
Bug#780797: openssh-server: modifies the user configuration
On 2015-03-20 00:09:48 +0100, Christoph Anton Mitterer wrote:
> On Thu, 2015-03-19 at 23:58 +0100, Vincent Lefevre wrote: 
> > But at least the user could use non-standard (thus unused by the
> > system) variables to pass information to the remote side (in my case,
> > I used LC_CHARMAP). After this change only the standard variables can
> > be passed, but one shouldn't use them to pass information other than
> > what these variables normally carry.
> Well but preventing this is the whole idea of AcceptEnv.
> If someone really needs it, it shouldn't be impossible to let the admin
> allow it (perhaps on a per-user basis), or to use a more appropriate way
> of passing information.

Unfortunately, some admins want to stick with Debian's default config
(even when this config has a well-known security vulnerability[*]).

[*] https://gforge.inria.fr/tracker/index.php?func=detail&aid=18743&group_id=1&atid=110

> > IMHO, this is silly. Passing information to the remote side is
> > useful, and completely safe as long as the environment variable
> > is not used by the system.
> Which you cannot really know whether there's anything which does.

The fact is that Debian doesn't use non-standard LC_* variables.

> > > and both are done for good reasons (security).
> > I don't see how the change could improve security.
> Just because you don't know a program which uses
> LC_ALLOW_ARBITRARY_ACCESS to allow "breaking out" the program doesn't
> mean there is none.

This doesn't happen in Debian. Or give some package name...

If there's a risk of security vulnerability, it probably comes from
the standard variables used by the system: by passing an invalid
value (with special characters, or a very long value), the user may
trigger a bug that might let him run arbitrary code. So, it would be
even better to disallow these standard variables.

And if you assume that a program can use LC_ALLOW_ARBITRARY_ACCESS
for some obscure reason, why not assume that a program can behave
in a special way with special values in standard locale variables?

> Stripping "unsafe" / "unknown" env vars is common practice for many
> programs (e.g. sudo, suexec and things like that).

But these utilities are used by the admin, who can already control
everything. By default, an end user cannot use sudo at all. On the
contrary, once openssh-server is installed, the user can connect
via ssh without a special config from the admin: concerning
AllowUsers, by default, login is allowed for all users. That is,
the default is permissive.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
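As an added illustration (not part of this bug report or of openssh-server), the script below applies AcceptEnv-style pattern matching to candidate variable names so an admin can see which ones a given directive lets through, e.g. that `LC_*` admits non-standard names such as LC_CHARMAP. The sshd_config excerpts are constructed, and it assumes sshd's AcceptEnv patterns understand only `*` and `?`.

```python
import re
from typing import Dict, Iterable, List

# Constructed sshd_config excerpts (not real files). The first mirrors the
# permissive "LANG LC_*" style discussed in the thread; the second lists the
# accepted variables explicitly instead of using a wildcard.
WILDCARD_CONFIG = """\
PermitRootLogin no
AcceptEnv LANG LC_*
"""
EXPLICIT_CONFIG = """\
PermitRootLogin no
AcceptEnv LANG LC_CTYPE LC_MESSAGES   # trailing comment is ignored
"""


def accept_env_patterns(config_text: str) -> List[str]:
    """Collect the patterns of every AcceptEnv line (sshd accumulates them)."""
    patterns: List[str] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "acceptenv":
            patterns.extend(parts[1:])
    return patterns


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumption: '*' matches any run, '?' one character, nothing else is special."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(f"^{body}$")


def is_accepted(name: str, patterns: Iterable[str]) -> bool:
    """True if the client-sent variable name matches any AcceptEnv pattern."""
    return any(pattern_to_regex(p).match(name) for p in patterns)


def audit(config_text: str, names: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate variable name to whether this config would accept it."""
    patterns = accept_env_patterns(config_text)
    return {name: is_accepted(name, patterns) for name in names}


if __name__ == "__main__":
    candidates = ["LANG", "LC_ALL", "LC_CHARMAP", "LC_ALLOW_ARBITRARY_ACCESS", "TERM"]
    for label, cfg in (("wildcard", WILDCARD_CONFIG), ("explicit", EXPLICIT_CONFIG)):
        print(label, audit(cfg, candidates))
```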