From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sat, 22 Jun 2013 01:04:30 +0200
To: freebsd-stable@FreeBSD.org
Subject: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)

Besides my previous complaint about sshd not starting after the upgrade from FreeBSD 8.3 to 8.4 due to an incompatible change in parsing sshd_config with an empty VersionAddendum [1], there is another, more serious bug in the newly imported SSH in base (OpenSSH_6.1p1) which I am not able to fix / work around.

In short: OpenSSH 6.1 is creating broken symlinks with the sftp command on an OpenSSH 5.4 server with a chrooted account. It always creates symlinks with a pseudo-absolute path instead of a relative one.

The SSH server (OpenSSH 5.4 on FreeBSD 8.3) is configured with the following settings for chrooting:

    Match User devel
        ChrootDirectory /usr/home
        ForceCommand internal-sftp

And again, it was working fine with the older version of FreeBSD / OpenSSH 5.4 client (sftp command). It is working with WinSCP too.

The sftp command used for creating the symlink is:

    symlink temp temp_symlink

The expected result shown by ls -l /usr/home/devel on the server side is:

    temp_symlink -> temp

Broken links by the OpenSSH 6.1 client:

    temp_symlink -> /devel/temp

So the symlink is not working outside of the sftp chrooted session (for example, Apache cannot read files from the symlinked directory because only user "devel" is chrooted).

I tried to enable DEBUG logging in sshd_config on the server side, with the following results:

Expected behavior with OpenSSH 5.4 as sftp client:

    subsystem request for sftp
    session opened for local user devel from [y.y.y.y]
    received client version 3
    realpath "."
    symlink old "temp" new "/usr/home/devel/temp_symlink"
    sent status Success
    session closed for local user devel from [y.y.y.y]

Broken behavior with OpenSSH 6.1 as sftp client:

    subsystem request for sftp
    session opened for local user devel from [x.x.x.x]
    received client version 3
    realpath "."
    opendir "/usr/home/devel"
    sent status End of file
    closedir "/usr/home/devel"
    sent status Success
    symlink old "/usr/home/devel/temp" new "/usr/home/devel/temp_symlink"
    sent status Success

In both cases the sftp command is executed from a simplified shell script simulating a much larger script for our application deployment:

    echo "symlink temp temp_symlink
    quit
    " | sftp devel@x.x.x.x

The above debug output is the same with sftp-server and internal-sftp (in sshd_config).

It does not matter if the user account is chrooted or not - the sftp command always creates the symlink with an absolute path (with OpenSSH 6.1). With the OpenSSH 5.4 client, it will create relative path symlinks as expected.

So my questions are:

1) Is there some way to create relative symlinks with OpenSSH 6.1?

2) Was OpenSSH 6.1 tested before importing into the base of the FreeBSD 8.4 release? These two bugs seem serious to me.

3) Is there any chance to fix these bugs in the FreeBSD repository, or do we need to be "bug to bug" compatible with other systems using OpenSSH 6.x?

Miroslav Lachman

[1] sshd didn't run after upgrade to FreeBSD 8.4
    http://lists.freebsd.org/pipermail/freebsd-stable/2013-June/073898.html
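
Added example, not part of the original message and not FreeBSD or OpenSSH code: a server-side audit that walks a chroot tree such as the /usr/home above, finds symlinks stored with a chroot-absolute target (like /devel/temp) and computes the relative target that resolves both inside and outside the chroot. The function names and the temporary-file suffix are hypothetical, and it assumes every absolute link under the tree was created through the chrooted sftp session.

```python
import os
import tempfile

def chroot_view(chroot, target):
    """Host path that an absolute link target names inside the chroot."""
    # normpath() first, so a leading "/.." cannot climb above the chroot root.
    return os.path.join(chroot, os.path.normpath(target).lstrip("/"))

def relative_target(chroot, link_path, target):
    """Relative link text equivalent to a chroot-absolute target."""
    if not os.path.isabs(target):
        return target  # already relative, leave untouched
    return os.path.relpath(chroot_view(chroot, target), os.path.dirname(link_path))

def find_chroot_absolute_links(chroot):
    """Yield (link, old_target, new_target) for absolute links under chroot."""
    for dirpath, dirnames, filenames in os.walk(chroot):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.readlink(link)
            # Only report links whose target exists when read from inside the chroot.
            if os.path.isabs(target) and os.path.lexists(chroot_view(chroot, target)):
                yield link, target, relative_target(chroot, link, target)

def repair(chroot, dry_run=True):
    """Return the planned changes; rewrite the links when dry_run is False."""
    changes = list(find_chroot_absolute_links(chroot))
    if not dry_run:
        for link, _old, new in changes:
            tmp = link + ".relink-tmp"  # hypothetical temporary name
            os.symlink(new, tmp)
            os.replace(tmp, link)  # rename() swaps the link itself atomically
    return changes

def demo():
    """Constructed tree mirroring the report: devel/temp_symlink -> /devel/temp."""
    with tempfile.TemporaryDirectory() as root:
        chroot = os.path.realpath(root)
        os.makedirs(os.path.join(chroot, "devel", "temp"))
        link = os.path.join(chroot, "devel", "temp_symlink")
        os.symlink("/devel/temp", link)
        plan = [(os.path.relpath(l, chroot), o, n) for l, o, n in repair(chroot)]
        repair(chroot, dry_run=False)
        return plan, os.readlink(link), os.path.isdir(link)

if __name__ == "__main__":
    print(demo())
```

Run repair() with dry_run=True first and review the planned changes, since an absolute link that was deliberately created outside the sftp session would also be reported if its path happens to exist under the chroot.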