Bug 1532

Summary: SSH ignoring "StrictModes no"
Product: Portable OpenSSH Reporter: Marko Štamcar <marko>
Component: sftp-serverAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: normal CC: djm, zerbaugh
Priority: P3    
Version: 5.1p1   
Hardware: ix86   
OS: Linux   
URL: http://www.networksecurityarchive.org/html/Secure-Shell/2005-08/msg00058.html
Bug Depends on:    
Bug Blocks: 1626    

Description Marko Štamcar 2008-10-25 08:53:25 AEDT 
I'm posting a bug another user described so well I don't think I need to write my own description:

We have a very strange problem with SSH. It looks like sshd is ignoring
"StrictModes no" and still doing strict permission checking.
Can anyone give me some hint what the problem might be?

Problem:
As long as the various users directory (e.g. User XA302) is mode drwxr-sr-x
everything is fine. But if I change this to drwxrwsr-x SSH complains
"Authentication refused: bad ownership or modes for directory
/appl/chroot/cp/XA302". We need group write permission on /appl/chroot/cp/...
for our jobs which do further processing of the transfered files.
So I set "StrictModes no" in sshd_config. 
Does anyone have a similar problem or knows why SSH might possibly ignore
"StrictModes no"?
Comment 1 Damien Miller 2009-01-21 21:47:07 AEDT 
I can't replicate this. Please send a debug trace from the server ("sshd -ddd") failing to authenticate.
Comment 2 Damien Miller 2009-02-14 15:07:12 AEDT 
Hang on, are you talking about ChrootDirectory or authorized_keys?
Comment 3 Marko Štamcar 2009-02-15 02:07:13 AEDT 
We're talking about ChrootDirectory and the "new" internal-sftp feature in SSH.
Comment 4 Damien Miller 2009-02-15 17:45:12 AEDT 
StrictModes does not apply to ChrootDirectory.
Comment 5 zerbaugh 2009-07-02 00:43:58 AEST 
"StrictModes does not apply to ChrootDirectory."

Is that the intended behavior, or just the current state of things? It seems at odds with the man page, which states:

"StrictModes: Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login."
Comment 6 Damien Miller 2009-11-10 14:00:18 AEDT 
This is intentional, see https://bugzilla.redhat.com/show_bug.cgi?id=522141 for what happens when the checks are relaxed.

I have updated the manpage to clarify this.
Comment 7 Darren Tucker 2010-03-26 10:50:46 AEDT 
With the release of 5.4p1, this bug is now considered closed.