Opened 7 years ago

Closed 7 years ago

#5320 closed defect (fixed)

ssh reports "bad ownership or modes for directory /home/olpc"

Reported by: MitchellNCharity Owned by: cscott
Priority: high Milestone: 8.2.0 (was Update.2)
Component: distro Version:
Keywords: rainbow-integration Cc: ffm, cscott, mstone
Blocked By: #5626 Blocking:
Deployments affected: Action Needed:
Verified: no

Description

Joyride 1366 (Dec 04).

Under qemu, ssh'ing in as olpc, using a key and a ~olpc/.ssh/authorized_keys, now fails with

Dec 4 15:57:09 localhost sshd[1492]: Authentication refused: bad ownership or modes for directory /home/olpc

in /var/log/secure.

root still works. olpc used to.

# ls -ld /home/olpc
drwxrwxr-x 9 olpc olpc 4096 Dec 4 15:57 /home/olpc

# ls -la /home/olpc/.ssh/
total 16
drwx------ 2 olpc olpc 4096 Dec 4 15:12 .
drwxrwxr-x 9 olpc olpc 4096 Dec 4 15:57 ..
-rw------- 1 olpc olpc 412 Dec 4 15:12 authorized_keys

Change History (19)

comment:1 Changed 7 years ago by cscott

  • Owner changed from jg to mstone

This is probably related to #4928.

comment:2 Changed 7 years ago by jg

  • Keywords rainbow-integration added
  • Milestone changed from Never Assigned to Update.1

comment:3 Changed 7 years ago by bernie

  • Resolution set to fixed
  • Status changed from new to closed

olpc-configure now takes care of this by resetting .ssh to 755 just after updating permissions in /home/olpc.

I didn't bother adding additional logic to retroactively fix .ssh's permissions on systems that were updated with interim joyride relases. I suppose whoever knows how to use ssh is also capable of figuring out how to fix this.

comment:4 Changed 7 years ago by MitchellNCharity

  • Resolution fixed deleted
  • Status changed from closed to reopened

Still broken in joyride 1387.

sshd appears to dislike /home/olpc being group writable.

# ssh fails
$ chmod g-w /home/olpc
# ssh works

comment:5 Changed 7 years ago by cscott

  • Owner changed from mstone to cscott
  • Status changed from reopened to new

From 'man sshd':

             If this file, the ~/.ssh directory, or the user's home directory
             are writable by other users, then the file could be modified or
             replaced by unauthorized users.  In this case, sshd will not
             allow it to be used unless the StrictModes option has been set to
             ``no''.  The recommended permissions can be set by executing
             ``chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys''.

I'd recommend setting StrictModes to 'no' in our sshd configuration. I guess I'll make that change in pilgrim.

comment:6 Changed 7 years ago by ffm

  • Cc ffm added

That would be a bad idea, as a rouge activity could add an arbitrary ssh key in .ssh/authorized_keys, thus allowing the laptop to be comprimised. And since user olpc will soon have sudo rights, a malicious user could comprimise root.

comment:7 Changed 7 years ago by ffm

We could just have it run chmod go-w ~olpc/ ~olpc/.ssh ~olpc/.ssh/authorized_keys on every boot, though.

comment:8 Changed 7 years ago by cscott

No, .ssh is not group-writable, /home/olpc is. I believe the issue is that an activity could rename the .ssh directory and create their own, since /home/olpc is writable by the group. I believe that setting the sticky bit on /home/olpc would solve the problem:

  When the sticky bit is set on a directory, a file in that directory may
  be unlinked or renamed only by the directory owner, the file owner,  or
  root.   Without  the  sticky bit, anyone able to write to the directory
  can delete or rename files.  The sticky bit is commonly found on direc-
  tories, such as /tmp, that are world-writable.

Michael, I don't know why it was necessary to make /home/olpc group-writable. Would setting the sticky bit break your use?

comment:9 Changed 7 years ago by cscott

Note to self: we also need to ensure PermitEmptyPasswords is set correctly; trac #5537.

comment:10 Changed 7 years ago by cscott

Works in joyride-1453.

comment:11 Changed 7 years ago by cscott

  • Owner changed from cscott to ApprovalForUpdate

This is a pilgrim patch; assign back to me after approval for commit to update.1 branch.

comment:12 Changed 7 years ago by jg

  • Owner changed from ApprovalForUpdate to dgilmore

comment:13 Changed 7 years ago by dgilmore

  • Cc cscott added

What is needed for pilgim?

comment:15 Changed 7 years ago by mstone

  • Cc mstone added

comment:16 Changed 7 years ago by mstone

I believe that this issue is fixed in joyride >= 1508 by bernie's and my olpc-utils work on #4928 and #5626.

comment:17 Changed 7 years ago by MitchellNCharity

Worked on joyride 1514.

comment:18 Changed 7 years ago by mstone

  • Blocked By 5626 added

comment:19 Changed 7 years ago by cscott

  • Resolution set to fixed
  • Status changed from new to closed

Closing ancient fixed bug. Yell if you see this again.

Note: See TracTickets for help on using tickets.