelsohn                                      T.J. Watson Research Center
dje at watson.ibm.com                                  P.O. Box 218
+1 914 945 4364 (TL 862)                            Yorktown Heights, NY 10598
