Bug 3470 - Cannot run SSH with a different effective userid
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 9.0p1
Hardware: 68k All
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2022-08-12 10:21 AEST by John Bien
Modified: 2022-08-12 10:43 AEST

Description John Bien 2022-08-12 10:21:00 AEST
Trying to run ssh from a setuid application, but it always tries to use the .ssh directory for the real user (which it cannot read), instead of the effective user.

ssh.c is hard-coded to always use the UID to determine the home directory:
     pw = getpwuid(getuid());

Is there a security concern with allowing the user to specify their .ssh folder? Or at least use geteuid() instead of getuid()?

Documentation made me believe the homedir was based on the USER environment variable ("USER    Set to the path of the user's home directory"), but now I see the ENVIRONMENT section of the manpage specifies the variables it sets (unlike most ENVIRONMENT sections that mention variables that affect the operation).
Comment 1 Darren Tucker 2022-08-12 10:43:06 AEST
In the past, ssh(1) could be installed setuid root (for a couple of reasons mostly relating to hostbased and rhosts authentication).  Referencing home directories by environment variables under those conditions would be a potential security problem.

Rhosts auth is long gone, hostbased auth has used a small setuid helper (ssh-keysign) for many years, and a few years ago (in v7.8) we removed support for installing ssh as setuid.

So yes there was a reason for it, but that reason is no longer there.  Changing the behaviour would be a potentially incompatible change, however, so would need to be considered carefully.
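
The trade-off discussed in this thread, as an added example (not OpenSSH code and not written by either commenter): it resolves the home directory by real uid as ssh.c does, by effective uid as the report proposes, and from an environment value only when the process holds no credentials beyond the invoking user's. The names `env_is_trusted`, `passwd_home` and `pick_home` and the policy itself are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The environment comes from the invoking user, so it is only trustworthy
 * when the process holds no credentials beyond that user's own. */
static int env_is_trusted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* Home directory from the passwd database; 0 on success, -1 if unknown. */
static int passwd_home(uid_t uid, char *out, size_t outlen)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL || pw->pw_dir == NULL || strlen(pw->pw_dir) >= outlen)
        return -1;
    strcpy(out, pw->pw_dir);
    return 0;
}

/* Hypothetical policy: honour env_home only when trusted, otherwise fall
 * back to the passwd entry for `uid`. Returns 0 on success, -1 on failure. */
static int pick_home(const char *env_home, int trusted, uid_t uid,
                     char *out, size_t outlen)
{
    if (trusted && env_home != NULL && env_home[0] == '/' &&
        strlen(env_home) < outlen) {
        strcpy(out, env_home);
        return 0;
    }
    return passwd_home(uid, out, outlen);
}

int main(void)
{
    char real[4096], eff[4096], chosen[4096];
    int trusted = env_is_trusted(getuid(), geteuid(), getgid(), getegid());

    if (passwd_home(getuid(), real, sizeof real) == 0)
        printf("getpwuid(getuid()):  %s\n", real);   /* what ssh.c does */
    if (passwd_home(geteuid(), eff, sizeof eff) == 0)
        printf("getpwuid(geteuid()): %s\n", eff);    /* reporter's proposal */
    if (pick_home(getenv("HOME"), trusted, geteuid(), chosen, sizeof chosen) == 0)
        printf("env trusted=%d, chosen: %s\n", trusted, chosen);
    return 0;
}
```

Run from an ordinary shell, the first two lines match; they differ only when the binary runs with an effective uid other than the caller's, which is the case where the environment value is ignored.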