Bug 2092 - AuthorizedKeysCommand: bad ownership or modes for file
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 6.2p1
Hardware: amd64 Linux
Importance: P5 minor
Assignee: Assigned to nobody
Blocks: V_6_3
Reported: 2013-04-16 01:45 AEST by descala
Modified: 2023-01-13 13:38 AEDT

Attachments
Patch uid in auth2-pubkey.c (391 bytes, patch)
2013-04-16 01:45 AEST, descala
Document requirement for root-ownership of AuthorizedKeysCommand (826 bytes, patch)
2013-04-17 09:43 AEST, Damien Miller

Description descala 2013-04-16 01:45:33 AEST
Created attachment 2245
Patch uid in auth2-pubkey.c

If AuthorizedKeysCommandUser is set to a non-root user, AuthorizedKeysCommand is always reported as unsafe:

debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Unsafe AuthorizedKeysCommand: bad ownership or modes for file /xxx
debug1: restore_uid: 0/0

The bug is easily fixed with the attached patch.
Comment 1 Damien Miller 2013-04-16 11:08:16 AEST
What are the ownership and modes of the file in question?
Comment 2 Darren Tucker 2013-04-16 12:01:18 AEST
And what is AuthorizedKeysCommandUser set to?
Comment 3 descala 2013-04-16 15:35:48 AEST
The issue is that, given any non-root user for AuthorizedKeysCommandUser and any combination of file permissions, I am not able to avoid "bad ownership or modes for file".

An instance of this behavior:

AuthorizedKeysCommand /test.sh
AuthorizedKeysCommandUser user

Set owner to user.user and file permissions to 0500.
Comment 4 Damien Miller 2013-04-17 09:43:44 AEST
Created attachment 2248
Document requirement for root-ownership of AuthorizedKeysCommand

Requiring the command to be root-owned was intentional, but I realise that I failed to document that. This patch fixes the manual page to reflect this.
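The ownership requirement discussed in this thread can be checked on a host before sshd is pointed at a helper script. This is an added example, not part of the bug thread or OpenSSH's own code: the function names are hypothetical, and the group/world-writable test and the walk over every parent directory are assumptions about sshd's path-safety check rather than details stated on this page.

```python
import os
import stat
import sys


def entry_problem(st_uid, st_mode, required_uid=0):
    """Return a reason string if one path component fails the check, else None."""
    if st_uid != required_uid:
        return f"owned by uid {st_uid}, expected uid {required_uid}"
    if st_mode & 0o022:  # assumption: group- or world-writable is rejected
        return f"mode {stat.S_IMODE(st_mode):04o} is group- or world-writable"
    return None


def check_command_path(path, required_uid=0):
    """Check the command file and every parent directory up to /.

    Returns a list of (path, kind, reason); an empty list means the path passes.
    """
    problems = []
    current = os.path.realpath(path)  # resolve symlinks before checking
    st = os.stat(current)
    if not stat.S_ISREG(st.st_mode):
        problems.append((current, "file", "not a regular file"))
    reason = entry_problem(st.st_uid, st.st_mode, required_uid)
    if reason:
        problems.append((current, "file", reason))
    # Assumption: each parent directory must pass the same test.
    while current != os.path.dirname(current):
        current = os.path.dirname(current)
        st = os.stat(current)
        reason = entry_problem(st.st_uid, st.st_mode, required_uid)
        if reason:
            problems.append((current, "directory", reason))
    return problems


if __name__ == "__main__":
    # Constructed sample: the reporter's setup (owner uid 1000, mode 0500).
    print("reporter's file:", entry_problem(1000, 0o100500))
    # Paths given on the command line are checked against the real filesystem.
    for candidate in sys.argv[1:]:
        for where, kind, why in check_command_path(candidate):
            print(f"bad ownership or modes for {kind} {where}: {why}")
```

The `required_uid` parameter exists only so the check can be exercised as a non-root user; leave it at 0 to test for root ownership.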
Comment 5 Damien Miller 2013-04-19 11:00:36 AEST
Documentation updated.
Comment 6 Damien Miller 2015-08-11 23:03:48 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1