[Bug 1222716] New: libssh tries to read config from wrong crypto-policies location

https://bugzilla.suse.com/show_bug.cgi?id=1222716

            Bug ID: 1222716
           Summary: libssh tries to read config from wrong crypto-policies location
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: pmonrealgonzalez@suse.com
          Reporter: fvogt@suse.com
        QA Contact: qa-bugs@suse.de
                CC: security-team@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

libssh-config ships /etc/libssh/libssh_server.config which contains

    # Parse system-wide crypto configuration file
    Include /usr/etc/crypto-policies/back-ends/libssh.config

But there is no such file. It's supposed to be
/etc/crypto-policies/back-ends/libssh.config

Probably caused by the fix for bug 1211718.

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c1

Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |pmonrealgonzalez@suse.com

--- Comment #1 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
Right, the libssh.config location for CP should not be changed. I'll amend that in a moment.

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c2

Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |IN_PROGRESS

--- Comment #2 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
Factory submission: https://build.opensuse.org/request/show/1167009

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c3

--- Comment #3 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Pedro Monreal Gonzalez from comment #2)
> Factory submission: https://build.opensuse.org/request/show/1167009

FWICT the logic for this is wrong: If /etc/ssh/ssh_config exists, that file is read. If not, /usr/etc/ssh/ssh_config is read. Currently libssh only reads the latter, so user configuration may get ignored.

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c4

--- Comment #4 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
Right, the usretc change was not done correctly in TW. I think GLOBAL_CLIENT_CONFIG and GLOBAL_BIND_CONFIG should still point to %{_sysconfdir} and in the config files both %{_sysconfdir} and %{_distconfdir} should be Included, right?

So, I think the sed command:

    %if 0%{?suse_version} > 1600
    sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
    sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
    %endif

should be substituted by:

    %if 0%{?suse_version} > 1600
    install -d -m755 %{buildroot}%{_distconfdir}/libssh/
    mv %{buildroot}%{_sysconfdir}/libssh/libssh_client.config %{buildroot}%{_distconfdir}/libssh/
    mv %{buildroot}%{_sysconfdir}/libssh/libssh_server.config %{buildroot}%{_distconfdir}/libssh/
    echo "Include /usr/etc/ssh/ssh_config" >> %{buildroot}%{_distconfdir}/libssh/libssh_client.config
    %endif

I get an rpmlint complaint, a non-etc-or-var-file-marked-as-conffile warning.

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c5

--- Comment #5 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Pedro Monreal Gonzalez from comment #4)
> Right, the usretc change was not done correctly in TW. I think
> GLOBAL_CLIENT_CONFIG and GLOBAL_BIND_CONFIG should still point to
> %{_sysconfdir} and in the config files both %{_sysconfdir} and
> %{_distconfdir} should be Included, right?

It's a bit more complex than that unfortunately. According to https://en.opensuse.org/openSUSE:Packaging_UsrEtc, packages must not ship files in /etc, neither upstream nor distro ones. If distro config is necessary, the file is put somewhere into /usr/etc, /usr/share, /usr/lib (according to preference) and only read if there is no user configuration in /etc.

For libssh this means that it needs a code change to read /etc/libssh/libssh_{client,server}.config first and if that doesn't exist, /usr/etc/libssh/libssh_{client,server}.config. Such a patch would probably get accepted upstream, /usr/lib is the most commonly used location.

https://bugzilla.suse.com/show_bug.cgi?id=1222716

Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |openssl-maintainers@suse.de

https://bugzilla.suse.com/show_bug.cgi?id=1222716

Lucas Mulling <lucas.mulling@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |lucas.mulling@suse.com
          Assignee|pmonrealgonzalez@suse.com   |lucas.mulling@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c6

--- Comment #6 from Lucas Mulling <lucas.mulling@suse.com> ---
Created attachment 880436
  --> https://bugzilla.suse.com/attachment.cgi?id=880436&action=edit
Add option WITH_USRETC enabling hermetic-usr

Hello,

Patch to allow libssh to load global config files from %{_distconfdir}/libssh/* if ${_sysconfdir}/libssh/* is not present. Tested with sshping.
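The lookup order Fabian describes in comment #5 (admin copy in /etc first, vendor copy in /usr/etc only as a fallback) and that the attached patch in comment #6 implements, written out as an added example; this is not libssh's code or the attached patch, and the sandbox directory /tmp/libssh_usretc_demo and the make_tree fixture helper are hypothetical, standing in for the real / tree.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hermetic-usr lookup: the administrator's copy under sysconfdir (/etc) wins;
 * the vendor copy under distconfdir (/usr/etc) is read only when no /etc copy
 * exists. Returns 1 with the path in `out`, or 0 with `out` empty. */
int resolve_global_config(const char *sysconfdir, const char *distconfdir,
                          const char *name, char *out, size_t outlen)
{
    const char *dirs[2] = { sysconfdir, distconfdir };
    for (int i = 0; i < 2; i++) {
        int n = snprintf(out, outlen, "%s/libssh/%s", dirs[i], name);
        if (n >= 0 && (size_t)n < outlen && access(out, R_OK) == 0)
            return 1;   /* first candidate that fits and is readable wins */
    }
    out[0] = '\0';      /* never hand back a truncated or missing path */
    return 0;
}

/* Fixture helper (hypothetical, demo only): build <root>/etc/libssh and
 * <root>/usr/etc/libssh so the lookup can run against a throwaway tree. */
int make_tree(const char *root)
{
    const char *sub[] = { "", "/etc", "/etc/libssh", "/usr", "/usr/etc", "/usr/etc/libssh" };
    char buf[512];
    for (size_t i = 0; i < sizeof sub / sizeof sub[0]; i++) {
        snprintf(buf, sizeof buf, "%s%s", root, sub[i]);
        if (mkdir(buf, 0700) != 0 && errno != EEXIST)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* constructed sandbox tree standing in for / */
    char etc[] = "/tmp/libssh_usretc_demo/etc", usretc[] = "/tmp/libssh_usretc_demo/usr/etc";
    char vendor[512], chosen[512];
    snprintf(vendor, sizeof vendor, "%s/libssh/libssh_client.config", usretc);
    FILE *f = make_tree("/tmp/libssh_usretc_demo") == 0 ? fopen(vendor, "w") : NULL;
    if (f == NULL)
        return 1;
    fclose(f);   /* only the vendor copy exists, so the /usr/etc path is chosen */
    if (resolve_global_config(etc, usretc, "libssh_client.config", chosen, sizeof chosen))
        printf("loading %s\n", chosen);
    return 0;
}
```

Dropping a file into /etc/libssh/ then makes the lookup ignore the vendor copy entirely, which is the override behaviour the packaging policy asks for; note that the check uses access() only to pick a candidate, the caller still opens the file afterwards.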

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c7

Lucas Mulling <lucas.mulling@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #880436 is obsolete|0                |1

--- Comment #7 from Lucas Mulling <lucas.mulling@suse.com> ---
Created attachment 880506
  --> https://bugzilla.suse.com/attachment.cgi?id=880506&action=edit
Add option WITH_HERMETIC_USR

Hello,

Updated patch with an approach that is portable.

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c8

--- Comment #8 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
Hello, @Fabian Vogt. Here the submission that Lucas has prepared for Factory:

  * https://build.opensuse.org/request/show/1247452

Could you please review it before we submit the fix upstream? TIA

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c9

--- Comment #9 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
Factory submission:

  * https://build.opensuse.org/request/show/1247452

PR accepted upstream, see:

  * https://gitlab.com/libssh/libssh-mirror/-/merge_requests/574

https://bugzilla.suse.com/show_bug.cgi?id=1222716
https://bugzilla.suse.com/show_bug.cgi?id=1222716#c11

Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Resolution|---                         |FIXED
            Status|IN_PROGRESS                 |RESOLVED

--- Comment #11 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
Closing as the PR has been accepted upstream and released in Factory.