a trouble about filename authentication in 2.9.9p2
JINMEI Tatuya / 神明達哉
jinmei at isl.rdc.toshiba.co.jp
Wed Oct 3 15:38:00 EST 2001
Hello,

After upgrading OpenSSH to 2.9.9p2, I've found some trouble with public
key authentication with an sshd working on a Solaris 2.5.1 machine.
The server failed to validate the user's path in
auth.c:secure_filename(). There were actually two reasons for the
trouble:

1. the "realpath" of pw->pw_dir (that realpath() would return) was
   different from pw->pw_dir itself. Thus, comparing the directory
   name to each directory in the for loop of the function never
   succeeded.
2. Our Solaris box had its own dirname(), which returned an empty
   string for the root directory. So the stat() call in the for loop
   failed for the root directory.

I've attached a patch to fix problem 1 to this message. For
problem 2, we're using a quick patch to check the empty string in
secure_filename(), but I'm not sure if this is the correct fix. We
might rather use the shared dirname() in openbsd-compat/dirname.c. So
I've not included the quick hack for now.

I apologize in advance if this is a well-known issue and/or has
already been fixed.

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei at isl.rdc.toshiba.co.jp

p.s. I don't subscribe to the list, so if any of you need further
information or have questions on this issue, please include me in the
response explicitly. Thanks.

*** auth.c.orig Wed Oct 3 14:15:47 2001
--- auth.c Wed Oct 3 14:14:43 2001
***************
*** 363,369 ****
char *err, size_t errlen)
{
uid_t uid = pw->pw_uid;
! char buf[MAXPATHLEN];
char *cp;
struct stat st;
--- 363,369 ----
char *err, size_t errlen)
{
uid_t uid = pw->pw_uid;
! char buf[MAXPATHLEN], pwbuf[MAXPATHLEN];
char *cp;
struct stat st;
***************
*** 372,377 ****
--- 372,382 ----
strerror(errno));
return -1;
}
+ if (realpath(pw->pw_dir, pwbuf) == NULL) {
+ snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir,
+ strerror(errno));
+ return -1;
+ }
/* check the open file to avoid races */
if (fstat(fileno(f), &st) < 0 ||
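Review bot: the new realpath(pw->pw_dir, pwbuf) failure branch returns -1 before any ownership or mode check runs, so an account whose home directory is missing or cannot be resolved now fails the whole check, where the old code would simply have walked on without ever matching pw->pw_dir. If that hard failure is intended, a comment saying so would help; otherwise consider falling back to the unresolved pw->pw_dir for the later comparison when realpath() fails. The error text mirrors the preceding "realpath ... failed" message, which is good, but it may be worth making the two distinguishable (file versus home directory) for whoever reads the log.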
***************
*** 400,406 ****
}
/* If are passed the homedir then we can stop */
! if (strcmp(pw->pw_dir, buf) == 0) {
debug3("secure_filename: terminating check at '%s'",
buf);
break;
--- 405,411 ----
}
/* If are passed the homedir then we can stop */
! if (strcmp(pwbuf, buf) == 0) {
debug3("secure_filename: terminating check at '%s'",
buf);
break;
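The two failure modes described in the message can be reproduced with a simplified path walk. This is an added example, not code from the original post or from OpenSSH; `check_path_to_home()` and its `resolve_home` flag are hypothetical names introduced for illustration.

```c
/* Added illustration, not OpenSSH source; all names here are hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Walk from file's directory upward, requiring each directory to be owned
 * by uid or root and not group/world writable. Stop at the home directory
 * or at "/". resolve_home=0 compares against the raw passwd string (the
 * behaviour reported as problem 1); resolve_home=1 compares against its
 * realpath(). Returns 0 if the path is acceptable, -1 otherwise.
 */
int check_path_to_home(const char *file, const char *home, uid_t uid,
    int resolve_home, char *err, size_t errlen)
{
	char buf[PATH_MAX], homebuf[PATH_MAX], tmp[PATH_MAX];
	struct stat st;
	char *cp;

	if (realpath(file, buf) == NULL) {
		snprintf(err, errlen, "realpath %s failed: %s", file, strerror(errno));
		return -1;
	}
	if (!resolve_home)
		snprintf(homebuf, sizeof(homebuf), "%s", home);
	else if (realpath(home, homebuf) == NULL) {
		snprintf(err, errlen, "realpath %s failed: %s", home, strerror(errno));
		return -1;
	}
	for (;;) {
		snprintf(tmp, sizeof(tmp), "%s", buf);	/* dirname() may modify its argument */
		cp = dirname(tmp);
		/* Problem 2: treat an empty dirname() result as the root directory. */
		snprintf(buf, sizeof(buf), "%s", *cp == '\0' ? "/" : cp);
		if (stat(buf, &st) < 0 || (st.st_uid != 0 && st.st_uid != uid) ||
		    (st.st_mode & 022) != 0) {
			snprintf(err, errlen, "bad ownership or modes for directory %s", buf);
			return -1;
		}
		if (strcmp(homebuf, buf) == 0 || strcmp("/", buf) == 0)
			return 0;
	}
}
```

When the home directory is reached through a symlink, the unresolved comparison never matches, so the walk continues past the home directory and rejects the key file on the first group- or world-writable ancestor.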