Your message dated Sat, 22 May 2010 23:02:28 +0000
with message-id <E1OFxi8-0007QT-38@ries.debian.org>
and subject line Bug#581697: fixed in openssh 1:5.5p1-4
has caused the Debian Bug report #581697,
regarding allows group-writable files owned by random groups
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
581697: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581697
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: allows group-writable files owned by random groups
- From: Joey Hess <joeyh@debian.org>
- Date: Fri, 14 May 2010 21:24:50 -0400
- Message-id: <[🔎] 20100515012450.GA4766@gnu.kitenet.net>
Package: openssh-client
Version: 1:5.5p1-3
Severity: normal

I don't really understand the point of checking who can write to the
file but assuming it's general paranoia, I think you weakened it too
far with the user group patch.

-rw-rw-r-- 1 joey nogroup 1099 Apr 15 19:37 config
joey@gnu:~/.ssh>ssh localhost echo oops
oops

-rw-rw-r-- 1 joey games 1.1K Apr 15 19:37 config
joey@gnu:~/.ssh>ssh localhost echo oops
oops

-rw-rw-r-- 1 joey scanner 1099 Apr 15 19:37 config
joey@gnu:~/.ssh>ssh localhost echo oops
Bad owner or permissions on /home/joey/.ssh/config

So, it looks like any group with 0 or 1 member is allowed to own the file,
even if the user is not a member. (Here the scanner group has 2 members.)

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                 3.112            add and remove users and groups
ii  debconf [debconf-2.0]   1.5.32           Debian configuration management sy
ii  dpkg                    1.15.7.1         Debian package management system
ii  libc6                   2.10.2-6         Embedded GNU C Library: Shared lib
ii  libedit2                2.11-20080614-1  BSD editline and history libraries
ii  libgssapi-krb5-2        1.8.1+dfsg-2     MIT Kerberos runtime libraries - k
ii  libssl0.9.8             0.9.8n-1         SSL shared libraries
ii  passwd                  1:4.1.4.2-1      change and administer password and
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-blacklist-extra 0.4.1            list of non-default blacklisted Op
ii  xauth                   1:1.0.4-1        X authentication utility

Versions of packages openssh-client suggests:
pn  keychain                <none>           (no description available)
pn  libpam-ssh              <none>           (no description available)
pn  ssh-askpass             <none>           (no description available)

-- no debconf information

--
see shy jo
--- End Message ---
--- Begin Message ---
- To: 581697-close@bugs.debian.org
- Subject: Bug#581697: fixed in openssh 1:5.5p1-4
- From: Colin Watson <cjwatson@debian.org>
- Date: Sat, 22 May 2010 23:02:28 +0000
- Message-id: <E1OFxi8-0007QT-38@ries.debian.org>
Source: openssh
Source-Version: 1:5.5p1-4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.5p1-4_i386.udeb
  to main/o/openssh/openssh-client-udeb_5.5p1-4_i386.udeb
openssh-client_5.5p1-4_i386.deb
  to main/o/openssh/openssh-client_5.5p1-4_i386.deb
openssh-server-udeb_5.5p1-4_i386.udeb
  to main/o/openssh/openssh-server-udeb_5.5p1-4_i386.udeb
openssh-server_5.5p1-4_i386.deb
  to main/o/openssh/openssh-server_5.5p1-4_i386.deb
openssh_5.5p1-4.debian.tar.gz
  to main/o/openssh/openssh_5.5p1-4.debian.tar.gz
openssh_5.5p1-4.dsc
  to main/o/openssh/openssh_5.5p1-4.dsc
ssh-askpass-gnome_5.5p1-4_i386.deb
  to main/o/openssh/ssh-askpass-gnome_5.5p1-4_i386.deb
ssh-krb5_5.5p1-4_all.deb
  to main/o/openssh/ssh-krb5_5.5p1-4_all.deb
ssh_5.5p1-4_all.deb
  to main/o/openssh/ssh_5.5p1-4_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 581697@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 May 2010 23:37:20 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:5.5p1-4
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 579843 581697 581919
Changes:
 openssh (1:5.5p1-4) unstable; urgency=low
 .
   [ Sebastian Andrzej Siewior ]
   * Add powerpcspe to architecture list for libselinux1-dev build-dependency
     (closes: #579843).
 .
   [ Colin Watson ]
   * Allow ~/.ssh/authorized_keys and other secure files to be group-writable,
     provided that the group in question contains only the file's owner; this
     extends a patch previously applied to ~/.ssh/config (closes: #581919).
   * Check primary group memberships as well as supplementary group
     memberships, and only allow group-writability by groups with exactly one
     member, as zero-member groups are typically used by setgid binaries rather
     than being user-private groups (closes: #581697).
--- End Message ---