Hello,

I tried setting up sshd for chrooted login and sftp-only access. My /etc/ssh/sshd_config contains (among other stuff):

    Subsystem sftp /usr/lib/openssh/sftp-server
    Match User foo
        ChrootDirectory /srv/foo
        ForceCommand internal-sftp

The "Subsystem" option is set by default on Debian systems. The manual page says for "ForceCommand":

    Specifying a command of “internal-sftp” will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.

When I connect with sftp, sftp requests the subsystem 'sftp'. The output from sshd is:

    subsystem request for sftp
    subsystem: cannot stat /usr/lib/openssh/sftp-server: No such file or directory
    subsystem request for sftp failed, subsystem not found
    Connection closed by 127.0.0.1

Setting "Subsystem sftp internal-sftp" works around the problem, but that option is not allowed inside a Match block.

If the stat() call in session_subsystem_req succeeds, is_subsystem is set to SUBSYSTEM_EXT; then do_exec is called, which overrides this and sets is_subsystem = SUBSYSTEM_INT_SFTP. I believe that calling stat() on the external program and then calling the internal sftp handler is not intended behaviour.

Regards
Jörn Heissler
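The report above describes a configuration where the global "Subsystem sftp" line names an external binary while a Match block forces internal-sftp, and sshd stat()s the binary before the ForceCommand is considered. The following is an added example, not part of the bug report or of OpenSSH: a small POSIX sh lint that takes an sshd_config text plus a root directory (so it can be pointed at a staged tree rather than the live system) and reports whether that pre-5.4 failure would occur. The sample configs and the /usr/lib/openssh/sftp-server and /srv/foo paths are constructed from the report; the function names are my own.

```shell
#!/bin/sh
# Added example (not OpenSSH code): lint an sshd_config text for the pattern
# from the report. ROOT is prefixed to the Subsystem path so the existence
# check can run against a staged directory instead of the real filesystem.

# Constructed sample configs; paths are hypothetical.
CONFIG_EXTERNAL='Subsystem sftp /usr/lib/openssh/sftp-server
Match User foo
    ChrootDirectory /srv/foo
    ForceCommand internal-sftp
'
CONFIG_INTERNAL='Subsystem sftp internal-sftp
Match User foo
    ChrootDirectory /srv/foo
    ForceCommand internal-sftp
'

# sftp_subsystem_prog CONFIG: print the program named by the first
# "Subsystem sftp ..." line (sshd_config keywords are case-insensitive).
sftp_subsystem_prog() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "subsystem" && tolower($2) == "sftp" { print $3; exit }'
}

# forces_internal_sftp CONFIG: return 0 if any line reads
# "ForceCommand internal-sftp" (globally or inside a Match block).
forces_internal_sftp() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "forcecommand" && tolower($2) == "internal-sftp" { found = 1 }
        END { exit !found }'
}

# check_sftp_subsystem CONFIG ROOT: print a verdict and return
#   0 - Subsystem is internal-sftp, or the external binary exists under ROOT
#   1 - external binary missing; combined with ForceCommand internal-sftp this
#       is the "cannot stat ... subsystem not found" failure on sshd < 5.4
#   2 - no "Subsystem sftp" line at all
check_sftp_subsystem() {
    config="$1"
    root="${2:-}"
    prog=$(sftp_subsystem_prog "$config")
    if [ -z "$prog" ]; then
        echo "no 'Subsystem sftp' line: sftp requests will be refused"
        return 2
    fi
    if [ "$prog" = "internal-sftp" ]; then
        echo "Subsystem sftp is internal-sftp: no external binary is needed"
        return 0
    fi
    if [ -x "$root$prog" ]; then
        echo "external sftp-server present at $root$prog"
        return 0
    fi
    if forces_internal_sftp "$config"; then
        echo "MISSING $root$prog while ForceCommand internal-sftp is used:" \
             "sshd < 5.4 stat()s the binary first and closes the session"
    else
        echo "MISSING $root$prog: sftp subsystem requests will fail"
    fi
    return 1
}

# Demonstration against an empty staged root so nothing on the live system
# is consulted; the first call reproduces the report's situation.
demo_root=$(mktemp -d)
check_sftp_subsystem "$CONFIG_EXTERNAL" "$demo_root" || true
check_sftp_subsystem "$CONFIG_INTERNAL" "$demo_root" || true
rm -rf "$demo_root"
```

On a live host the same question can be asked of sshd itself with `sshd -T -C user=foo`, which prints the effective configuration for that user after Match processing; the lint above is only useful for catching the combination before deploying a config or when the target tree is staged elsewhere.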
look at this for 5.4
Created attachment 1697 [details]
downgrade error message on subsystem executable stat() failure to debug

I think we can downgrade the error to a warning, but I need to check. dtucker also points out that this will allow the use of subsystems on restricted shells that disallow absolute paths.
Comment on attachment 1697 [details] downgrade error message on subsystem executable stat() failure to debug >Index: session.c >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/session.c,v >retrieving revision 1.247 >diff -u -p -r1.247 session.c >--- session.c 6 Oct 2009 04:46:40 -0000 1.247 >+++ session.c 6 Oct 2009 04:54:18 -0000 >@@ -1717,11 +1717,10 @@ session_subsystem_req(Session *s) > cmd = options.subsystem_args[i]; > if (!strcmp(INTERNAL_SFTP_NAME, prog)) { > s->is_subsystem = SUBSYSTEM_INT_SFTP; >- } else if (stat(prog, &st) < 0) { >- error("subsystem: cannot stat %s: %s", prog, >- strerror(errno)); >- break; > } else { btw: unbalanced bracket >+ if (stat(prog, &st) < 0) { >+ debug("subsystem: cannot stat %s: %s", >+ prog, strerror(errno)); > s->is_subsystem = SUBSYSTEM_EXT; > } > debug("subsystem: exec() %s", cmd);
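Review bot: the added `+ if (stat(prog, &st) < 0) {` line opens a brace that no `+` line closes; read with the remaining context, the only `}` is the one that closed the `else`, so either the `else` block is left unterminated or, if that `}` is taken as closing the `if`, `s->is_subsystem = SUBSYSTEM_EXT;` runs only when stat() fails. Make the `if` a single-statement body (just the `debug()` call, no braces) or add a matching `}` after the `debug()` call, so the assignment runs on both paths. Secondary point: with `break;` gone, a missing binary is now reported only at debug level, which is what lets ForceCommand internal-sftp and restricted shells proceed, but it also means a genuinely misconfigured absolute path surfaces only as a later exec failure; the commit message should record that trade-off.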
This has been committed and will be in 5.4. Thanks for the report.
With the release of 5.4p1, this bug is now considered closed.