
Bug#539030: marked as done (openssh-server: 'unpredictable' umask for remote users / depending on umask during (re)start)



Your message dated Fri, 31 Jul 2009 16:17:09 +0000
with message-id <E1MWun7-00038W-8g@ries.debian.org>
and subject line Bug#539030: fixed in openssh 1:5.1p1-7
has caused the Debian Bug report #539030,
regarding openssh-server: 'unpredictable' umask for remote users / depending on umask during (re)start
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
539030: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539030
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:5.1p1-5
Severity: important


Problem:
    It's difficult to create a predictable environment for restricted users
    (e.g. upload account for shared hosting).

Explanation:
    You are root. For some reason your current umask is e.g. 563. You don't pay
    attention to your current umask. You restart the OpenSSH Server by invoking
    "/etc/init.d/sshd restart". Now your weird umask applies to new remote
    users even if they are chrooted and restricted to internal-sftp. (E.g. some
    user connects with WinSCP, creates a folder and now its permissions are
    -w- --x r--).

    Configuration (/etc/ssh/sshd_config):
      | [...]
      | Match Group sftponly
      |     ChrootDirectory /home-restricted/%u
      |     X11Forwarding no
      |     AllowTcpForwarding no
      |     ForceCommand internal-sftp

Suggestion:
    Add "umask 022" to the init-script or ask the OpenSSH team to provide
    a 'default umask' option.


-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-4-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser         3.110                    add and remove users and groups
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  dpkg            1.14.25                  Debian package management system
ii  libc6           2.7-18                   GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  libpam-modules  1.0.1-5+lenny1           Pluggable Authentication Modules f
ii  libpam-runtime  1.0.1-5+lenny1           Runtime support for the PAM librar
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libselinux1     2.0.65-5                 SELinux shared libraries
ii  libssl0.9.8     0.9.8g-15+lenny1         SSL shared libraries
ii  libwrap0        7.6.q-16                 Wietse Venema's TCP wrappers libra
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  openssh-blackli 0.4.1                    list of default blacklisted OpenSS
ii  openssh-client  1:5.1p1-5                secure shell client, an rlogin/rsh
ii  procps          1:3.2.7-11               /proc file system utilities
ii  zlib1g          1:1.2.3.3.dfsg-12        compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.3-2  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:



--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:5.1p1-7

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.1p1-7_i386.udeb
  to pool/main/o/openssh/openssh-client-udeb_5.1p1-7_i386.udeb
openssh-client_5.1p1-7_i386.deb
  to pool/main/o/openssh/openssh-client_5.1p1-7_i386.deb
openssh-server-udeb_5.1p1-7_i386.udeb
  to pool/main/o/openssh/openssh-server-udeb_5.1p1-7_i386.udeb
openssh-server_5.1p1-7_i386.deb
  to pool/main/o/openssh/openssh-server_5.1p1-7_i386.deb
openssh_5.1p1-7.diff.gz
  to pool/main/o/openssh/openssh_5.1p1-7.diff.gz
openssh_5.1p1-7.dsc
  to pool/main/o/openssh/openssh_5.1p1-7.dsc
ssh-askpass-gnome_5.1p1-7_i386.deb
  to pool/main/o/openssh/ssh-askpass-gnome_5.1p1-7_i386.deb
ssh-krb5_5.1p1-7_all.deb
  to pool/main/o/openssh/ssh-krb5_5.1p1-7_all.deb
ssh_5.1p1-7_all.deb
  to pool/main/o/openssh/ssh_5.1p1-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 539030@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 31 Jul 2009 16:28:10 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:5.1p1-7
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 538301 539030
Changes: 
 openssh (1:5.1p1-7) unstable; urgency=low
 .
   * Update config.guess and config.sub from autotools-dev 20090611.1
     (closes: #538301).
   * Set umask to 022 in the init script as well as postinsts (closes:
     #539030).
   * Add ${misc:Depends} to keep Lintian happy.
   * Use 'which' rather than 'type' in maintainer scripts.
   * Upgrade to debhelper v7.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFKcxRj9t0zAhD6TNERAqLdAJ402+sBLT541BuUcDqSoX1AufezkgCdHk7v
SCZ/2nOn3oy2o2pi3lGStSc=
=uQex
-----END PGP SIGNATURE-----



--- End Message ---
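
The umask inheritance described in the report, and the effect of the "umask 022" line that 1:5.1p1-7 adds to the init script, as an added example that is not part of the original messages or of the Debian package. The functions serve_mkdir, mode_of and proc_umask are hypothetical names; a child `sh -c` stands in for the init script plus daemon, and GNU stat is assumed.

```shell
#!/bin/sh
# Added illustration (constructed): a stand-in for an init script starting a
# daemon that later creates a directory on behalf of a client, the way
# internal-sftp does for an SFTP mkdir. Assumes GNU stat and a POSIX sh.

# Print the octal permission bits of a path.
mode_of() { stat -c '%a' "$1"; }

# serve_mkdir ADMIN_UMASK INIT_UMASK
#   ADMIN_UMASK: umask of the root shell that runs the init script
#   INIT_UMASK:  umask the init script sets itself; "" models the unfixed script
# Prints the mode of the directory the stand-in daemon ends up creating.
serve_mkdir() {
    work=$(mktemp -d) || return 1
    (
        umask "$1"    # the administrator's interactive shell
        # The child inherits the parent's umask unless it sets its own
        # before creating anything; mkdir requests 0777 and the umask is
        # masked out of that.
        sh -c '[ -n "$1" ] && umask "$1"; mkdir "$2/upload"' \
            initscript "$2" "$work"
    )
    mode_of "$work/upload"
    rmdir "$work/upload" "$work"
}

# Umask of an already-running process, e.g. proc_umask "$(pidof -s sshd)".
# Linux exposes this field in /proc/PID/status from kernel 4.7 onwards.
proc_umask() { awk '/^Umask:/ {print $2}' "/proc/$1/status"; }

echo "unfixed init script, root umask 563: $(serve_mkdir 563 '')"
echo "init script sets umask 022:          $(serve_mkdir 563 022)"
```

The first line reproduces the -w- --x r-- directory from the report; the second shows the result once the script pins its own umask regardless of who restarts the service.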
