Bug 2874

Summary: Privilege-dropping fails on some container systems
Product: Portable OpenSSH Reporter: Nicko van Someren <nicko>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: major CC: dtucker
Priority: P5    
Version: -current   
Hardware: All   
OS: Linux   
Bug Depends on:    
Bug Blocks: 2852    
Attachments:
Description Flags
PRIV_{START_END}: check if seteuid calls are needed before calling none

Description Nicko van Someren 2018-06-05 06:44:07 AEST 
The main() function for in ssh.c calls PRIV_END even when the user is unprivileged to start with. On several cloud 'Function as a service' platforms, including AWS Lambda and Heroku, this fails with with an "Operation not permitted" error.

This appears to be to do with the way that sandboxing capabilities of these platforms restrict calls to seteuid() and the state of the real, effective and saved user IDs.

It would be helpful if the PRIV_END and PRIV_START calls checked if there were any privileges to drop or gain and not call seteuid() if there is no privilege to be dropped.
Comment 1 Darren Tucker 2018-07-06 13:37:15 AEST 
Created attachment 3162 [details]
PRIV_{START_END}: check if seteuid calls are needed before calling
Comment 2 Darren Tucker 2018-07-06 13:37:39 AEST 
does this work for you?
Comment 3 Darren Tucker 2018-07-06 14:35:02 AEST 
Looking at the specification for seteuid it looks like those platforms are not compliant.   IEEE Std 1003.1 both 2004 and 2018 Editions specify the following reasons for seteuid to fail:

The seteuid() function shall fail if:

[EINVAL]
The value of the uid argument is invalid and is not supported by the implementation.
[EPERM]
The process does not have appropriate privileges and uid does not match the real user ID or the saved set-user-ID.

Neither of those seem to be applicable in this case though.

It makes me wonder if there any reason to still support ssh being setuid at all these days.  Certainly the only use cases I can think of are long dead.
Comment 4 Darren Tucker 2018-07-19 22:50:40 AEST 
The PRIV_START/PRIV_END code has been removed entirely including the setuid calls which should fix your issue:
https://github.com/openssh/openssh-portable/commit/258dc8bb07dfb35a46e52b0822a2c5b7027df60a

This will be in the 7.8 release.

Thanks.
Comment 5 Damien Miller 2018-10-19 17:17:23 AEDT 
Close RESOLVED bugs with the release of openssh-8.0