View Issue Details

IDProjectCategoryView StatusLast Update
0014291CentOS-7opensshpublic2017-12-19 14:15
Reportersuperseb 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version7.4.1708 
Target VersionFixed in Version 
Summary0014291: Backport fix for regression introduced in OpenSSH 7.4 regarding root user and socket forwarding
DescriptionIn OpenSSH 7.4 there was a fix for refusing Unix-domain socket forwarding when privilege separation is disabled, but because privsep is always disabled for the root user, this broke socket forwarding for root. Would be nice to backport this fix in your 7.4 package.

Steps To Reproduce- Boot CentOS 7.4 machine
# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
# rpm -qi openssh-server
Name : openssh-server
Version : 7.4p1
Release : 13.el7_4
- Try to forward a socket over SSH and access it
ssh -nNT -L /tmp/docker.sock:/var/run/docker.sock root@IP
channel 1: open failed: administratively prohibited: open failed
channel 1: open failed: administratively prohibited: open failed
Additional InformationIn the OpenSSH 7.4 release notes (more info on https://bugs.chromium.org/p/project-zero/issues/detail?id=1010)

 * sshd(8): When privilege separation is disabled, forwarded Unix-
   domain sockets would be created by sshd(8) with the privileges of
   'root' instead of the authenticated user. This release refuses
   Unix-domain socket forwarding when privilege separation is disabled
   (Privilege separation has been enabled by default for 14 years).
   Reported by Jann Horn of Project Zero.

In OpenSSH 7.5 release notes:

 * sshd(8): Fix Unix domain socket forwarding for root (regression in
   OpenSSH 7.4).

More info here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858252;msg=9

Tagsopenssh
abrt_hash
URL

Activities

TrevorH

TrevorH

2017-12-19 13:57

manager   ~0030785

Because of the way CentOS works (it's a direct rebuild of RHEL), you'll need to get this included in RHEL 7 and then CentOS will pick it up automatically once it's released.
superseb

superseb

2017-12-19 14:15

reporter   ~0030786

Thanks for the quick reply TrevorH, created https://bugzilla.redhat.com/show_bug.cgi?id=1527565

Issue History

Date Modified Username Field Change
2017-12-19 13:54 superseb New Issue
2017-12-19 13:54 superseb Tag Attached: openssh
2017-12-19 13:57 TrevorH Note Added: 0030785
2017-12-19 14:15 superseb Note Added: 0030786