805 – scp-ing using a regular user created files in ROOT directory which was NOT writable for that user

Bug 805 - scp-ing using a regular user created files in ROOT directory which was NOT writable for that user

Summary: scp-ing using a regular user created files in ROOT directory which was NOT wr...

Status:	CLOSED WORKSFORME

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	scp (show other bugs)
Version:	3.6.1p2
Hardware:	ix86 Linux

Importance:	P2 security
Assignee:	OpenSSH Bugzilla mailing list

URL:
Keywords:

Depends on:
Blocks:

Reported:	2004-03-03 13:05 AEDT by wim delvaux
Modified:	2004-04-14 12:24 AEST (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description wim delvaux 2004-03-03 13:05:08 AEDT

Command : 
 
scp SomeLocalFile USER@Host:/ 	# in fact the / was a type-o 
 
Password for USER was given and entered 
 
File was created .. under root of HOST .  However ls -la of that ROOT directory showed 
755 rights and owned by root.  So USER is NOT allowed to write files there. 
 
This can mean that any user can copy a file over the vmlinux kernel 
 
This is a SEVER error. 
 
I do not know if other versions of ssh/scp are affected.  My version is 2.6.1P2 (Debian 
SID)

Comment 1 Ben Lindstrom 2004-03-03 13:13:04 AEDT

yume:~ mouring$ scp x mouring@SITE:/
Enter passphrase for key '/Users/mouring/.ssh/id_rsa': 
scp: /x: Permission denied
yume:~ mouring$ ssh -V
OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f

I can't replicate this with Apple ssh (which is OpenSSH Portable + GSSAPI + security patches).  

Plus somehow I doubt this bug is even valid since the remote 'scp' is ran as USER@

Comment 2 Tim Rice 2004-03-03 13:16:07 AEDT

tim@uw713-UnixWare 210% ls -ld /
drwxr-xr-x   47 root     sys            4096 Feb 26 03:26 /
tim@uw713-UnixWare 211% scp /tmp/x tim@localhost:/
tim@localhost's password:
scp: /x: Permission denied
tim@uw713-UnixWare 212% ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
tim@uw713-UnixWare 213%
tim@ibm365 52%

Can't duplicate here.

Comment 3 Damien Miller 2004-03-03 13:42:50 AEDT

Can you recreate with OpenSSH 3.8p1?

Comment 4 Darren Tucker 2004-03-03 14:17:19 AEDT

Debian uses PAM by default, maybe it's a PAM-specific thing?

Wim, please record the output of "scp -vvv SomeLocalFile USER@Host:/; ssh
USER@Host ls -l /SomeLocalFile" and use "Create a New Attachment" to attach it
to this bug.

Also, if the bug is with the Debian-supplied package, have you reported it to
Debian?

Comment 5 Colin Watson 2004-03-30 20:56:55 AEST

On Debian with ssh 3.8p1-2:

  [cjwatson@cairhien ~]$ ls -l foo
  -rw-r--r--    1 cjwatson cjwatson        0 Mar 30 11:30 foo
  [cjwatson@cairhien ~]$ ls -ld /
  drwxr-xr-x   23 root     root         4096 Mar 22 02:47 /
  [cjwatson@cairhien ~]$ scp foo cjwatson@localhost:/
  scp: /foo: Permission denied

I can't think of anything PAM-related that might cause this.

Comment 6 Darren Tucker 2004-03-30 21:27:47 AEST

Since none of us can reproduce this, without the debugging info there's nothing
else we can do.  Please reopen if you have the debugging to attach.  (Thanks Colin).

Comment 7 Markus Friedl 2004-03-30 22:17:33 AEST

i've seen people installing scp setuid root.

then things like this happen.

Comment 8 Damien Miller 2004-04-14 12:24:20 AEST

Mass change of RESOLVED bugs to CLOSED