Solaris 2.5.1 dirname() bug in libgen.a affects OpenSSH2.9.9p2 auth.c

Dan Astoorian djast at
Wed Oct 17 05:36:42 EST 2001

I've discovered a problem with OpenSSH 2.9.9p2 under Solaris 2.5.1.

In auth.c, secure_filename() walks upwards toward the user's home
directory or the filesystem root, verifying that no directories along
the way are group or world writable.

Solaris 2.5.1's dirname() function has a bug where dirname("/.ssh")
returns an empty string instead of "/".

This causes secure_filename() to try to stat(""), fail, and report
"bad ownership or modes for directory ".

I discovered this when upgrading from 2.3.0p1 to 2.9.9p2: root was
unable to use RSA authentication because of it.

The bug is in Solaris 2.5.1, not OpenSSH, but it would be helpful if
OpenSSH could work around this bug.  As far as I've been able to
determine, no patch is available for Solaris 2.5.1.

The change I made to OpenSSH 2.9.9p2's auth.c to work around the problem
is attached.

Incidentally: it may be worth considering modifying the code to compare
the device/inode numbers of the directories, rather than the pathnames,
when determining whether the home directory has been reached.  If
pw->pw_dir contains a nonstandard construction (e.g., symbolic links,
extra slashes within the path, or something else that might be changed
by realpath()), the code might continue to walk upwards past the user's
home directory.

Thanks for your attention,

Dan Astoorian
Sysadmin, CSLab
djast at

People shouldn't think that it's better to have loved and lost than never
loved at all.  It's not, it's better to have loved and won.  All the other
options really suck.    --Dan Redican
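
The device/inode comparison suggested in the "Incidentally" paragraph above, as an added example in C that is not part of the original message or of OpenSSH. check_dir_chain() is a hypothetical helper: it assumes an absolute path, checks only directory modes (no ownership check), and maps an empty dirname() result to "/".

```c
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper, not OpenSSH code: 0 if no directory from file's parent
 * up to home (or "/") is group or world writable, else -1 with err filled. */
int check_dir_chain(const char *file, const char *home, char *err, size_t errlen)
{
	char buf[4096];		/* assumed upper bound on path length */
	struct stat st, hst;
	const char *cp;
	int have_home = (home != NULL && stat(home, &hst) == 0);

	if (file[0] != '/' || strlen(file) >= sizeof(buf)) {
		snprintf(err, errlen, "need an absolute path that fits the buffer");
		return -1;
	}
	strcpy(buf, file);
	for (;;) {
		cp = dirname(buf);	/* may edit buf or return static storage */
		if (cp == NULL) {
			snprintf(err, errlen, "dirname() failed");
			return -1;
		}
		if (cp[0] == '\0')	/* libgen bug case: "" returned for "/.ssh" */
			cp = "/";
		memmove(buf, cp, strlen(cp) + 1);	/* cp may point into buf */
		if (stat(buf, &st) < 0 || !S_ISDIR(st.st_mode) ||
		    (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
			snprintf(err, errlen, "bad modes for directory %s", buf);
			return -1;
		}
		/* Stop at the home directory by identity, not by spelling. */
		if (have_home && st.st_dev == hst.st_dev && st.st_ino == hst.st_ino)
			return 0;
		if (strcmp(buf, "/") == 0)
			return 0;
	}
}

int main(int argc, char **argv)
{
	char err[256] = "";
	int rc = argc > 2 ? check_dir_chain(argv[1], argv[2], err, sizeof(err)) : 2;

	puts(rc == 0 ? "ok" : rc == 2 ? "usage: prog file homedir" : err);
	return rc == 0 ? 0 : 1;
}
```

Because stat() follows symbolic links, a home directory given through a symlink or with extra slashes still matches the directory reached by the upward walk.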
-------------- next part --------------
*** /cs/3/src/openssh-2.9.9p2/auth.c	2001/10/16 18:24:09	1.1
--- /cs/3/src/openssh-2.9.9p2/auth.c	2001/10/16 19:23:33
*** 388,393 ****
--- 388,395 ----
  			snprintf(err, errlen, "dirname() failed");
  			return -1;
+ 		/* work around Solaris 2.5.1 libgen bug */
+ 		if (cp[0] == '\0') cp = "/";
  		strlcpy(buf, cp, sizeof(buf));
  		debug3("secure_filename: checking '%s'", buf);
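
Review bot: the added `if (cp[0] == '\0') cp = "/";` treats every empty dirname() result as the root directory, which is only right when the path handed to dirname() is absolute; for a relative single-component path the conventional result is ".", so the comment should state that the path is absolute at this point, or the code should test for it. The comment would also be more useful if it named the symptom (dirname("/.ssh") returning "" instead of "/") so the workaround can be recognised and retired later, and the assignment would read better on its own line than on the `if` line.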

More information about the openssh-unix-dev mailing list