scponlyc has SUID not set

Bug #51085 reported by Tillmann Falck
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
scponly (Debian) | Fix Released | Unknown | |
scponly (Ubuntu) | Invalid | Low | Unassigned |

Bug Description

The binary file (scponlyc) used for chrooted environments does not have the SUID bit enabled. This way nobody is able to log in, as the chroot cannot be performed with user privileges.

Installed package:
ii scponly 4.6-1 Restricts the commands available to scp- and sftp-users

Created a chrooted user with:
/usr/share/doc/scponly/setup_chroot/setup_chroot.sh.gz

---------- Messages in auth.log ----------------
Jun 27 09:21:03 vde sshd[16532]: Accepted password for USERXXX from XXX.XXX.XXX.XXX port 2475 ssh2
Jun 27 09:21:03 vde sshd[16534]: (pam_unix) session opened for user USERXXX by (uid=0)
Jun 27 09:21:03 vde sshd[16534]: subsystem request for sftp
Jun 27 09:21:03 vde scponly[16535]: chrooted binary in place, will chroot()
Jun 27 09:21:03 vde scponly[16535]: 3 arguments in total.
Jun 27 09:21:03 vde scponly[16535]: ^Iarg 0 is scponlyc
Jun 27 09:21:03 vde scponly[16535]: ^Iarg 1 is -c
Jun 27 09:21:03 vde scponly[16535]: ^Iarg 2 is /usr/lib/openssh/sftp-server
Jun 27 09:21:03 vde scponly[16535]: opened log at LOG_AUTHPRIV, opts 0x00000029
Jun 27 09:21:03 vde scponly[16535]: retrieved home directory of "/home/USERXXX" for user "USERXXX"
Jun 27 09:21:03 vde scponly[16535]: chrooting to dir: "/home/USERXXX"
Jun 27 09:21:04 vde scponly[16535]: chroot: Operation not permitted
Jun 27 09:21:04 vde scponly[16535]: couldn't chroot to /home/USERXXX [username: USERXXX(1003), IP/port: XXX.XXX.XXX.XXX 2475 22]
Jun 27 09:21:04 vde sshd[16534]: (pam_unix) session closed for user USERXXX
-------------------------------------------

Solution
chmod u+s /usr/sbin/scponlyc

Tags: epicfail sftp ssh
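
A triage check for the failure in this report, as an added example that is not part of the original bug report or of the scponly package: it extracts the affected user from the `couldn't chroot` log line and then checks the helper binary's setuid bit, owner and write permissions. The function names and exit codes are assumptions; the sample log lines are copied from the auth.log excerpt above.

```shell
#!/bin/sh
# Added example: triage for the "chroot: Operation not permitted" failure.
# Function names and exit codes are assumptions, not part of scponly.

# Constructed input: three lines copied from the auth.log excerpt in the report.
sample_log() {
cat <<'EOF'
Jun 27 09:21:03 vde scponly[16535]: chrooting to dir: "/home/USERXXX"
Jun 27 09:21:04 vde scponly[16535]: chroot: Operation not permitted
Jun 27 09:21:04 vde scponly[16535]: couldn't chroot to /home/USERXXX [username: USERXXX(1003), IP/port: XXX.XXX.XXX.XXX 2475 22]
EOF
}

# Read auth.log text on stdin; print "user pid" per failed scponly chroot.
chroot_failures() {
    sed -n 's/.* scponly\[\([0-9]*\)]: couldn.t chroot to .*\[username: \([^(]*\)(.*/\2 \1/p'
}

# Check a setuid chroot helper. Exit status:
#   0 ok, 1 setuid bit missing (the state reported here), 2 unexpected owner,
#   3 writable by group/other, 4 not a regular file.
check_chroot_helper() {
    helper=$1
    want_uid=${2:-0}   # chroot(2) needs root, so the setuid owner must be uid 0
    [ -f "$helper" ] || return 4
    [ -u "$helper" ] || return 1
    [ "$(stat -c %u "$helper")" = "$want_uid" ] || return 2
    mode=$(stat -c %a "$helper")           # octal mode, e.g. 4755
    [ $(( 0$mode & 022 )) -eq 0 ] || return 3
    return 0
}

sample_log | chroot_failures
rc=0
check_chroot_helper /usr/sbin/scponlyc || rc=$?
echo "check_chroot_helper /usr/sbin/scponlyc -> $rc"
```

Status 1 on `/usr/sbin/scponlyc` corresponds to the state described in this report; status 3 flags a setuid helper that other accounts could overwrite.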
Tillmann Falck (tfalck) wrote :

There is already a debconf question for file permissions that should be set on scponlyc. The problem is that it is not shown on installation (using defaults on (k)ubuntu). A dpkg-reconfigure scponly brings it up and solves the problem.

Please consider raising the importance of the corresponding debconf question (so that it is shown upon installation) as half of the package is unusable without it.

Tero Karvinen (karvinen+launchpad) wrote :

I tested this and noticed the same bug. Why package scponlyc at all without the suid flag? I think it should be installed so that it works, with the SUID set.

Tested with Ubuntu 6.06.1 LTS, scponly 4.6-1.

Changed in scponly:
status: Unknown → Unconfirmed
Changed in scponly:
importance: Undecided → Low
status: Unconfirmed → Confirmed
Albrecht Mühlenschulte (a7p) wrote :

I think the debconf-question importance should not be raised, and I am also against setting scponlyc suid by default. Imho there should be some information on this in /usr/share/doc/scponly ...

This problem is very easy to fix - there is just a decision needed how to handle this.

LimCore (limcore) wrote :

I also encountered this bug...

Best, ask user during installation of scponly about the SUID

While at it, asking user to confirm that he wants to RUN on BOOTUP the ssh server, would be also a nice thing to do for security/confirmation

Michael Heča (orgoj) wrote :

Same problem in 8.04.1, SUID is solution.

Kurt Huwig (k-huwig) wrote :

This bug does still exist in Intrepid.

LimCore (limcore) wrote :

This bug still exists, apparently 2.5 years is not enough time to chmod one file in Ubuntu.

This is an epicfail in security, as we lack 5 minutes of work to fix bug that makes an application useless (or at least far more secure - only non-chroot mode).

This is a security bug, as (without workaround) users are forced to allow system wide view access to SCP users.

LimCore (limcore) wrote :

Please set urgency to high and mark as security problem.

aivarotsing (aivar-mailer) wrote :

The bug is still there. Scponly is unusable by default in Debian Etch 32-bit 2.6.18-6 (updated today) before suid bit. Hours to fix, minutes to decide as unusable package. Scponly gives big value to Linux server or workstation box and there are only very very few acceptable ways to use it without chroot. I see only root may use it... But what purpose? Total points given to package implementation: 0, none, nicht, (), [], zero, {}...
This may also be a security risk - people like me, half-linuxmen, may risk exposing the computer to people/world by using scponly for fast problem resolution when scponlyc doesn't work... and forgetting or not thinking about the cd / possibility. Today a big amount of hacking is done by scripts/programs, so if there is a login available, they (robot, not they) send a script to test which folders are available with write and execute permissions. One half-stupid decision and you may be a terrorist :/
Debian is today better than ever, let's take some more steps! Moving ass is sometimes simpler than mind but let's try! The mind!

x127 (hq-ks) wrote :

I agree with the previous posters.

I have currently 29 suid binaries installed, including stuff like pulseaudio. I was asked for exactly zero of these if I would want them suid during installation.

Barring serious security holes in scponlyc, I think shipping it broken will decrease overall user security.

Furthermore, I came across this bug by chance. It did not even occur to me that my shiny new Ubuntu might ship packages broken by default, so I tried figuring out my mistake. The time saved for the scponly users by not asking them about scponlyc is more than offset by the time spent by would-be scponlyc users trying to debug their setup.

If you totally must ship scponly broken without asking the user (who btw specifically wanted that package. It is not like there are many packages which depend on scponly), please at least change the manpage to reflect that.

I did not even find it mentioned in the documentation. Just add a "Due to security concerns, scponlyc is broken by default in Debian and Ubuntu. To use it run chmod u+s /usr/sbin/scponlyc." to the manpage. If it was documented behaviour, I doubt anyone here would be enraged by this bug.

I should not have to visit the upstream site of a package to learn about problems of said package in my distribution.

Then again, it would be probably more useful to complain about this bug to the Debian developers.

Changed in scponly (Debian):
status: New → Fix Released
Phillip Susi (psusi) wrote :

This package has been removed from Ubuntu. Closing all related bugs.

Changed in scponly (Ubuntu):
status: Confirmed → Invalid