Multiplay Labs

tech hits and tips from Multiplay


sftp-server umask not working under older versions


Older versions of OpenSSH's sftp-server, such as the version shipped in 8.3-RELEASE, include a bug that causes the command-line option for umask to be processed incorrectly.

The umask option can be used in a chroot'ed, sftp-only setup, as in the following block in /etc/ssh/sshd_config:

Subsystem   sftp    internal-sftp
Match group chroot
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -u 0477
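
What the broken parsing does to a value such as 0477, as an added example (not code from the original post or from OpenSSH): the unpatched code calls strtonum(), which reads decimal, so it is emulated here with strtol() in base 10. The helper names parse_umask, created_mode and show are hypothetical, and the sample arguments are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Parse a -u argument in the given base, accepting 0..0777 only.
 * Base 10 emulates the unpatched strtonum() call, which reads decimal;
 * base 8 is what the patch switches to. Returns -1 when rejected. */
static long parse_umask(const char *s, int base)
{
	char *end;
	long v;

	errno = 0;	/* strtol() never clears errno itself */
	v = strtol(s, &end, base);
	if (end == s || *end != '\0' || errno != 0 || v < 0 || v > 0777)
		return -1;
	return v;
}

/* Permission bits a file requested with mode 0666 gets under this umask. */
static mode_t created_mode(long mask)
{
	return (mode_t)(0666 & ~mask);
}

static void show(const char *label, long mask)
{
	if (mask < 0)
		printf("  %s: rejected", label);
	else
		printf("  %s: umask %04lo, new file %04lo", label,
		    (unsigned long)mask, (unsigned long)created_mode(mask));
}

int main(void)
{
	/* Constructed sample arguments; 0477 is the value from the config. */
	const char *samples[] = { "0477", "0077", "0022", "0700", "08" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		printf("-u %-4s", samples[i]);
		show("decimal parse", parse_umask(samples[i], 10));
		show("octal parse", parse_umask(samples[i], 8));
		printf("\n");
	}
	return 0;
}
```

With the decimal parse, -u 0077 is applied as umask 0115, so a file requested with mode 0666 is created 0662 instead of 0600, and -u 0700 is rejected outright.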

The following patch fixes this issue:

--- crypto/openssh/sftp-server.c.orig	2013-09-27 15:10:32.089496594 +0000
+++ crypto/openssh/sftp-server.c	2013-09-27 15:12:06.128649706 +0000
@@ -1378,7 +1378,7 @@ sftp_server_main(int argc, char **argv, 
 	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
 	char *cp, buf[4*4096];
 	const char *errmsg;
-	mode_t mask;
+	long mask;
 
 	extern char *optarg;
 	extern char *__progname;
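Review bot: the errmsg declaration kept as context in this hunk loses its visible user once the -u case stops calling strtonum(); if no other option in sftp_server_main() sets it, drop "const char *errmsg;" here as well to avoid an unused-variable warning. The switch of mask to long is needed so the range check can see an out-of-range strtol() result before it is narrowed to mode_t, and a short comment saying so would keep someone from changing it back.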
@@ -1412,11 +1412,11 @@ sftp_server_main(int argc, char **argv, 
 				error("Invalid log facility \"%s\"", optarg);
 			break;
 		case 'u':
-			mask = (mode_t)strtonum(optarg, 0, 0777, &errmsg);
-			if (errmsg != NULL)
-				fatal("Invalid umask \"%s\": %s",
-				    optarg, errmsg);
-			(void)umask(mask);
+			mask = strtol(optarg, &cp, 8);
+			if (mask < 0 || mask > 0777 || *cp != '\0' ||
+			    cp == optarg || (mask == 0 && errno != 0))
+				fatal("Invalid umask \"%s\"", optarg);
+			(void)umask((mode_t)mask);
 			break;
 		case 'h':
 		default:
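Review bot: the "(mask == 0 && errno != 0)" test in the -u case reads errno without it being cleared first, so a stale errno left by earlier code would make a valid "-u 0" fatal; add "errno = 0;" on the line before "mask = strtol(optarg, &cp, 8);" and confirm that errno.h is included in this file. The new fatal() message also no longer says why the value was rejected, so consider stating that an octal value between 0 and 0777 is expected.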

Written by Dilbert

September 27th, 2013 at 3:41 pm

Posted in Code,FreeBSD