-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

This may or may not be a bug. However, it is DEFINITELY NOT how I would
expect and want to see sshd work!

If you run lsof against sshd on a privilege separated user, it shows
that sshd's CWD is /. I would hope that the CWD would be at a minimum
/var/empty/sshd and I would really have thought it would be something
along the lines of /var/empty/sshd/USER. (In fact, lsof does not show
any references to /var/empty... which I assume means that it is only
referenced during startup??)

I also noticed that the listener sshd also has / as its CWD. I would
have thought that it would have had ~root or /var/run as its CWD to
prevent core files from being left in / where it may be possible for
someone to find and pursue those files.

Tech details of this issue follow signature paragraph.

TIA for at least thinking about this!

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
e: Jon.Kibler at aset.com or Jon.R.Kibler at gmail.com
s: JonRKibler
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


OpenSSH_5.3p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc/ssh
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: yes
SELinux support: yes
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: yes
libedit support: no
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
- -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset
- -fstack-protector-all -std=gnu99
Preprocessor flags:
Linker flags: -fstack-protector-all
Libraries: -lcrypto -lutil -lz -lnsl -lcrypt -lresolv
- -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
+for sshd: -lwrap -lpam -ldl -lselinux

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

==============
root 3100 23936 0 14:58 ? 00:00:00 sshd: kiblerj [priv]
kiblerj 3102 3100 0 14:58 ? 00:00:00 sshd: kiblerj at pts/2
root 23936 1 0 14:31 ? 00:00:00 /usr/local/sbin/sshd
==============
> lsof -p 23936
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> sshd 23936 root cwd DIR 9,1 4096 2 /
> sshd 23936 root rtd DIR 9,1 4096 2 /
> sshd 23936 root txt REG 253,6 447744 1081352 /usr/local/sbin/sshd (deleted)
> sshd 23936 root mem REG 9,1 139416 65572 /lib64/ld-2.5.so
> sshd 23936 root mem REG 9,1 1717800 65573 /lib64/libc-2.5.so
> sshd 23936 root mem REG 9,1 37368 65723 /lib64/libwrap.so.0.7.6
> sshd 23936 root mem REG 253,5 85608 1050003 /usr/lib64/libz.so.1.2.3
> sshd 23936 root mem REG 9,1 247496 65887 /lib64/libsepol.so.1
> sshd 23936 root mem REG 9,1 95464 65888 /lib64/libselinux.so.1
> sshd 23936 root mem REG 9,1 48600 65885 /lib64/libcrypt-2.5.so
> sshd 23936 root mem REG 9,1 114352 65884 /lib64/libnsl-2.5.so
> sshd 23936 root mem REG 9,1 46800 65890 /lib64/libpam.so.0.81.5
> sshd 23936 root mem REG 9,1 9472 65857 /lib64/libkeyutils-1.2.so
> sshd 23936 root mem REG 9,1 1366208 65895 /lib64/libcrypto.so.0.9.8e
> sshd 23936 root mem REG 9,1 10000 65894 /lib64/libcom_err.so.2.1
> sshd 23936 root mem REG 9,1 92736 65603 /lib64/libresolv-2.5.so
> sshd 23936 root mem REG 253,5 153624 1050086 /usr/lib64/libk5crypto.so.3.1
> sshd 23936 root mem REG 253,5 35728 1050085 /usr/lib64/libkrb5support.so.0.1
> sshd 23936 root mem REG 253,5 613896 1050087 /usr/lib64/libkrb5.so.3.3
> sshd 23936 root mem REG 253,5 190976 1050089 /usr/lib64/libgssapi_krb5.so.2.2
> sshd 23936 root mem REG 9,1 18152 65886 /lib64/libutil-2.5.so
> sshd 23936 root mem REG 9,1 23360 65880 /lib64/libdl-2.5.so
> sshd 23936 root mem REG 9,1 107112 65889 /lib64/libaudit.so.0.0.0
> sshd 23936 root mem REG 9,1 53880 65588 /lib64/libnss_files-2.5.so
> sshd 23936 root 0u CHR 1,3 1908 /dev/null
> sshd 23936 root 1u CHR 1,3 1908 /dev/null
> sshd 23936 root 2u CHR 1,3 1908 /dev/null
> sshd 23936 root 3u IPv4 3632731 TCP *:ssh (LISTEN)
==============
> lsof -p 3100
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> sshd 3100 root cwd DIR 9,1 4096 2 /
> sshd 3100 root rtd DIR 9,1 4096 2 /
> sshd 3100 root txt REG 253,6 447744 1081353 /usr/local/sbin/sshd (deleted)
> sshd 3100 root mem REG 9,1 139416 65572 /lib64/ld-2.5.so
> sshd 3100 root mem REG 9,1 1717800 65573 /lib64/libc-2.5.so
> sshd 3100 root mem REG 9,1 37368 65723 /lib64/libwrap.so.0.7.6
> sshd 3100 root mem REG 253,5 85608 1050003 /usr/lib64/libz.so.1.2.3
> sshd 3100 root mem REG 9,1 247496 65887 /lib64/libsepol.so.1
> sshd 3100 root mem REG 9,1 95464 65888 /lib64/libselinux.so.1
> sshd 3100 root mem REG 9,1 48600 65885 /lib64/libcrypt-2.5.so
> sshd 3100 root mem REG 9,1 114352 65884 /lib64/libnsl-2.5.so
> sshd 3100 root mem REG 9,1 46800 65890 /lib64/libpam.so.0.81.5
> sshd 3100 root mem REG 9,1 9472 65857 /lib64/libkeyutils-1.2.so
> sshd 3100 root mem REG 9,1 1366208 65895 /lib64/libcrypto.so.0.9.8e
> sshd 3100 root mem REG 9,1 10000 65894 /lib64/libcom_err.so.2.1
> sshd 3100 root mem REG 9,1 92736 65603 /lib64/libresolv-2.5.so
> sshd 3100 root mem REG 253,5 153624 1050086 /usr/lib64/libk5crypto.so.3.1
> sshd 3100 root mem REG 253,5 35728 1050085 /usr/lib64/libkrb5support.so.0.1
> sshd 3100 root mem REG 253,5 613896 1050087 /usr/lib64/libkrb5.so.3.3
> sshd 3100 root mem REG 253,5 190976 1050089 /usr/lib64/libgssapi_krb5.so.2.2
> sshd 3100 root mem REG 9,1 18152 65886 /lib64/libutil-2.5.so
> sshd 3100 root mem REG 9,1 23360 65880 /lib64/libdl-2.5.so
> sshd 3100 root mem REG 9,1 107112 65889 /lib64/libaudit.so.0.0.0
> sshd 3100 root mem REG 9,1 53880 65588 /lib64/libnss_files-2.5.so
> sshd 3100 root DEL REG 0,9 3642343 /dev/zero
> sshd 3100 root mem REG 9,1 23736 65586 /lib64/libnss_dns-2.5.so
> sshd 3100 root mem REG 9,1 11176 65864 /lib64/security/pam_tally.so
> sshd 3100 root mem REG 9,1 11504 65760 /lib64/security/pam_env.so
> sshd 3100 root mem REG 9,1 48824 65797 /lib64/security/pam_unix.so
> sshd 3100 root mem REG 253,5 40896 1049703 /usr/lib64/libcrack.so.2.8.0
> sshd 3100 root mem REG 9,1 12272 65790 /lib64/security/pam_succeed_if.so
> sshd 3100 root mem REG 9,1 4040 65758 /lib64/security/pam_deny.so
> sshd 3100 root mem REG 9,1 5648 65778 /lib64/security/pam_nologin.so
> sshd 3100 root mem REG 9,1 4416 65779 /lib64/security/pam_permit.so
> sshd 3100 root mem REG 9,1 12928 65756 /lib64/security/pam_cracklib.so
> sshd 3100 root mem REG 9,1 15152 65786 /lib64/security/pam_selinux.so
> sshd 3100 root mem REG 9,1 6808 65768 /lib64/security/pam_keyinit.so
> sshd 3100 root mem REG 9,1 15048 65770 /lib64/security/pam_limits.so
> sshd 3100 root mem REG 9,1 6584 65773 /lib64/security/pam_loginuid.so
> sshd 3100 root mem REG 9,1 5080 65803 /lib64/security/pam_warn.so
> sshd 3100 root DEL REG 0,9 3642362 /dev/zero
> sshd 3100 root 0u CHR 1,3 1908 /dev/null
> sshd 3100 root 1u CHR 1,3 1908 /dev/null
> sshd 3100 root 2u CHR 1,3 1908 /dev/null
> sshd 3100 root 3u IPv4 3642329 TCP FOO.DOM:ssh->68-26-27-159.pools.spcsdns.net:54719 (ESTABLISHED)
> sshd 3100 root 4u unix 0xffff8100189aa8c0 3642382 socket
> sshd 3100 root 5u CHR 5,2 778 /dev/ptmx
> sshd 3100 root 6u unix 0xffff810034004ec0 3642390 socket
==============
> lsof -p 3102
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> sshd 3102 kiblerj cwd DIR 9,1 4096 2 /
> sshd 3102 kiblerj rtd DIR 9,1 4096 2 /
> sshd 3102 kiblerj txt REG 253,6 447744 1081353 /usr/local/sbin/sshd (deleted)
> sshd 3102 kiblerj mem REG 9,1 139416 65572 /lib64/ld-2.5.so
> sshd 3102 kiblerj mem REG 9,1 1717800 65573 /lib64/libc-2.5.so
> sshd 3102 kiblerj mem REG 9,1 37368 65723 /lib64/libwrap.so.0.7.6
> sshd 3102 kiblerj mem REG 253,5 85608 1050003 /usr/lib64/libz.so.1.2.3
> sshd 3102 kiblerj mem REG 9,1 247496 65887 /lib64/libsepol.so.1
> sshd 3102 kiblerj mem REG 9,1 95464 65888 /lib64/libselinux.so.1
> sshd 3102 kiblerj mem REG 9,1 48600 65885 /lib64/libcrypt-2.5.so
> sshd 3102 kiblerj mem REG 9,1 114352 65884 /lib64/libnsl-2.5.so
> sshd 3102 kiblerj mem REG 9,1 46800 65890 /lib64/libpam.so.0.81.5
> sshd 3102 kiblerj mem REG 9,1 9472 65857 /lib64/libkeyutils-1.2.so
> sshd 3102 kiblerj mem REG 9,1 1366208 65895 /lib64/libcrypto.so.0.9.8e
> sshd 3102 kiblerj mem REG 9,1 10000 65894 /lib64/libcom_err.so.2.1
> sshd 3102 kiblerj mem REG 9,1 92736 65603 /lib64/libresolv-2.5.so
> sshd 3102 kiblerj mem REG 253,5 153624 1050086 /usr/lib64/libk5crypto.so.3.1
> sshd 3102 kiblerj mem REG 253,5 35728 1050085 /usr/lib64/libkrb5support.so.0.1
> sshd 3102 kiblerj mem REG 253,5 613896 1050087 /usr/lib64/libkrb5.so.3.3
> sshd 3102 kiblerj mem REG 253,5 190976 1050089 /usr/lib64/libgssapi_krb5.so.2.2
> sshd 3102 kiblerj mem REG 9,1 18152 65886 /lib64/libutil-2.5.so
> sshd 3102 kiblerj mem REG 9,1 23360 65880 /lib64/libdl-2.5.so
> sshd 3102 kiblerj mem REG 9,1 107112 65889 /lib64/libaudit.so.0.0.0
> sshd 3102 kiblerj mem REG 9,1 53880 65588 /lib64/libnss_files-2.5.so
> sshd 3102 kiblerj DEL REG 0,9 3642343 /dev/zero
> sshd 3102 kiblerj mem REG 9,1 23736 65586 /lib64/libnss_dns-2.5.so
> sshd 3102 kiblerj mem REG 9,1 11176 65864 /lib64/security/pam_tally.so
> sshd 3102 kiblerj mem REG 9,1 11504 65760 /lib64/security/pam_env.so
> sshd 3102 kiblerj mem REG 9,1 48824 65797 /lib64/security/pam_unix.so
> sshd 3102 kiblerj mem REG 253,5 40896 1049703 /usr/lib64/libcrack.so.2.8.0
> sshd 3102 kiblerj mem REG 9,1 12272 65790 /lib64/security/pam_succeed_if.so
> sshd 3102 kiblerj mem REG 9,1 4040 65758 /lib64/security/pam_deny.so
> sshd 3102 kiblerj mem REG 9,1 5648 65778 /lib64/security/pam_nologin.so
> sshd 3102 kiblerj mem REG 9,1 4416 65779 /lib64/security/pam_permit.so
> sshd 3102 kiblerj mem REG 9,1 12928 65756 /lib64/security/pam_cracklib.so
> sshd 3102 kiblerj mem REG 9,1 15152 65786 /lib64/security/pam_selinux.so
> sshd 3102 kiblerj mem REG 9,1 6808 65768 /lib64/security/pam_keyinit.so
> sshd 3102 kiblerj mem REG 9,1 15048 65770 /lib64/security/pam_limits.so
> sshd 3102 kiblerj mem REG 9,1 6584 65773 /lib64/security/pam_loginuid.so
> sshd 3102 kiblerj mem REG 9,1 5080 65803 /lib64/security/pam_warn.so
> sshd 3102 kiblerj DEL REG 0,9 3642362 /dev/zero
> sshd 3102 kiblerj 0u CHR 1,3 1908 /dev/null
> sshd 3102 kiblerj 1u CHR 1,3 1908 /dev/null
> sshd 3102 kiblerj 2u CHR 1,3 1908 /dev/null
> sshd 3102 kiblerj 3u IPv4 3642329 TCP FOO.DOM:ssh->68-26-27-159.pools.spcsdns.net:54719 (ESTABLISHED)
> sshd 3102 kiblerj 4u unix 0xffff8100189aa8c0 3642382 socket
> sshd 3102 kiblerj 5u unix 0xffff810034004940 3642389 socket
> sshd 3102 kiblerj 6r FIFO 0,6 3642409 pipe
> sshd 3102 kiblerj 7w FIFO 0,6 3642409 pipe
> sshd 3102 kiblerj 8u IPv4 3642410 TCP localhost.localdomain:x11-ssh-offset (LISTEN)
> sshd 3102 kiblerj 9u CHR 5,2 778 /dev/ptmx
> sshd 3102 kiblerj 11u CHR 5,2 778 /dev/ptmx
> sshd 3102 kiblerj 12u CHR 5,2 778 /dev/ptmx
==============
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt4HcoACgkQUVxQRc85QlM+BACbBjERGBltYMMaAbjOXxj9sUKe
NoMAn3a+1qMrDnuAPTV8yAV8O16H9FPL
=vRks
-----END PGP SIGNATURE-----

On 14.02.2010 18:59, Jon Kibler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> This may or may not be a bug. However, it is DEFINITELY NOT how I would
> expect and want to see sshd work!
>
> If you run lsof against sshd on a privilege separated user, it shows
> that sshd's CWD is /. I would hope that the CWD would be at a minimum
> /var/empty/sshd and I would really have thought it would be something
> along the lines of /var/empty/sshd/USER. (In fact, lsof does not show
> any references to /var/empty... which I assume means that it is only
> referenced during startup??)
>
> I also noticed that the listener sshd also has / as its CWD. I would
> have thought that it would have had ~root or /var/run as its CWD to
> prevent core files from being left in / where it may be possible for
> someone to find and pursue those files.
>
> Tech details of this issue follow signature paragraph.
>
> TIA for at least thinking about this!
>
> Jon Kibler

OpenSSH has nothing to do with that. That is a kernel feature. If some
process does chroot() while having it as a CWD, it will be shown as "/"
by lsof just because it is root directory for that process.

--
Sincerely Yours, Dan.

On Sun, 14 Feb 2010, Jon Kibler wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> This may or may not be a bug. However, it is DEFINITELY NOT how I would
> expect and want to see sshd work!
>
> If you run lsof against sshd on a privilege separated user, it shows
> that sshd's CWD is /. I would hope that the CWD would be at a minimum
> /var/empty/sshd and I would really have thought it would be something
> along the lines of /var/empty/sshd/USER. (In fact, lsof does not show
> any references to /var/empty... which I assume means that it is only
> referenced during startup??)

cwd is relative to the chroot directory. Remember what chroot does?

> I also noticed that the listener sshd also has / as its CWD. I would
> have thought that it would have had ~root or /var/run as its CWD to
> prevent core files from being left in / where it may be possible for
> someone to find and pursue those files.

chdir(/) is the normal behaviour of daemon programs. If your system
writes .core files with world-readable permissions then you have bigger
problems.

-d