Call for testing: OpenSSH-6.2
Darren Tucker
dtucker at zip.com.au
Mon Mar 11 15:14:32 EST 2013
On Mon, Mar 11, 2013 at 01:28:20PM +1100, Darren Tucker wrote:
> Unsafe AuthorizedKeysCommand: bad ownership or modes for directory /var/run
>
> where /var/run and /var are owned by "bin" (uid 2)
Possible solution (note you'll need to run "autoreconf" to rebuild
configure, then run ./configure again).
djm, tim: wanted for release or not?
Index: auth.c
===================================================================
RCS file: /openssh_cvs/openssh/auth.c,v
retrieving revision 1.156
diff -u -r1.156 auth.c
--- auth.c 12 Feb 2013 00:02:28 -0000 1.156
+++ auth.c 11 Mar 2013 02:26:27 -0000
@@ -448,7 +448,7 @@
snprintf(err, errlen, "%s is not a regular file", buf);
return -1;
}
- if ((stp->st_uid != 0 && stp->st_uid != uid) ||
+ if ((!platform_system_uid(stp->st_uid) && stp->st_uid != uid) ||
(stp->st_mode & 022) != 0) {
snprintf(err, errlen, "bad ownership or modes for file %s",
buf);
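Review bot: auth.c now calls platform_system_uid(), but no hunk in this patch adds an include of platform.h to auth.c; if auth.c does not already include it, this builds with an implicit-declaration warning (and fails under -Werror). Also worth spelling out in the commit message: this widens the trust for the AuthorizedKeysCommand file itself, so on platforms that define PLATFORM_SYSTEM_UID a file owned by bin is accepted exactly as a root-owned one is. The `(stp->st_mode & 022) != 0` check is unchanged, so such a file still must not be group- or world-writable, which is the right property to keep.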
@@ -464,7 +464,7 @@
strlcpy(buf, cp, sizeof(buf));
if (stat(buf, &st) < 0 ||
- (st.st_uid != 0 && st.st_uid != uid) ||
+ (!platform_system_uid(st.st_uid) && st.st_uid != uid) ||
(st.st_mode & 022) != 0) {
snprintf(err, errlen,
"bad ownership or modes for directory %s", buf);
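Review bot: with `st.st_uid != 0` gone, nothing at this call site says why a non-root owner can be acceptable; a one-line comment above the stat() ("root, or the platform's system uid such as bin on AIX/HP-UX, may own directories on the path") would keep the intent visible. The directory walk gets the same widening as the file check, which matches the report (/var and /var/run owned by bin, uid 2) that the quoted error came from, so the two hunks are consistent with each other.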
Index: configure.ac
===================================================================
RCS file: /openssh_cvs/openssh/configure.ac,v
retrieving revision 1.513
diff -u -r1.513 configure.ac
--- configure.ac 8 Mar 2013 01:14:23 -0000 1.513
+++ configure.ac 11 Mar 2013 02:26:27 -0000
@@ -480,6 +480,7 @@
AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
[AIX 5.2 and 5.3 (and presumably newer) require this])
AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
+ AC_DEFINE([PLATFORM_SYSTEM_UID], 2, [System dirs owned by bin (uid 2)])
;;
*-*-cygwin*)
check_for_libcrypt_later=1
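Review bot: the value argument `2` is unbracketed while the neighbouring AC_DEFINEs bracket theirs (`[1]`); use `[2]` for consistency with the rest of configure.ac. More substantively, this hardcodes uid 2 at configure time on the assumption that bin is uid 2 on every AIX install; a runtime getpwnam("bin") lookup, or at least a configure-time override, would be more robust than a literal that configure never verifies.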
@@ -565,6 +566,7 @@
AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
[String used in /etc/passwd to denote locked account])
AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
+ AC_DEFINE([PLATFORM_SYSTEM_UID], 2, [System dirs owned by bin (uid 2)])
maildir="/var/mail"
LIBS="$LIBS -lsec"
AC_CHECK_LIB([xnet], [t_error], ,
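Review bot: this line is a verbatim copy of the AIX define above. If a third platform ever needs it the two will drift; setting a shell variable (e.g. `platform_system_uid=2`) in each case branch and issuing one AC_DEFINE after the case statement would keep a single definition. The `[2]` bracketing comment from the AIX hunk applies here as well.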
Index: platform.c
===================================================================
RCS file: /openssh_cvs/openssh/platform.c,v
retrieving revision 1.18
diff -u -r1.18 platform.c
--- platform.c 11 Jan 2011 06:02:25 -0000 1.18
+++ platform.c 11 Mar 2013 02:26:27 -0000
@@ -194,3 +194,15 @@
return NULL;
#endif
}
+
+int
+platform_system_uid(uid_t uid)
+{
+ if (uid == 0)
+ return 1;
+#ifdef PLATFORM_SYSTEM_UID
+ if (uid == PLATFORM_SYSTEM_UID)
+ return 1;
+#endif
+ return 0;
+}
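Review bot: platform_system_uid() has no comment describing its contract; add one stating that it returns nonzero for uids that sshd will accept as owners of files and directories it treats as system-controlled (root, plus the platform's bin uid where PLATFORM_SYSTEM_UID is defined), since callers in auth.c rely on exactly that meaning. Minor: `uid == PLATFORM_SYSTEM_UID` compares a uid_t against a plain integer literal; fine for 2, but casting `(uid_t)PLATFORM_SYSTEM_UID` avoids sign-compare warnings if a platform ever defines it differently.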
Index: platform.h
===================================================================
RCS file: /openssh_cvs/openssh/platform.h,v
retrieving revision 1.7
diff -u -r1.7 platform.h
--- platform.h 5 Nov 2010 03:47:01 -0000 1.7
+++ platform.h 11 Mar 2013 02:26:27 -0000
@@ -29,5 +29,4 @@
void platform_setusercontext_post_groups(struct passwd *);
char *platform_get_krb5_client(const char *);
char *platform_krb5_get_principal_name(const char *);
-
-
+int platform_system_uid(uid_t);
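Review bot: the new prototype uses uid_t, so platform.h now only compiles if <sys/types.h> has been included before it; if every includer pulls in includes.h first that holds, but an explicit `#include <sys/types.h>` at the top of platform.h would make the header self-contained. Dropping the two trailing blank lines is fine.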
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.