Bug#581697: allows group-writable files owned by random groups

2010-05-22 Thread Colin Watson
On Sat, May 15, 2010 at 11:58:50AM -0400, Joey Hess wrote:
> Colin Watson wrote:
> > Are you sure you aren't a member of group games?
>
> I am not a member of games. The games user, though, is, via /etc/passwd,
> not via /etc/group.
>
> j...@gnu:~getent group games
> games:x:60:
> j...@gnu:~getent passwd games
> games:x:5:60:games:/usr/games:/bin/sh
> j...@gnu:~sudo -u games id
> uid=5(games) gid=60(games) groups=60(games)
>
> Shouldn't the passwd group membership also be checked?

Ah, fair point, I was only checking supplementary groups.  I'll fix
that, thanks.

> > A zero-member group, or any random group containing only the user,
> > should clearly be fine in my book because the ownership of ~/.ssh/config
> > by that group doesn't permit any other user to write to the file.
>
> I think that zero-member groups are typically used by sgid binaries,
> so assuming no one else can access them is not entirely safe.

You've persuaded me.  The next upload of openssh will only permit groups
with exactly one member.

-- 
Colin Watson   [cjwat...@debian.org]



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
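The rule the thread settles on, as an added Python model (not OpenSSH's or Debian's own code): a group-writable ~/.ssh/config is trusted only when the owning group has exactly one member and that member is the user, where membership counts both the supplementary members in /etc/group and any account whose primary gid in /etc/passwd is that group. The passwd and group contents below are constructed to reproduce the games, nogroup and scanner cases from the report.

```python
import stat

# Constructed stand-ins for /etc/passwd and /etc/group (not from the reporter's
# machine): games has primary gid 60 but is absent from the games group line,
# and scanner lists two members, mirroring the cases in the bug report.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
joey:x:1000:1000:Joey:/home/joey:/bin/bash
saned:x:110:113:scanner:/var/lib/saned:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""
GROUP = """\
root:x:0:
games:x:60:
nogroup:x:65534:
joey:x:1000:
scanner:x:113:joey,alice
"""

def group_members(gid, passwd_text=PASSWD, group_text=GROUP):
    """Every account able to act with this gid: supplementary members from the
    group file plus accounts whose primary gid in the passwd file is gid.
    Reading the group file alone misses the primary-gid case (Joey's point)."""
    members = set()
    for line in group_text.splitlines():
        _name, _pw, g, mem = line.split(":")
        if int(g) == gid and mem:
            members.update(mem.split(","))
    for line in passwd_text.splitlines():
        name, _pw, _uid, g, *_rest = line.split(":")
        if int(g) == gid:
            members.add(name)
    return members

def config_file_is_safe(mode, file_uid, file_gid, user, user_uid,
                        passwd_text=PASSWD, group_text=GROUP):
    """Trust ~/.ssh/config only if nobody but the user (or root) can write it."""
    if file_uid not in (0, user_uid):
        return False                      # wrong owner
    if mode & stat.S_IWOTH:
        return False                      # world-writable
    if mode & stat.S_IWGRP:
        # Group-writable: accept only when the owning group has exactly one
        # member and it is the user. A zero-member group is rejected as well,
        # since an sgid binary may run with that gid.
        return group_members(file_gid, passwd_text, group_text) == {user}
    return True
```

With mode 0o664 (the -rw-rw-r-- files in the report), nogroup (no members), games (games via passwd) and scanner (two members) are all rejected, while a group whose only member is joey is accepted.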



Bug#581697: allows group-writable files owned by random groups

2010-05-15 Thread Colin Watson
On Fri, May 14, 2010 at 09:24:50PM -0400, Joey Hess wrote:
> I don't really understand the point of checking who can write to the
> file but assuming it's general paranoia, I think you weakened it too far
> with the user group patch.
>
> -rw-rw-r-- 1 joey nogroup 1099 Apr 15 19:37 config
> j...@gnu:~/.sshssh localhost echo oops
> oops
>
> -rw-rw-r-- 1 joey games 1.1K Apr 15 19:37 config
> j...@gnu:~/.sshssh localhost echo oops
> oops
>
> -rw-rw-r-- 1 joey scanner 1099 Apr 15 19:37 config
> j...@gnu:~/.sshssh localhost echo oops
> Bad owner or permissions on /home/joey/.ssh/config
>
> So, it looks like any group with 0 or 1 member is allowed to own the
> file, even if the user is not a member. (Here the scanner group has 2
> members.)

Are you sure you aren't a member of group games?

  $ getent group games
  games:x:60:cjwatson
  $ getent group ssl-cert
  ssl-cert:x:108:postgres
  $ sudo chgrp games ~/.ssh/config
  $ ssh localhost echo oops
  oops
  $ sudo chgrp ssl-cert ~/.ssh/config
  $ ssh localhost echo oops
  Bad owner or permissions on /home/cjwatson/.ssh/config

A zero-member group, or any random group containing only the user,
should clearly be fine in my book because the ownership of ~/.ssh/config
by that group doesn't permit any other user to write to the file.

-- 
Colin Watson   [cjwat...@debian.org]






Bug#581697: allows group-writable files owned by random groups

2010-05-15 Thread Joey Hess
Colin Watson wrote:
> On Fri, May 14, 2010 at 09:24:50PM -0400, Joey Hess wrote:
> > I don't really understand the point of checking who can write to the
> > file but assuming it's general paranoia, I think you weakened it too far
> > with the user group patch.
> >
> > -rw-rw-r-- 1 joey nogroup 1099 Apr 15 19:37 config
> > j...@gnu:~/.sshssh localhost echo oops
> > oops
> >
> > -rw-rw-r-- 1 joey games 1.1K Apr 15 19:37 config
> > j...@gnu:~/.sshssh localhost echo oops
> > oops
> >
> > -rw-rw-r-- 1 joey scanner 1099 Apr 15 19:37 config
> > j...@gnu:~/.sshssh localhost echo oops
> > Bad owner or permissions on /home/joey/.ssh/config
> >
> > So, it looks like any group with 0 or 1 member is allowed to own the
> > file, even if the user is not a member. (Here the scanner group has 2
> > members.)
>
> Are you sure you aren't a member of group games?

I am not a member of games. The games user, though, is, via /etc/passwd,
not via /etc/group.

j...@gnu:~getent group games
games:x:60:
j...@gnu:~getent passwd games
games:x:5:60:games:/usr/games:/bin/sh
j...@gnu:~sudo -u games id 
uid=5(games) gid=60(games) groups=60(games)

Shouldn't the passwd group membership also be checked?

> A zero-member group, or any random group containing only the user,
> should clearly be fine in my book because the ownership of ~/.ssh/config
> by that group doesn't permit any other user to write to the file.

I think that zero-member groups are typically used by sgid binaries,
so assuming no one else can access them is not entirely safe.

-- 
see shy jo




Bug#581697: allows group-writable files owned by random groups

2010-05-14 Thread Joey Hess
Package: openssh-client
Version: 1:5.5p1-3
Severity: normal

I don't really understand the point of checking who can write to the
file but assuming it's general paranoia, I think you weakened it too far
with the user group patch.

-rw-rw-r-- 1 joey nogroup 1099 Apr 15 19:37 config
j...@gnu:~/.sshssh localhost echo oops
oops

-rw-rw-r-- 1 joey games 1.1K Apr 15 19:37 config
j...@gnu:~/.sshssh localhost echo oops
oops

-rw-rw-r-- 1 joey scanner 1099 Apr 15 19:37 config
j...@gnu:~/.sshssh localhost echo oops
Bad owner or permissions on /home/joey/.ssh/config

So, it looks like any group with 0 or 1 member is allowed to own the
file, even if the user is not a member. (Here the scanner group has 2 members.)

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                3.112             add and remove users and groups
ii  debconf [debconf-2.0]  1.5.32            Debian configuration management sy
ii  dpkg                   1.15.7.1          Debian package management system
ii  libc6                  2.10.2-6          Embedded GNU C Library: Shared lib
ii  libedit2               2.11-20080614-1   BSD editline and history libraries
ii  libgssapi-krb5-2       1.8.1+dfsg-2      MIT Kerberos runtime libraries - k
ii  libssl0.9.8            0.9.8n-1          SSL shared libraries
ii  passwd                 1:4.1.4.2-1       change and administer password and
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1      list of default blacklisted OpenSS
ii  openssh-blacklist-extra  0.4.1      list of non-default blacklisted Op
ii  xauth                    1:1.0.4-1  X authentication utility

Versions of packages openssh-client suggests:
pn  keychain     <none>  (no description available)
pn  libpam-ssh   <none>  (no description available)
pn  ssh-askpass  <none>  (no description available)

-- no debconf information

-- 
see shy jo

