Bug 2060

Summary: sshd tries to use chdir to users home directory as root
Product: Portable OpenSSH Reporter: Peter Gray <metadalek>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME    
Severity: normal CC: djm
Priority: P5    
Version: 6.1p1   
Hardware: SPARC   
OS: Solaris   

Description Peter Gray 2013-01-11 09:31:38 AEDT 
The chdir in session.c around line 1736 appears to be performed while sshd is running as the root user. This fails on systems where root does not have access to the users home directory. Examples are NFS mounted directories where the client machine does not have root trust (root user is mapped to nobody etc).

I think sshd should either change uid to the target user before this segment of code is executed and maintain euid root or vice versa. 

I will experiment with a fix myself.
Comment 1 Peter Gray 2013-01-11 11:31:13 AEDT 
More info:

This seems to occur only if use_login is set. If not, the uid has already been set to the target user and all works as expected.

One fix is if running as root, set the effective uid of the process to the target user before the call to chdir and reset euid to root after the rc files have been read. A better fix is to avoid the while chdir and rc file stuff if use_login is set.
Comment 2 Damien Miller 2020-01-25 17:53:06 AEDT 
UseLogin was deprecated some time ago, the only remaining chdir() definitely happens after privileges are dropped. The calls occur in the same function:

https://github.com/openssh/openssh-portable/blob/V_8_1_P1/session.c#L1546
https://github.com/openssh/openssh-portable/blob/V_8_1_P1/session.c#L1622
Comment 3 Damien Miller 2021-04-23 15:09:42 AEST 
closing resolved bugs as of 8.6p1 release