Dear knowledgeable people,

I'm running sshd 6.6.1p1 on RHEL 7.1. I've got a security requirement to run it as an ordinary user, let's say test-x, instead of root. It works well if I try to log in as test-x user with public key auth. Unfortunately I need sshd to serve other users as well.

In order to let sshd switch uids I've set the CAP_SETUID and CAP_SETGID capabilities on the sshd binary. But it didn't work out, when I try to log in as another user, say test-y, sshd says:

    Failed to set uids to 1009.

Disabling privsep didn't help. From strace I didn't even see any attempt to setuid() to test-y, so I think (but haven't verified) that when running as non-root, sshd doesn't even try to change uids.

My question is, do you think such a use case (running multiuser sshd as non-root) is possible theoretically, or can it be implemented with a small patch?

(Let's not discuss whether the use case makes sense, the requirement for me is a given.)

--
How I need a drink, alcoholic in nature, after the tough chapters involving quantum mechanics!

On Mon, 5 Aug 2019 at 20:26, Adam Endrodi <endrodi at nokia.com> wrote:
[...]
> My question is, do you think such a use case (running multiuser sshd as
> non-root) is possible theoretically, or can it be implemented with a
> small patch?

I suspect it will not work out of the box, because there are a number of checks of the form (this one is from uidswap.c):

    if (geteuid() != 0) {
        privileged = 0;
        return;
    }

I also suspect it could be made to work with a relatively small set of changes. For a proof of concept I'd suggest you try changing all of the instances of "privileged = 0" to "privileged = 1" in uidswap.c (this would not be suitable for real use, though).

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

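
Added example, not part of any message in this thread and not OpenSSH code: a geteuid() != 0 test of the kind quoted above cannot see capabilities, so it answers "not privileged" for any non-root process whatever CAP_SETUID and CAP_SETGID say. This Linux-only C program puts that test next to a capability-based one built on the raw capget system call; the function names mask_has_cap and can_switch_ids are hypothetical.

```c
/* Added illustration, not OpenSSH code. Linux only, no libcap needed. */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Test one capability bit in the two 32-bit words capget() fills in. */
static int mask_has_cap(unsigned int lo, unsigned int hi, int cap)
{
    unsigned int word = (cap < 32) ? lo : hi;
    return (int)((word >> (cap % 32)) & 1u);
}

/*
 * Returns 1 if the calling process holds both CAP_SETUID and CAP_SETGID
 * in its effective set, 0 if it does not, and -1 if the capability sets
 * could not be read.
 */
static int can_switch_ids(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];   /* v3 uses two 32-bit words */

    memset(&hdr, 0, sizeof(hdr));
    memset(data, 0, sizeof(data));
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                             /* 0 = calling process */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return mask_has_cap(data[0].effective, data[1].effective, CAP_SETUID) &&
           mask_has_cap(data[0].effective, data[1].effective, CAP_SETGID);
}

int main(void)
{
    int uid_check = (geteuid() == 0);   /* the UID-0 style of test */
    int cap_check = can_switch_ids();   /* the capability-based test */

    printf("euid=%ld  euid==0: %d  CAP_SETUID+CAP_SETGID effective: %d\n",
           (long)geteuid(), uid_check, cap_check);
    return cap_check < 0;
}
```

Run as an ordinary user from a binary that has been given the two file capabilities, the first value is 0 while the second is 1, which is the mismatch described in the thread.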
On Aug 5 22:15, Darren Tucker wrote:
> On Mon, 5 Aug 2019 at 20:26, Adam Endrodi <endrodi at nokia.com> wrote:
> [...]
> > My question is, do you think such a use case (running multiuser sshd as
> > non-root) is possible theoretically, or can it be implemented with a
> > small patch?
>
> I suspect it will not work out of the box, because there are a number
> of checks of the form (this one is from uidswap.c):
>
>     if (geteuid() != 0) {
>         privileged = 0;
>         return;
>     }
>
> I also suspect it could be made to work with a relatively small set of
> changes. For a proof of concept I'd suggest you try changing all of
> the instances of "privileged = 0" to "privileged = 1" in uidswap.c
> (this would not be suitable for real use, though).

Some of the Cygwin-specific code in OpenSSH allows running sshd as a privileged user with non-0 UID. Maybe those can help as well in that scenario.

Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat