openssh unix dev - Oct 2016 - Support Capabilities for ssh client port forwarding

Hello.

I think openssh-client should allow use port forwarding not only for 
root user.
CAP_NET_BIND_SERVICE enought to use privileged ports.

I do patch for myself, but I think, that you could improve it and apply 
to master.

--- openssh-7.3p1.orig/readconf.c
+++ openssh-7.3p1/readconf.c
@@ -15,6 +15,7 @@
  #include "includes.h"

  #include <sys/types.h>
+#include <sys/capability.h>
  #include <sys/stat.h>
  #include <sys/socket.h>
  #include <sys/wait.h>
@@ -327,7 +328,16 @@ add_local_forward(Options *options, cons
  	extern uid_t original_real_uid;
  	int i;

+	cap_flag_value_t cap_flag_value_e, cap_flag_value_p;
+	cap_t caps;
+
+	caps = cap_get_proc();
+	cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE, 
&cap_flag_value_e);
+	cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED, 
&cap_flag_value_p);
+
  	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid
!= 0 &&
+			(cap_flag_value_e != CAP_SET || cap_flag_value_p != CAP_SET) &&
  	    newfwd->listen_path == NULL)
  		fatal("Privileged ports can only be forwarded by root.");
  	/* Don't add duplicates */
--- openssh-7.3p1.orig/configure.ac
+++ openssh-7.3p1/configure.ac
@@ -775,6 +775,9 @@ main() { if (NSVersionOfRunTimeLibrary("
  	use_pie=auto
  	check_for_libcrypt_later=1
  	check_for_openpty_ctty_bug=1
+	# libcap
+	# use capabilities
+	LIBS="$LIBS -lcap"
  	AC_DEFINE([PAM_TTY_KLUDGE], [1],
  		[Work around problematic Linux PAM modules handling of PAM_TTY])
  	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],


And specify one more build dependencie: libcap-dev.

Regards,
Alexey Mochkin.

Hi,

Could you please file a bug at https://bugzilla.mindrot.org and attach
this? That will make sure it doesn't get lost.

-d

On Mon, 10 Oct 2016, Alexey wrote:
> Hello.
> 
> I think openssh-client should allow use port forwarding not only for root
> user.
> CAP_NET_BIND_SERVICE enought to use privileged ports.
> 
> I do patch for myself, but I think, that you could improve it and apply to
> master.
> 
> --- openssh-7.3p1.orig/readconf.c
> +++ openssh-7.3p1/readconf.c
> @@ -15,6 +15,7 @@
>  #include "includes.h"
> 
>  #include <sys/types.h>
> +#include <sys/capability.h>
>  #include <sys/stat.h>
>  #include <sys/socket.h>
>  #include <sys/wait.h>
> @@ -327,7 +328,16 @@ add_local_forward(Options *options, cons
>  	extern uid_t original_real_uid;
>  	int i;
> 
> +	cap_flag_value_t cap_flag_value_e, cap_flag_value_p;
> +	cap_t caps;
> +
> +	caps = cap_get_proc();
> +	cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE,
> &cap_flag_value_e);
> +	cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED,
> &cap_flag_value_p);
> +
>  	if (newfwd->listen_port < IPPORT_RESERVED &&
original_real_uid != 0 &&
> +			(cap_flag_value_e != CAP_SET || cap_flag_value_p !> CAP_SET)
&&
>  	    newfwd->listen_path == NULL)
>  		fatal("Privileged ports can only be forwarded by root.");
>  	/* Don't add duplicates */
> --- openssh-7.3p1.orig/configure.ac
> +++ openssh-7.3p1/configure.ac
> @@ -775,6 +775,9 @@ main() { if (NSVersionOfRunTimeLibrary("
>  	use_pie=auto
>  	check_for_libcrypt_later=1
>  	check_for_openpty_ctty_bug=1
> +	# libcap
> +	# use capabilities
> +	LIBS="$LIBS -lcap"
>  	AC_DEFINE([PAM_TTY_KLUDGE], [1],
>  		[Work around problematic Linux PAM modules handling of
> PAM_TTY])
>  	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
> 
> 
> And specify one more build dependencie: libcap-dev.
> 
> Regards,
> Alexey Mochkin.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>