scp creating root files
Folks,

I noticed that whenever I scp'ed a file to my test server (running OpenSSH
2.1.0p2, and then tested with p3) it was created owned by root.

/home/me $ ls -al .profile
-rwx------ 1 me group 1056 Jan 18 1999 .profile
/home/me $ scp .profile me@server:test
me@server's password:
.profile 100% |*********************************************************************************| 508 00:00

/home/me $ ls -al test
-rwx------ 1 root system 1056 Jun 2 15:37 test

This is the same whether I force protocol version 1.5 or 2. The same also
occurs using DSA authentication. Can someone check to see if they can
reproduce this? The following appears in verbose output:

Sending file modes: C0700 508 .profile

The file mode is always correct but the user is always wrong (I don't
allow direct root access to servers).

Any ideas?
--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions

douglas.manton@uk.ibm.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"
Re: scp creating root files
> Sending file modes: C0700 508 .profile
>
> The file mode is always correct but the user is always wrong (I don't
> allow direct root access to servers).

Is your UID the same on both

--
Pekka Savola "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi not those you stumble over and fall"
Re: scp creating root files
> Is your UID the same on both

Yes and no. I repeated the test locally:

scp .profile me@localhost:test

and get the same result.


--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions

douglas.manton@uk.ibm.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"
Re: scp creating root files
Is your scp, ssh, or sshd SUID root?

naz
Re: scp creating root files
> Is your scp, ssh, or sshd SUID root?

Nope. All mode 755.

I have noticed that all commands executed via ssh run as root.

ssh -l me localhost touch test

/home/me $ ls -l test
-rw-r--r-- 1 root system 0 Jun 2 17:18 test


I have also discovered that the problem goes away when UseLogin is set to
"no"! Changing line 834 in session.c to:

if (command != NULL || !options.use_login) {

solves the problem for me.


--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions

douglas.manton@uk.ibm.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"
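
Added example (not part of the original post or of OpenSSH): a shell audit for the UseLogin setting identified in the message above, plus the ownership check that was done by hand with ls. It assumes the parsing rules documented in sshd_config(5) (case-insensitive keywords, first value read wins, default "no"); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config for the UseLogin
# setting and checks the numeric owner of a file created over ssh.

# Print the effective UseLogin value for the config file in $1.
# Assumption (sshd_config(5)): keywords are case-insensitive, the first
# value read for a keyword is the one used, and the default is "no".
effective_uselogin() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at blank or "="
            if (n == 0 || tolower(substr(line, 1, n - 1)) != "uselogin") next
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)     # drop the separator
            sub(/[ \t]+$/, "", val)             # drop trailing blanks
            gsub(/"/, "", val)                  # values may be quoted
            print tolower(val); found = 1; exit
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Return 0 if the numeric owner of file $1 is uid $2. This is the check made
# by hand in the thread with "ls -l test" after "ssh -l me localhost touch test".
owned_by_uid() {
    [ "$(ls -ldn "$1" | awk '{ print $3 }')" = "$2" ]
}

# Constructed sample config: the commented line is ignored, first value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#UseLogin no
Port 22
uselogin  yes
UseLogin no
EOF
echo "UseLogin effective value: $(effective_uselogin "$sample")"
rm -f "$sample"
```

On a server, point effective_uselogin at the sshd_config in use, and run owned_by_uid against a file created by a remote command with the uid the account should have.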
RE: scp creating root files
I am attempting to build OpenSSH on AIX in AFS environment.
I've succeeded in building Zlib and OpenSSL, but OpenSSH
insists that it needs krb.h, kafs.h, and perhaps libkrb. I have
not found any of these on this AIX machine (nor on others I've
checked).

The INSTALL document seems to insist that the --with-kerberos4
option is required for AFS (as is --with-AFS, of course).

If someone can explain exactly what is necessary, and where to
find it or how to obtain it, I would be most grateful. Thanks!

Bob Wakehouse
Robert.A.Wakehouse@intel.com
503-696-6325
Beaverton, OR
RE: scp creating root files
On Fri, 2 Jun 2000, Wakehouse, Robert A wrote:

> I've succeeded in building Zlib and OpenSSL, but OpenSSH
> insists that it needs krb.h, kafs.h, and perhaps libkrb. I have
> not found any of these on this AIX machine (nor on others I've
> checked).

you need the KTH krb4 distribution.

ftp://ftp.pdc.kth.se/pub/krb/src/

-d.

---
http://www.monkey.org/~dugsong/
Re: scp creating root files
On Fri, Jun 02, 2000 at 06:00:32PM +0100, douglas.manton@uk.ibm.com wrote:
> I have also discovered that the problem goes away when UseLogin is set to
> "no"! Changing line 834 in session.c to:

thanks!

UseLogin is not tested and very broken, please use this patch.
otherwise users can login with uid==0 if they use:
$ ssh host /bin/sh

-markus


Index: session.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/session.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- session.c 2000/05/31 06:36:40 1.16
+++ session.c 2000/06/05 19:53:40 1.17
@@ -746,6 +746,10 @@
extern char **environ;
struct stat st;
char *argv[10];
+
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;

f = fopen("/etc/nologin", "r");
if (f) {
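
Review bot: the added `if (options.use_login && command != NULL)` block overwrites the global `options.use_login` in place, so every later read of that flag in this process sees 0 instead of the configured value, and the visible lines do not show that this code only ever runs in a per-session child. Consider computing a local flag instead (for example `int use_login = options.use_login && command == NULL;`) and testing that below, or extend the comment to state that the write is confined to the child. The comment also says only when login(1) is called; it should record the consequence named in the message above, that without this reset a command session under UseLogin ends up with uid 0.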