Bug#1077554: /usr/sbin/sshd: ssh server ChrootDirectory %h does not honor mount -o noexec

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1077554: /usr/sbin/sshd: ssh server ChrootDirectory %h does not honor mount -o noexec
From: Joshua Hudson <joshudson@gmail.com>
Date: Mon, 29 Jul 2024 15:45:57 -0700
Message-id: <[🔎] 172229315784.159785.946410132698064807.reportbug@cedlx.dexter2.cedaron>
Reply-to: Joshua Hudson <joshudson@gmail.com>, 1077554@bugs.debian.org

Package: openssh-server
Version: 1:9.2p1-2+deb12u3
Severity: normal
File: /usr/sbin/sshd

On a previous deploy, ops had configured something like

Subsystem sftp internal-sftp

Match Group filedrop
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no

That build of ssh seems to have a bunch of checks knocked out and
does not notice when you mess up the permissions on the .ssh folder.

On trying to test a replacement on a test server I found out this
configuration doesn't work. The test user is Uaaaa, has a home directory
of /u/Uaaaa, and /u is mounted noexec.

Documentation I found says this should work: https://unix.stackexchange.com/a/396684

Adding ForceCommand internal-sftp doesn't help. That's not the problem.

I'm pretty sure I could fix this by adding a statvfs() call to check
if the directory is noexec or not. Getting such a change approved is
harder than making it.

-- System Information:
Debian Release: 12.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-21-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                    3.134
ii  debconf [debconf-2.0]      1.5.82
ii  init-system-helpers        1.65.2
ii  libaudit1                  1:3.0.9-1
ii  libc6                      2.36-9+deb12u7
ii  libcom-err2                1.47.0-2
ii  libcrypt1                  1:4.4.33-2
ii  libgssapi-krb5-2           1.20.1-2+deb12u2
ii  libkrb5-3                  1.20.1-2+deb12u2
ii  libpam-modules             1.5.2-6+deb12u1
ii  libpam-runtime             1.5.2-6+deb12u1
ii  libpam0g                   1.5.2-6+deb12u1
ii  libselinux1                3.4-1+b6
ii  libssl3                    3.0.13-1~deb12u1
ii  libsystemd0                252.26-1~deb12u2
ii  libwrap0                   7.6.q-32
ii  lsb-base                   11.6
ii  openssh-client             1:9.2p1-2+deb12u3
ii  openssh-sftp-server        1:9.2p1-2+deb12u3
ii  procps                     2:4.0.2-3
ii  runit-helper               2.15.2
ii  sysvinit-utils [lsb-base]  3.06-4
ii  ucf                        3.0043+nmu1
ii  zlib1g                     1:1.2.13.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  252.26-1~deb12u2
ii  ncurses-term             6.4-4
ii  xauth                    1:1.1.2-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded

Reply to:

Follow-Ups:
- Bug#1077554:
  - From: Joshua Hudson <joshudson@gmail.com>

Prev by Date: Breaking News: Stephen Harper Surprising Disclosure
Next by Date: Processed: your mail
Previous by thread: Breaking News: Stephen Harper Surprising Disclosure
Next by thread: Bug#1077554:
Index(es):
- Date
- Thread