Your message dated Thu, 28 Nov 2024 18:21:16 +0000 with message-id <[email protected]> and subject line Bug#1085868: Removed package(s) from unstable has caused the Debian Bug report #700053, regarding monkeysphere-authentication wrongly bypass filesystem ACLs when reading ~/.ssh/* to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 700053: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700053 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: monkeysphere Version: 0.35-2 Severity: normal monkeysphere-authentication reads ~/.ssh/* not as that user but as root. That commonly works because root ignores filesystem ACLs, but fails e.g. when $HOME is served with NFS exported with default root_squash option. To work properly in environments where ACLs apply also to root, monkeysphere needs to switch user before reading ~/.ssh/*, as that dir is private by default. Dkg wondered on irc if not OpenSSH "cheated" as well, to only switch user after authentication. But running OpenSSH with DEBUG enabled reveals that each client connection - before authentication completes - cuase a log entry like this: Feb 7 20:15:39 xayide sshd[32641]: debug1: temporarily_use_uid: 1000/1000 (e=0/0) Attached are proposed patches to fix this issue. * Perhaps better to switch user only once per account, running all checks as one single shell script? * Perhaps better to exec checkperms as account user? Currently works only with MONKEYSPHERE_STRICT_MODES=false which is arguably more risky than executing the relatively large checkperms perl script. - Jonas--- a/common +++ b/common @@ -118,6 +118,60 @@ esac } +# check if private file exists and has a size greater than zero +su_user_test_nonempty() { + # Simple filesystems let superuser bypass ACLs, but others like nfs + # and afs respects privacy and need to switch user to gain access to + # e.g. ssh config files which are private by default. + + user="$1" + shift + + case $(id -un) in + # if same user, check directly + "$user") + test -s "$1" + ;; + + # if root, su check as user + 'root') + su "$user" -c "test -s '$1'" + ;; + + # otherwise, fail + *) + log error "cannot check file as different non-privileged user." + ;; + esac +} + +# read private file +su_user_cat() { + # Simple filesystems let superuser bypass ACLs, but others like nfs + # and afs respects privacy and need to switch user to gain access to + # e.g. ssh config files which are private by default. + + user="$1" + shift + + case $(id -un) in + # if same user, cat directly + "$user") + cat -- "$1" + ;; + + # if root, su cat as user + 'root') + su "$user" -c "cat -- '$1'" + ;; + + # otherwise, fail + *) + log error "cannot read file as different non-privileged user." + ;; + esac +} + # cut out all comments(#) and blank lines from standard input meat() { grep -v -e "^[[:space:]]*#" -e '^$' "$1"--- a/ma/update_users +++ b/ma/update_users @@ -95,12 +95,12 @@ rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") if [ "$rawAuthorizedKeys" != 'none' ] ; then log debug "checking for raw authorized_keys..." - if [ -s "$rawAuthorizedKeys" ] ; then + if su_user_test_nonempty "$uname" "$rawAuthorizedKeys" ] ; then # check permissions on the authorized_keys file path if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then log verbose "adding raw authorized_keys..." - cat "$rawAuthorizedKeys" >> "$tmpAuthorizedKeys" + su_user_cat "$uname" "$rawAuthorizedKeys" >> "$tmpAuthorizedKeys" else log debug "not adding raw authorized_keys."
--- End Message ---
--- Begin Message ---Version: 0.43-3.1+rm Dear submitter, as the package monkeysphere has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/1085868 The version of this package that was in Debian prior to this removal can still be found using https://snapshot.debian.org/. Please note that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]. Debian distribution maintenance software pp. Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---
