From: Miroslav Lachman <000.fbsd@quip.cz>
To: Jeremy Chadwick
Cc: freebsd-stable@FreeBSD.org, d@delphij.net
Subject: Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
Date: Tue, 25 Jun 2013 03:03:04 +0200
Message-ID: <51C8EC48.1000807@quip.cz>
In-Reply-To: <20130624225034.GA8873@icarus.home.lan>
References: <51C4DBFE.1010809@quip.cz> <51C4F5D4.6000802@delphij.net> <51C8C400.7080009@quip.cz> <51C8C9E8.9050507@delphij.net> <20130624225034.GA8873@icarus.home.lan>
List-Id: Production branch of FreeBSD source code

Jeremy Chadwick wrote:
> On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote:
>> On 06/24/13 15:11, Miroslav Lachman wrote:
>> [...]
>>> The patch seems really simple and I know how to apply it, but I am
>>> not able to compile and install only fixed sftp command instead of
>>> the whole userland. Can you push me to the right direction?
>>
>> I think you can go to /usr/src/secure/usr.bin/sftp and do:
>>
>> make depend
>> make
>>
>> Then, as root:
>>
>> make install

Thank you! I didn't know I must be in /usr/src/secure/usr.bin/sftp
I tried your patch and can confirm it works for me!

>> I usually do a full world build to make sure that this doesn't break
>> something else but this change should only affect sftp(1).
>
> I'm going to make this real simple:
>
> Is the problem with symlinks in the client (sftp(1)), in the server
> (sftp-server(8)), or both? The impression I get from the original post
> that started this thread is that it's in the server part.

No, it is the problem on the client side. The server side in all cases
is good old OpenSSH 5.4 on FreeBSD 8.3. Only the newer sftp client is
broken and this bug is really fixed by patch provided by Xin Li.
We tried OpenSSH 6.2 client side from Mac OS X and it is broken too.
The same applies to openssh-portable from ports (openssh-portable-6.2.p2_3,1)

> So, I believe he'd want to poke about in src/secure/libexec/sftp-server.
> However, that may not be enough, due to the fact that sftp-server(8)
> depends (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X. I do
> not know where the actual broken code lies.
>
> Someone on -security might know exactly what all needs to be built/what
> commands need to be run, but I will tell you this up front:
>
> The official security announcements for SSL or SSH-related things have
> historically told people to build world. I went and read the mailing
> list archives for -security-announcements and found proof/examples of
> this fact when issues pertain to SSL or SSH.
>
> My recommendation is just to build world. Don't risk it -- this is a
> key piece of your system, all you're trying to do is save some time.
> Don't. Just build/install world and don't screw around.

I understand your concern and I will rebuild world if the patch changes
anything in the server part, but this is really just a fix in sftp client
command and I want to try it quickly and to have a quick path to go back
to original version of the sftp command. This is on testing machine
anyway, I will not do this on production machines.

Miroslav Lachman
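The per-component rebuild quoted above (make depend, make, make install in /usr/src/secure/usr.bin/sftp), wrapped so the installed sftp(1) is saved with a checksum first and can be put back in one step, as an added example that is not code from this thread or from FreeBSD; SFTP_SRC, SFTP_BIN, BACKUP_DIR and the function names are assumptions.

```shell
#!/bin/sh
# Added example: rebuild only sftp(1) from the src tree, keeping a
# checksummed copy of the current binary for a quick rollback.
# SFTP_SRC, SFTP_BIN and BACKUP_DIR are assumed defaults; override as needed.
set -u

SFTP_SRC=${SFTP_SRC:-/usr/src/secure/usr.bin/sftp}
SFTP_BIN=${SFTP_BIN:-/usr/bin/sftp}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/sftp-rollback}

sha256_of() {
    # sha256(1) on FreeBSD, sha256sum(1) elsewhere; print the bare digest.
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d' ' -f1; fi
}

backup_binary() {
    # $1 = binary to save, $2 = backup dir; digest is recorded beside the copy.
    mkdir -p "$2"
    cp -p "$1" "$2/$(basename "$1").orig"
    sha256_of "$1" > "$2/$(basename "$1").orig.sha256"
}

restore_binary() {
    # Put the saved copy back only if it still matches the recorded digest.
    name=$(basename "$1")
    [ "$(sha256_of "$2/$name.orig")" = "$(cat "$2/$name.orig.sha256")" ] || return 1
    cp -p "$2/$name.orig" "$1"
}

rebuild_sftp() {
    # The three steps from the thread; the install step needs root.
    (cd "$SFTP_SRC" && make depend && make && make install)
}

# Usage: sh rebuild-sftp.sh backup|rebuild|restore
case "${1:-}" in
    backup)  backup_binary "$SFTP_BIN" "$BACKUP_DIR" ;;
    rebuild) backup_binary "$SFTP_BIN" "$BACKUP_DIR" && rebuild_sftp ;;
    restore) restore_binary "$SFTP_BIN" "$BACKUP_DIR" ;;
esac
```

Running `rebuild` saves the current binary before building; `restore` refuses to copy a backup whose digest no longer matches the one recorded at backup time.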