Bug#581697: allows group-writable files owned by random groups
On Sat, May 15, 2010 at 11:58:50AM -0400, Joey Hess wrote:
> Colin Watson wrote:
> > Are you sure you aren't a member of group games?
>
> I am not a member of games. The games user, though, is, via /etc/passwd.
> Not via /etc/group.
>
> j...@gnu:~>getent group games
> games:x:60:
> j...@gnu:~>getent passwd games
> games:x:5:60:games:/usr/games:/bin/sh
> j...@gnu:~>sudo -u games id
> uid=5(games) gid=60(games) groups=60(games)
>
> Shouldn't the passwd group membership also be checked?

Ah, fair point, I was only checking supplementary groups. I'll fix that,
thanks.

> > A zero-member group, or any random group containing only the user,
> > should clearly be fine in my book because the ownership of ~/.ssh/config
> > by that group doesn't permit any other user to write to the file.
>
> I think that zero-member groups are typically used by sgid binaries,
> so assuming no one else can access them is not entirely safe.

You've persuaded me. The next upload of openssh will only permit groups
with exactly one member.

-- 
Colin Watson [cjwat...@debian.org]

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
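A worked illustration of the rule the thread settles on, added here as an example (it is not code from the thread, from OpenSSH or from the Debian patch): effective group membership is computed from both the supplementary members in /etc/group and the primary gid in /etc/passwd, and a group-writable ~/.ssh/config is accepted only when that group has exactly one member and it is the file's owner. The passwd/group lines are constructed from the getent output in the thread; the function names are assumptions.

```python
# Added example: models the membership check discussed in Bug#581697.
# Constructed sample databases (assumed; shaped like the thread's getent output).
import stat
from typing import Dict, Set

PASSWD = """\
joey:x:1000:1000:Joey Hess:/home/joey:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
saned:x:110:117:SANE:/var/lib/saned:/bin/false
"""
GROUP = """\
joey:x:1000:
games:x:60:
scanner:x:117:joey,saned
nogroup:x:65534:
"""


def group_members(passwd: str, group: str) -> Dict[str, Set[str]]:
    """Map group name -> effective members: /etc/group list plus primary gids."""
    gid_to_name: Dict[str, str] = {}
    members: Dict[str, Set[str]] = {}
    for line in group.splitlines():
        name, _pw, gid, mem = line.split(":")
        gid_to_name[gid] = name
        members[name] = {m for m in mem.split(",") if m}
    for line in passwd.splitlines():
        user, _pw, _uid, gid, *_ = line.split(":")
        gname = gid_to_name.get(gid)
        if gname is not None:
            # primary-gid membership: the case the original check missed
            members[gname].add(user)
    return members


def config_mode_ok(mode: int, owner: str, group: str,
                   members: Dict[str, Set[str]]) -> bool:
    """Accept a config file only if no user other than the owner can write it."""
    if mode & stat.S_IWOTH:
        return False                     # world-writable is never acceptable
    if not (mode & stat.S_IWGRP):
        return True                      # not group-writable: owner-only write
    # group-writable: the group must have exactly one member, the owner
    # (a zero-member group is rejected, per the sgid-binary argument)
    return members.get(group, set()) == {owner}
```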
Bug#581697: allows group-writable files owned by random groups
Colin Watson wrote:
> On Fri, May 14, 2010 at 09:24:50PM -0400, Joey Hess wrote:
> > I don't really understand the point of checking who can write to the
> > file but assuming it's general paranoia, I think you weakened it too far
> > with the user group patch.
> >
> > -rw-rw-r-- 1 joey nogroup 1099 Apr 15 19:37 config
> > j...@gnu:~/.ssh>ssh localhost echo oops
> > oops
> >
> > -rw-rw-r-- 1 joey games 1.1K Apr 15 19:37 config
> > j...@gnu:~/.ssh>ssh localhost echo oops
> > oops
> >
> > -rw-rw-r-- 1 joey scanner 1099 Apr 15 19:37 config
> > j...@gnu:~/.ssh>ssh localhost echo oops
> > Bad owner or permissions on /home/joey/.ssh/config
> >
> > So, it looks like any group with 0 or 1 member is allowed to own the
> > file, even if the user is not a member. (Here the scanner group has 2
> > members.)
>
> Are you sure you aren't a member of group games?

I am not a member of games. The games user, though, is, via /etc/passwd.
Not via /etc/group.

j...@gnu:~>getent group games
games:x:60:
j...@gnu:~>getent passwd games
games:x:5:60:games:/usr/games:/bin/sh
j...@gnu:~>sudo -u games id
uid=5(games) gid=60(games) groups=60(games)

Shouldn't the passwd group membership also be checked?

> A zero-member group, or any random group containing only the user,
> should clearly be fine in my book because the ownership of ~/.ssh/config
> by that group doesn't permit any other user to write to the file.

I think that zero-member groups are typically used by sgid binaries,
so assuming no one else can access them is not entirely safe.

-- 
see shy jo
Bug#581697: allows group-writable files owned by random groups
On Fri, May 14, 2010 at 09:24:50PM -0400, Joey Hess wrote:
> I don't really understand the point of checking who can write to the
> file but assuming it's general paranoia, I think you weakened it too far
> with the user group patch.
>
> -rw-rw-r-- 1 joey nogroup 1099 Apr 15 19:37 config
> j...@gnu:~/.ssh>ssh localhost echo oops
> oops
>
> -rw-rw-r-- 1 joey games 1.1K Apr 15 19:37 config
> j...@gnu:~/.ssh>ssh localhost echo oops
> oops
>
> -rw-rw-r-- 1 joey scanner 1099 Apr 15 19:37 config
> j...@gnu:~/.ssh>ssh localhost echo oops
> Bad owner or permissions on /home/joey/.ssh/config
>
> So, it looks like any group with 0 or 1 member is allowed to own the
> file, even if the user is not a member. (Here the scanner group has 2
> members.)

Are you sure you aren't a member of group games?

$ getent group games
games:x:60:cjwatson
$ getent group ssl-cert
ssl-cert:x:108:postgres
$ sudo chgrp games ~/.ssh/config
$ ssh localhost echo oops
oops
$ sudo chgrp ssl-cert ~/.ssh/config
$ ssh localhost echo oops
Bad owner or permissions on /home/cjwatson/.ssh/config

A zero-member group, or any random group containing only the user,
should clearly be fine in my book because the ownership of ~/.ssh/config
by that group doesn't permit any other user to write to the file.

-- 
Colin Watson [cjwat...@debian.org]
Bug#581697: allows group-writable files owned by random groups
Package: openssh-client
Version: 1:5.5p1-3
Severity: normal

I don't really understand the point of checking who can write to the
file but assuming it's general paranoia, I think you weakened it too far
with the user group patch.

-rw-rw-r-- 1 joey nogroup 1099 Apr 15 19:37 config
j...@gnu:~/.ssh>ssh localhost echo oops
oops

-rw-rw-r-- 1 joey games 1.1K Apr 15 19:37 config
j...@gnu:~/.ssh>ssh localhost echo oops
oops

-rw-rw-r-- 1 joey scanner 1099 Apr 15 19:37 config
j...@gnu:~/.ssh>ssh localhost echo oops
Bad owner or permissions on /home/joey/.ssh/config

So, it looks like any group with 0 or 1 member is allowed to own the
file, even if the user is not a member. (Here the scanner group has 2
members.)

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                  3.112              add and remove users and groups
ii  debconf [debconf-2.0]    1.5.32             Debian configuration management sy
ii  dpkg                     1.15.7.1           Debian package management system
ii  libc6                    2.10.2-6           Embedded GNU C Library: Shared lib
ii  libedit2                 2.11-20080614-1    BSD editline and history libraries
ii  libgssapi-krb5-2         1.8.1+dfsg-2       MIT Kerberos runtime libraries - k
ii  libssl0.9.8              0.9.8n-1           SSL shared libraries
ii  passwd                   1:4.1.4.2-1        change and administer password and
ii  zlib1g                   1:1.2.3.4.dfsg-3   compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1              list of default blacklisted OpenSS
ii  openssh-blacklist-extra  0.4.1              list of non-default blacklisted Op
ii  xauth                    1:1.0.4-1          X authentication utility

Versions of packages openssh-client suggests:
pn  keychain                                    (no description available)
pn  libpam-ssh                                  (no description available)
pn  ssh-askpass                                 (no description available)

-- no debconf information

-- 
see shy jo