[Bug 805] scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
http://bugzilla.mindrot.org/show_bug.cgi?id=805

Summary: scp-ing using a regular user created files in ROOT directory which was NOT writable for that user
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: scp
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: wim.delvaux@adaptiveplanet.com


Command :

scp SomeLocalFile USER@Host:/ # in fact the / was a typo

Password for USER was given and entered

File was created .. under root of HOST. However ls -la of that ROOT directory showed
755 rights and owned by root. So USER is NOT allowed to write files there.

This can mean that any user can copy a file over the vmlinux kernel

This is a SEVERE error.

I do not know if other versions of ssh/scp are affected. My version is 2.6.1P2 (Debian SID)



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

------- Additional Comments From mouring@eviladmin.org 2004-03-03 13:13 -------
yume:~ mouring$ scp x mouring@SITE:/
Enter passphrase for key '/Users/mouring/.ssh/id_rsa':
scp: /x: Permission denied
yume:~ mouring$ ssh -V
OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f

I can't replicate this with Apple ssh (which is OpenSSH Portable + GSSAPI + security patches).

Plus somehow I doubt this bug is even valid since the remote 'scp' is run as USER@




------- Additional Comments From tim@multitalents.net 2004-03-03 13:16 -------
tim@uw713-UnixWare 210% ls -ld /
drwxr-xr-x 47 root sys 4096 Feb 26 03:26 /
tim@uw713-UnixWare 211% scp /tmp/x tim@localhost:/
tim@localhost's password:
scp: /x: Permission denied
tim@uw713-UnixWare 212% ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
tim@uw713-UnixWare 213%
tim@ibm365 52%

Can't duplicate here.




------- Additional Comments From djm@mindrot.org 2004-03-03 13:42 -------
Can you recreate with OpenSSH 3.8p1?




------- Additional Comments From dtucker@zip.com.au 2004-03-03 14:17 -------
Debian uses PAM by default, maybe it's a PAM-specific thing?

Wim, please record the output of "scp -vvv SomeLocalFile USER@Host:/; ssh
USER@Host ls -l /SomeLocalFile" and use "Create a New Attachment" to attach it
to this bug.

Also, if the bug is with the Debian-supplied package, have you reported it to
Debian?


