termux / termux-packages

A package build system for Termux.
https://termux.dev

[Bug]: (openssh) unable to ssh to remote system if config files are stored in $PREFIX/etc/ssh/ssh_config.d #21569

Closed jroovy closed 3 weeks ago

jroovy commented 3 weeks ago

Problem description

Trying to ssh into a system as a root user will spawn this error:

Bad owner or permissions on /data/data/com.termux/files/usr/etc/ssh/ssh_config.d/custom.conf

This is especially a problem when trying to mount a remote sshfs, which requires root permissions.

What steps will reproduce the bug?

  1. Place ssh config files in $PREFIX/etc/ssh/ssh_config.d
  2. Switch to root user with tsu
  3. Attempt login to a remote system
  4. Operation will fail with Bad owner or permissions on /data/data/com.termux/files/usr/etc/ssh/ssh_config.d/custom.conf

What is the expected behavior?

Should be able to login to remote system without any issues.

System information

Termux Variables:
TERMUX_APK_RELEASE=GITHUB
TERMUX_APP_PACKAGE_MANAGER=apt
TERMUX_APP_PID=23697
TERMUX_IS_DEBUGGABLE_BUILD=1
TERMUX_MAIN_PACKAGE_FORMAT=debian
TERMUX_VERSION=0.118.1
TERMUX__USER_ID=0
Packages CPU architecture:
aarch64
Subscribed repositories:
# sources.list
deb https://packages-cf.termux.dev/apt/termux-main stable main
# root-repo (sources.list.d/root.list)
deb https://packages-cf.termux.dev/apt/termux-root root stable
# x11-repo (sources.list.d/x11.list)
deb https://packages-cf.termux.dev/apt/termux-x11 x11 main
Updatable packages:
7zip/stable 24.08 aarch64 [upgradable from: 24.08]
git/stable 2.46.2 aarch64 [upgradable from: 2.46.1]
harfbuzz/stable 10.0.1 aarch64 [upgradable from: 9.0.0]
termux-tools version:
1.43.5
Android version:
14
Kernel build information:
Linux localhost 4.14.352-perf-g70ee16ac6831 #1 SMP PREEMPT Sun Sep 22 13:31:47 EEST 2024 aarch64 Android
Device manufacturer:
Xiaomi
Device model:
M2102J20SG
LD Variables:
LD_LIBRARY_PATH=
LD_PRELOAD=/data/data/com.termux/files/usr/lib/libtermux-exec.so

agnostic-apollo commented 3 weeks ago

You likely need to run chown -R root:root "$PREFIX/etc/ssh" if running sshd as root. This obviously will have the implication that you will need to wipe $PREFIX manually with root if ever needed (like termux-reset), as termux app/user owned processes will not be able to do it, and possibly openssh package updates will fail as well and ownership will need to be restored first.

jroovy commented 3 weeks ago

I see... I'll make a bash script that does this for me.

agnostic-apollo commented 3 weeks ago

Might wanna test it first ;)

Running ssh as root at least requires ~/.ssh to be owned by root user.

jroovy commented 3 weeks ago

> Might wanna test it first ;)
>
> Running ssh as root at least requires ~/.ssh to be owned by root user.

Does it? I was able to run ssh as root without changing ownership of ~/.ssh

jroovy commented 3 weeks ago

Here's my script for running ssh as root:

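#!/data/data/com.termux/files/usr/bin/sh
# Remember the invoking (non-root) user so ownership can be restored afterwards.
user=$(whoami)

if [ "$user" = root ]; then
    printf '%s\n' 'This script <should not> be run as root.'
    exit 1
fi

# Give the ssh config tree to root while ssh runs, then hand it back.
sudo chown -R root:root "$PREFIX/etc/ssh"
sudo ssh "$@"
sudo chown -R "$user:$user" "$PREFIX/etc/ssh"

jroovy commented 3 weeks ago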

I'll have to edit the script further for sshfs

EDIT: maybe not, since sshfs runs in the background and the permissions get reverted after sshfs has been executed

EDIT 2: replace sudo ssh "$@" with sudo sshfs "$@" and it should also work for sshfs

agnostic-apollo commented 3 weeks ago

> Does it? I was able to run ssh as root without changing ownership of ~/.ssh

It's the ownership of ~/.ssh/config that matters, you have likely not created it.

> if [ $user = root ]; then exit

If you exit if root, then how do you expect to change ownership with chown to root, which itself also doesn't make sense in that case.

jroovy commented 3 weeks ago

> If you exit if root, then how do you expect to change ownership with chown to root, which itself also doesn't make sense in that case.

with sudo

The user=$(whoami) stores the uid of the non-root user. So if the script is run with root then $user will not have the uid of the non-root user.

> It's the ownership of ~/.ssh/config that matters, you have likely not created it.

I see. Yes, I don't have a config file in the ~/.ssh folder.

agnostic-apollo commented 3 weeks ago

whoami prints the current effective user id, which will be root if running under sudo and not some non-root user.

If you want to prevent nested running of script if already root, then use something like this.

#!/data/data/com.termux/files/usr/bin/bash

if [[ $EUID -ne 0 ]]; then
    exec sudo bash "$0" "$@"
fi

ssh...

sylirre commented 3 weeks ago

9.9p1-4 will ignore ownership of configuration files, so chown won't be needed anymore.

However world-writeable permissions (e.g. default permissions with umask 0000) still trigger the error. That should be expected.
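
The check discussed in this thread, as an added example (not code from the thread or from the openssh package): a config file is rejected when it is writable by group or others, or when its owner is neither root nor the uid running ssh. The function names and the ignore-owner switch, which models the 9.9p1-4 behaviour only as described in the comment above, are assumptions; `stat -c` assumes GNU coreutils or a compatible stat.

```shell
#!/bin/sh
# Added example: audit ssh client config snippets for the condition behind
# "Bad owner or permissions". Function names are hypothetical.

# classify OWNER_UID MODE_OCTAL CALLER_UID IGNORE_OWNER(0|1)
# Prints one of: ok, bad-owner, bad-mode.
classify() {
    owner=$1 mode=$2 caller=$3 ignore_owner=$4
    # Writable by group or others (mask 022) is rejected in every case.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo bad-mode; return
    fi
    # The owner must be root or the uid running ssh, unless the build
    # skips the ownership test (IGNORE_OWNER=1, assumed per the thread).
    if [ "$ignore_owner" -eq 0 ] && [ "$owner" -ne 0 ] \
        && [ "$owner" -ne "$caller" ]; then
        echo bad-owner; return
    fi
    echo ok
}

# audit_dir DIR CALLER_UID IGNORE_OWNER
# Prints "<verdict> <path>" for every *.conf file in DIR.
audit_dir() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        meta=$(stat -c '%u %a' "$f")    # "<owner uid> <octal mode>"
        printf '%s %s\n' \
            "$(classify "${meta% *}" "${meta#* }" "$2" "$3")" "$f"
    done
}

# When run inside Termux, audit the directory from this issue for the
# current uid; run it under sudo to see the verdict root would get.
if [ -n "${PREFIX:-}" ] && [ -d "$PREFIX/etc/ssh/ssh_config.d" ]; then
    audit_dir "$PREFIX/etc/ssh/ssh_config.d" "$(id -u)" 0
fi
```

Passing 1 as the last argument reports only the permission problems that remain once ownership is ignored.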

jroovy commented 2 weeks ago

> whoami prints the current effective user id, which will be root if running under sudo and not some non-root user.
>
> If you want to prevent nested running of script if already root, then use something like this.
>
> #!/data/data/com.termux/files/usr/bin/bash
>
> if [[ $EUID -ne 0 ]]; then
>     exec sudo bash "$0" "$@"
> fi
>
> ssh...

I think you meant the $USER variable. $user (lowercase) is a completely different variable.

~ $ user=$(whoami)
~ $ echo $user
u0_a491
~ $ sudo echo $user
u0_a491

EDIT: sorry, I misunderstood your comment

> 9.9p1-4 will ignore ownership of configuration files, so chown won't be needed anymore.

I can confirm it's fixed :+1: