tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-31 01:35:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

administrators authorized keys file can have read permissions for other users. (#481)

Browse Source
This commit is contained in:
bagajjal 2021-03-09 10:02:51 -08:00 committed by GitHub
parent bc7adf5a84
commit 1a1a2ac5f1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
auth.c
View File

@ -527,7 +527,10 @@ auth_openfile(const char *file, struct passwd *pw, int strict_modes,
strerror(errno)); strerror(errno));
return NULL; return NULL;
} }
if (strict_modes && check_secure_file_permission(file, pw, 0) != 0) {
// read permissions for non-admin/non-system accounts are allowed.
// Unix does safe_path_fd() which allows 022 file permissions i.e., allowing read for other users.
if (strict_modes && check_secure_file_permission(file, pw, 1) != 0) {
fclose(f); fclose(f);
logit("Authentication refused."); logit("Authentication refused.");
auth_debug_add("Ignored %s", file_type); auth_debug_add("Ignored %s", file_type);

19
regress/pesterTests/Authorized_keys_fileperm.Tests.ps1
View File

@ -141,6 +141,21 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" {
$o | Should Be "1234" $o | Should Be "1234"
} }
It "$tC.$tI-authorized_keys-positive(other account can read authorized_keys file)" -skip:$skip {
#setup to have current user as owner and grant it full control
Repair-FilePermission -Filepath $authorizedkeyPath -Owner $objUserSid -FullAccessNeeded $adminsSid,$systemSid,$objUserSid -confirm:$false
#add $PwdUser to access the file authorized_keys
$objPwdUserSid = Get-UserSid -User $PwdUser
Set-FilePermission -FilePath $authorizedkeyPath -User $objPwdUserSid -Perm "Read"
#Run
Start-SSHDTestDaemon -workDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port
$o = ssh -p $port -E $sshlog $ssouser@$server echo 1234
Stop-SSHDTestDaemon -Port $port
$o | Should Be "1234"
}
It "$tC.$tI-authorized_keys-negative(authorized_keys is owned by other admin user)" -skip:$skip { It "$tC.$tI-authorized_keys-negative(authorized_keys is owned by other admin user)" -skip:$skip {
#setup to have current user (admin user) as owner and grant it full control #setup to have current user (admin user) as owner and grant it full control
Repair-FilePermission -Filepath $authorizedkeyPath -Owner $currentUserSid -FullAccessNeeded $adminsSid,$systemSid -confirm:$false Repair-FilePermission -Filepath $authorizedkeyPath -Owner $currentUserSid -FullAccessNeeded $adminsSid,$systemSid -confirm:$false
@ -154,13 +169,13 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" {
$sshdlog | Should Contain "Authentication refused." $sshdlog | Should Contain "Authentication refused."
} }
It "$tC.$tI-authorized_keys-negative(other account can access private key file)" -skip:$skip { It "$tC.$tI-authorized_keys-negative(other account has modify permissions to authorized_keys file)" -skip:$skip {
#setup to have current user as owner and grant it full control #setup to have current user as owner and grant it full control
Repair-FilePermission -Filepath $authorizedkeyPath -Owner $objUserSid -FullAccessNeeded $adminsSid,$systemSid,$objUserSid -confirm:$false Repair-FilePermission -Filepath $authorizedkeyPath -Owner $objUserSid -FullAccessNeeded $adminsSid,$systemSid,$objUserSid -confirm:$false
#add $PwdUser to access the file authorized_keys #add $PwdUser to access the file authorized_keys
$objPwdUserSid = Get-UserSid -User $PwdUser $objPwdUserSid = Get-UserSid -User $PwdUser
Set-FilePermission -FilePath $authorizedkeyPath -User $objPwdUserSid -Perm "Read" Set-FilePermission -FilePath $authorizedkeyPath -User $objPwdUserSid -Perm "Modify"
#Run #Run
Start-SSHDTestDaemon -workDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port Start-SSHDTestDaemon -workDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port