Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 162951 - ssh fails if uid == 0 and gid != 0
Summary: ssh fails if uid == 0 and gid != 0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-07-11 19:56 UTC by Charlie Brady
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version: RHSA-2005:527
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-24 07:33:31 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Charlie Brady 2005-07-11 19:56:30 UTC
Description of problem:

ssh fails if it is executed when uid is root and gid is non-root:

[root@test7 ~]# newgrp admin
[root@test7 ~]# id
uid=0(root) gid=101(admin)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@test7 ~]# ssh localhost
permanently_set_uid: was able to restore old [e]gid
[root@test7 ~]#

Version-Release number of selected component (if applicable):

[root@test7 ~]# rpm -q openssh
openssh-3.9p1-8.RHEL4.4
[root@test7 ~]#

How reproducible:

100%

Additional info:

This is fixed in openssh-4.1. This patch should fix it:

--- uidswap.c.orig      Mon Jul 11 15:31:49 2005
+++ uidswap.c   Mon Jul 11 15:33:52 2005
@@ -200,8 +200,8 @@
                fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
 #endif
  
-       /* Try restoration of GID if changed (test clearing of saved gid) */
-       if (old_gid != pw->pw_gid &&
+       /* Try restoration of GID if changed and running non-root (test clearing
of saved gid) */
+       if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
            (setgid(old_gid) != -1 || setegid(old_gid) != -1))
                fatal("%s: was able to restore old [e]gid", __func__);

Comment 1 Charlie Brady 2005-07-11 20:01:43 UTC
> This patch should fix it:

Yep, it does.

Comment 2 Tomas Mraz 2005-07-11 20:55:45 UTC
Known bug. Fix is already accepted.


Comment 3 Charlie Brady 2005-07-11 20:59:58 UTC
> Known bug.

If it's known, please provide a reference. The bug seems to be unknown to RH's
bugzilla.

Comment 4 Tomas Mraz 2005-07-11 21:21:34 UTC
It was reported internally so the bug report isn't visible.

I'm sorry if you took my answer as discouraging you from reporting the bug - it
wasn't meant so. I just wanted to state that the fix is already in works.


Comment 5 Charlie Brady 2005-07-11 21:25:34 UTC
> I just wanted to state that the fix is already in works.

Cool.

I'm curious as to why your internal bug reports (when not security sensite, at
least) aren't visible in Bugzilla.



Comment 6 Charlie Brady 2005-11-01 20:53:47 UTC
FTR, the fix is here:

...
* Wed Apr 20 2005 Tomas Mraz <tmraz@redhat.com> 3.9p1-8.RHEL4.5

- don't deadlock on exit with multiple X forwarded channels (#152432)
- allow ssh-ing from root account with nondefault group (#155220)

...


Note You need to log in before you can comment on or make changes to this bug.