It was suggested to me that I forward this message to you.
---------- Forwarded Message ----------
Subject: privsep in ssh
Date: Fri, 19 Sep 2003 12:22
From: Russell Coker <russell at coker.com.au>
To: SE Linux <selinux at tycho.nsa.gov>
Cc: Colin Watson <cjwatson at debian.org>

#ifdef DISABLE_FD_PASSING
	if (1) {
#else
	if (authctxt->pw->pw_uid == 0 || options.use_login) {
#endif
		/* File descriptor passing is broken or root login */
		monitor_apply_keystate(pmonitor);
		use_privsep = 0;
		return;
	}

When browsing the ssh source I noticed the above in sshd.c. It appears from
a casual inspection that we should change this and remove the check for
pw_uid == 0. Logging in as root in SE Linux does not mean that we have full
administrative privs, so I think that we should have privsep enabled all the
time.

I have compiled an sshd with privsep for root logins and it seems to work
fine.

I have attached the patch against ssh 3.6.1p2. I expect that the same thing
would be necessary in 3.7.1 and the same patch probably applies (but I
haven't checked).

I believe that this patch is worthy of inclusion in the standard distribution
of ssh. The only drawback is that it uses a small amount of extra CPU power
for root logins, and on systems such as SE Linux it provides security
benefits.

Anyone who wants to use the SE Linux PAM module for sshd probably wants this.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 381 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030922/c1a58cda/attachment.bin