Date:      Mon, 24 Jun 2013 18:13:09 -0700
From:      Jeremy Chadwick <jdc@koitsu.org>
To:        Miroslav Lachman <000.fbsd@quip.cz>
Cc:        freebsd-stable@FreeBSD.org, d@delphij.net
Subject:   Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
Message-ID:  <20130625011308.GA10736@icarus.home.lan>
In-Reply-To: <51C8EC48.1000807@quip.cz>
References:  <51C4DBFE.1010809@quip.cz> <51C4F5D4.6000802@delphij.net> <51C8C400.7080009@quip.cz> <51C8C9E8.9050507@delphij.net> <20130624225034.GA8873@icarus.home.lan> <51C8EC48.1000807@quip.cz>

On Tue, Jun 25, 2013 at 03:03:04AM +0200, Miroslav Lachman wrote:
> Jeremy Chadwick wrote:
> >On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote:
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>Hash: SHA512
> >>
> >>On 06/24/13 15:11, Miroslav Lachman wrote:
> >>[...]
> >>>The patch seems really simple and I know how to apply it, but I am
> >>>not able to compile and install only fixed sftp command instead of
> >>>the whole userland. Can you push me to the right direction?
> >>
> >>I think you can go to /usr/src/secure/usr.bin/sftp and do:
> >>
> >>make depend
> >>make
> >>
> >>Then, as root:
> >>
> >>make install
> 
> Thank you! I didn't know I must be in /usr/src/secure/usr.bin/sftp
> 
> I tried your patch and can confirm it works for me!
> 
> >>I usually do a full world build to make sure that this doesn't break
> >>something else but this change should only affect sftp(1).
> >
> >I'm going to make this real simple:
> >
> >Is the problem with symlinks in the client (sftp(1)), in the server
> >(sftp-server(8)), or both?  The impression I get from the original post
> >that started this thread is that it's in the server part.
> 
> No, it is the problem on the client side. The server side in all
> cases is good old OpenSSH 5.4 on FreeBSD 8.3. Only the newer sftp
> client is broken and this bug is really fixed by patch provided by
> Xin Li.
> 
> We tried OpenSSH 6.2 client side from Mac OS X and it is broken too.
> The same applies to openssh-portable from ports (openssh-portable-6.2.p2_3,1).
> 
> >So, I believe he'd want to poke about in src/secure/libexec/sftp-server.
> >However, that may not be enough, due to the fact that sftp-server(8)
> >depends (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X.  I do
> >not know where the actual broken code lies.
> >
> >Someone on -security might know exactly what all needs to be built/what
> >commands need to be run, but I will tell you this up front:
> >
> >The official security announcements for SSL or SSH-related things have
> >historically told people to build world.  I went and read the mailing
> >list archives for -security-announcements and found proof/examples of
> >this fact when issues pertain to SSL or SSH.
> >
> >My recommendation is just to build world.  Don't risk it -- this is a
> >key piece of your system, all you're trying to do is save some time.
> >Don't.  Just build/install world and don't screw around.
> 
> I understand your concern and I will rebuild world if the patch
> changes anything in the server part, but this is really just a fix in
> sftp client command and I want to try it quickly and to have a quick
> path to go back to original version of the sftp command.
> 
> This is on testing machine anyway, I will not do this on production
> machines.

Understood -- it was my misunderstanding of the issue (being on the
client side, not server side), so Xin's advice is sound.  Sorry for the
noise on my part.

-- 
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
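The procedure Xin Li describes above (build in `/usr/src/secure/usr.bin/sftp` with `make depend && make`, then `make install` as root) and Miroslav's wish for a quick path back to the original sftp(1) can be wrapped in a small script. The following is an added example, not code from the thread or from FreeBSD: it keeps a checksummed copy of the installed binary before the patched build replaces it, so a single command restores the stock version if the patched client misbehaves. The binary path, source subdirectory and backup directory are parameters (the thread's values would be `/usr/bin/sftp` and `/usr/src/secure/usr.bin/sftp`); `cksum` is used because it is POSIX and exists on both FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): rebuild one userland
# program from the source tree while keeping a verifiable rollback copy of
# the binary it replaces. All paths are passed as arguments; the values in
# the usage comments are the ones the thread talks about.
set -u

# backup_binary BIN BACKUP_DIR
# Copy the currently installed binary aside and record its checksum so a
# later restore can be verified rather than trusted blindly.
backup_binary() {
    bin="$1"; backup_dir="$2"
    [ -f "$bin" ] || return 1
    mkdir -p "$backup_dir" || return 1
    orig="$backup_dir/$(basename "$bin").orig"
    cp -p "$bin" "$orig" || return 1
    cksum "$bin" | awk '{print $1}' > "$orig.cksum"
}

# restore_binary BIN BACKUP_DIR
# Put the saved copy back and confirm the restored file matches the checksum
# recorded at backup time (returns non-zero on any mismatch).
restore_binary() {
    bin="$1"; backup_dir="$2"
    orig="$backup_dir/$(basename "$bin").orig"
    [ -f "$orig" ] && [ -f "$orig.cksum" ] || return 1
    cp -p "$orig" "$bin" || return 1
    want=$(cat "$orig.cksum")
    got=$(cksum "$bin" | awk '{print $1}')
    [ "$want" = "$got" ]
}

# build_and_install SRC_SUBDIR
# The steps from the thread: "make depend", "make", then "make install"
# (the last one as root). Each runs in a subshell so the caller's cwd is
# untouched; a failing step aborts before anything is installed.
build_and_install() {
    srcdir="$1"
    [ -d "$srcdir" ] || return 1
    (cd "$srcdir" && make depend && make) || return 1
    (cd "$srcdir" && make install)
}

# Usage on the real system (as root), e.g. for the sftp(1) client:
#   sh rebuild-one.sh backup  /usr/bin/sftp /var/backups/sftp
#   sh rebuild-one.sh build   /usr/src/secure/usr.bin/sftp
#   sh rebuild-one.sh restore /usr/bin/sftp /var/backups/sftp
case "${1:-}" in
    backup)  backup_binary "$2" "$3" ;;
    build)   build_and_install "$2" ;;
    restore) restore_binary "$2" "$3" ;;
esac
```

The backup/restore pair is what makes trying a single-program rebuild on a test machine low-risk: the stock binary is one `restore` away, and the checksum check catches a truncated or wrong copy before it is trusted again.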



