rmischke-dlr opened a new issue, #282: URL: https://github.com/apache/mina-sshd/issues/282
### Version

2.9.2

### Bug description

For SSHD 2.9.2, new code was added to restrict the host key file's permissions to the current user. The relevant code for Windows compares existing ACLs to the new file's owner, and only keeps them if the check in https://github.com/apache/mina-sshd/blob/1ccde6cdfe72adf13ef9dd49138434a74aabd784/sshd-common/src/main/java/org/apache/sshd/server/keyprovider/AbstractGeneratorHostKeyProvider.java#L304 is `true`. The expectation seems to be that the new file's UserPrincipal ("owner") always has a matching `ALLOW` ACL, so the owner would be the only one left with ALLOW permissions. However, we have encountered systems where this check is always `false`, resulting in a host key file that cannot be written to, and only deleted with admin permissions. We have written a small test program to compare the ACLs present on these systems; output will be attached below.

### Actual behavior

The code results in a host key file that has no permissions when viewed in Windows Explorer's file properties, and can only be deleted with admin permissions.

### Expected behavior

The code results in a host key file that is read/writable for the current user.
### Relevant log output

```shell
Example of two FAILING Windows 10 systems' ACLs; user names are placeholders, and the boolean output is the result of owner.equals(acl.principal()):
---
Owner: DLR\user_a (User)
ACL:
  Principal: VORDEFINIERT\Administratoren (Alias)
  Type: ALLOW
  Permissions: [EXECUTE, WRITE_ACL, READ_ATTRIBUTES, SYNCHRONIZE, WRITE_DATA, READ_ACL, WRITE_ATTRIBUTES, READ_NAMED_ATTRS, DELETE, WRITE_NAMED_ATTRS, DELETE_CHILD, APPEND_DATA, READ_DATA, WRITE_OWNER]
  Owner~Principal: false
ACL:
  Principal: NT-AUTORITÄT\SYSTEM (Well-known group)
  Type: ALLOW
  Permissions: [EXECUTE, WRITE_ACL, READ_ATTRIBUTES, SYNCHRONIZE, WRITE_DATA, READ_ACL, WRITE_ATTRIBUTES, READ_NAMED_ATTRS, DELETE, WRITE_NAMED_ATTRS, DELETE_CHILD, APPEND_DATA, READ_DATA, WRITE_OWNER]
  Owner~Principal: false
ACL:
  Principal: VORDEFINIERT\Benutzer (Alias)
  Type: ALLOW
  Permissions: [EXECUTE, READ_ATTRIBUTES, SYNCHRONIZE, READ_ACL, READ_NAMED_ATTRS, READ_DATA]
  Owner~Principal: false
ACL:
  Principal: NT-AUTORITÄT\Authentifizierte Benutzer (Well-known group)
  Type: ALLOW
  Permissions: [WRITE_NAMED_ATTRS, EXECUTE, READ_ATTRIBUTES, SYNCHRONIZE, APPEND_DATA, WRITE_DATA, READ_ACL, WRITE_ATTRIBUTES, READ_NAMED_ATTRS, READ_DATA, DELETE]
  Owner~Principal: false
---

Example of a SUCCEEDING Windows 10 system:
---
Owner: DLR\user_b (User)
ACL:
  Principal: NT-AUTORITÄT\SYSTEM (Well-known group)
  Type: ALLOW
  Permissions: [WRITE_NAMED_ATTRS, READ_DATA, SYNCHRONIZE, READ_ATTRIBUTES, WRITE_OWNER, DELETE_CHILD, APPEND_DATA, WRITE_ACL, WRITE_ATTRIBUTES, DELETE, WRITE_DATA, READ_NAMED_ATTRS, EXECUTE, READ_ACL]
  Owner~Principal: false
ACL:
  Principal: VORDEFINIERT\Administratoren (Alias)
  Type: ALLOW
  Permissions: [WRITE_NAMED_ATTRS, READ_DATA, SYNCHRONIZE, READ_ATTRIBUTES, WRITE_OWNER, DELETE_CHILD, APPEND_DATA, WRITE_ACL, WRITE_ATTRIBUTES, DELETE, WRITE_DATA, READ_NAMED_ATTRS, EXECUTE, READ_ACL]
  Owner~Principal: false
ACL:
  Principal: DLR\user_b (User)
  Type: ALLOW
  Permissions: [WRITE_NAMED_ATTRS, READ_DATA, SYNCHRONIZE, READ_ATTRIBUTES, WRITE_OWNER, DELETE_CHILD, APPEND_DATA, WRITE_ACL, WRITE_ATTRIBUTES, DELETE, WRITE_DATA, READ_NAMED_ATTRS, EXECUTE, READ_ACL]
  Owner~Principal: true
---

Example of a SUCCEEDING Windows Server system, running as administrator; here, the ownership was assigned to a group, which is also what passes the check, so the whole group would retain access; is this the intended result?
---
Owner: VORDEFINIERT\Administratoren (Alias)
ACL:
  Principal: NT-AUTORITÄT\SYSTEM (Well-known group)
  Type: ALLOW
  Permissions: [DELETE_CHILD, WRITE_DATA, READ_ATTRIBUTES, EXECUTE, READ_ACL, READ_DATA, DELETE, WRITE_OWNER, WRITE_ATTRIBUTES, READ_NAMED_ATTRS, APPEND_DATA, SYNCHRONIZE, WRITE_NAMED_ATTRS, WRITE_ACL]
  Owner~Principal: false
ACL:
  Principal: VORDEFINIERT\Administratoren (Alias)
  Type: ALLOW
  Permissions: [DELETE_CHILD, WRITE_DATA, READ_ATTRIBUTES, EXECUTE, READ_ACL, READ_DATA, DELETE, WRITE_OWNER, WRITE_ATTRIBUTES, READ_NAMED_ATTRS, APPEND_DATA, SYNCHRONIZE, WRITE_NAMED_ATTRS, WRITE_ACL]
  Owner~Principal: true
ACL:
  Principal: WIN-redacted\Administrator (User)
  Type: ALLOW
  Permissions: [DELETE_CHILD, WRITE_DATA, READ_ATTRIBUTES, EXECUTE, READ_ACL, READ_DATA, DELETE, WRITE_OWNER, WRITE_ATTRIBUTES, READ_NAMED_ATTRS, APPEND_DATA, SYNCHRONIZE, WRITE_NAMED_ATTRS, WRITE_ACL]
  Owner~Principal: false
---
```

### Other information

_No response_
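The diagnostic the reporter describes, reconstructed as an added example (this is not the reporter's test program nor mina-sshd code): it dumps the owner and ACL of a file in the same `Owner~Principal` form as the output above, and additionally flags the failure condition of the issue, an ACL with no ALLOW entry whose principal equals the owner, which is exactly the case in which keeping only owner-matching entries strips every permission. The class name and the default `hostkey.ser` path are assumptions; pass the real host key path as the first argument.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.AclEntry;
import java.nio.file.attribute.AclEntryType;
import java.nio.file.attribute.AclFileAttributeView;
import java.nio.file.attribute.UserPrincipal;
import java.util.List;

public class AclOwnerCheck {

    /** True if at least one ALLOW entry's principal equals the file owner (the check the issue relies on). */
    static boolean ownerHasAllowEntry(UserPrincipal owner, List<AclEntry> acl) {
        for (AclEntry entry : acl) {
            if (entry.type() == AclEntryType.ALLOW && owner.equals(entry.principal())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Assumed default path; the real host key file location is deployment-specific.
        Path path = Paths.get(args.length > 0 ? args[0] : "hostkey.ser");
        AclFileAttributeView view = Files.getFileAttributeView(path, AclFileAttributeView.class);
        if (view == null) {
            System.err.println("No ACL view for " + path + " (not an NTFS/Windows file system?)");
            return;
        }
        UserPrincipal owner = view.getOwner();
        List<AclEntry> acl = view.getAcl();
        System.out.println("Owner: " + owner.getName());
        for (AclEntry entry : acl) {
            // Same fields as the reporter's output: principal, type, permissions, owner.equals(principal)
            System.out.println("ACL: Principal: " + entry.principal().getName()
                    + " Type: " + entry.type()
                    + " Permissions: " + entry.permissions()
                    + " Owner~Principal: " + owner.equals(entry.principal()));
        }
        if (!ownerHasAllowEntry(owner, acl)) {
            // This is the state of the FAILING systems above: filtering the ACL down to
            // owner-matching entries would leave the file with no permissions at all.
            System.out.println("WARNING: no ALLOW entry matches the owner " + owner.getName());
        }
    }
}
```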
