bugzilla-daemon at bugzilla.mindrot.org
2009-Mar-19 07:22 UTC
[Bug 1575] New: OpenSSH 5.2p1 failure using ChrootDirectory option on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1575

           Summary: OpenSSH 5.2p1 failure using ChrootDirectory option on AIX
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: cartmanltd at hotmail.com
                CC: cartmanltd at hotmail.com

I have been experimenting with the ChrootDirectory feature on OpenSSH 5.2p1 running on AIX 5.3, but have encountered repeated failures

chroot("/restrict/home"): Operation not permitted.

Debugging the sshd process, it is the "chroot()" subroutine failing with error EPERM "Operation not permitted" because the process no longer has root user authority.

Under AIX, the manual pages for the "chroot()" subroutine say "The calling process must have root user authority in order to change the effective root directory."

I believe the problematic code is located in the "session.c" module within function "do_setusercontext()". In this function, the "setpcred()" subroutine is called to change the user/group privileges from the root user to that of the ssh user. This is later followed by "safely_chroot()" (which invokes "chroot()"). Unfortunately the order of these calls won't work for non-root users on AIX. To make it work, the "safely_chroot()" must be called before "setpcred()".

Solaris has a similar restriction for "chroot()", viz: "The {PRIV_PROC_CHROOT} privilege is not asserted in the effective set of the calling process."

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
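The call ordering discussed in the report above, as an added example that is not part of the original thread and is not OpenSSH's code: chroot() runs while the process still has root authority, and the credential drop follows. The helper name `confine_and_drop`, the step enum, and the default directory and ids in `main` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes chroot() and setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Step at which confinement failed; CONFINE_OK means every step succeeded. */
enum confine_step { CONFINE_OK = 0, STEP_CHROOT, STEP_CHDIR, STEP_GROUPS,
                    STEP_GID, STEP_UID, STEP_VERIFY };

/* Hypothetical helper: enter the chroot while still privileged, then drop
 * to the target user. errno is left set by the failing call. */
enum confine_step confine_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    /* 1. chroot() needs root authority, so it must precede the drop. */
    if (chroot(dir) == -1)
        return STEP_CHROOT;
    /* 2. Move the working directory inside the new root. */
    if (chdir("/") == -1)
        return STEP_CHDIR;
    /* 3. Drop groups, then gid, then uid (uid last: the earlier calls
     *    themselves need privilege). */
    if (setgroups(1, &gid) == -1)
        return STEP_GROUPS;
    if (setgid(gid) == -1)
        return STEP_GID;
    if (setuid(uid) == -1)
        return STEP_UID;
    /* 4. Confirm the drop is permanent: regaining root must fail. */
    if (uid != 0 && setuid(0) != -1)
        return STEP_VERIFY;
    return CONFINE_OK;
}

int main(int argc, char **argv)
{
    /* Constructed defaults: the directory and ids are placeholders. */
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    enum confine_step s = confine_and_drop(dir, 65534, 65534);
    if (s != CONFINE_OK)
        fprintf(stderr, "failed at step %d: %s\n", (int)s, strerror(errno));
    return s == CONFINE_OK ? 0 : 1;
}
```

Run as an unprivileged user against an existing directory, this stops at step 1 with EPERM, the same error the report shows; swapping steps 1 and 3 reproduces that failure even when started as root.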
bugzilla-daemon at bugzilla.mindrot.org
2009-Mar-20 05:22 UTC
[Bug 1575] OpenSSH 5.2p1 failure using ChrootDirectory option on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1575

--- Comment #1 from Kieron Curtis <cartmanltd at hotmail.com> 2009-03-20 16:22:27 ---

This is also related to [Bug 1567] New: Insufficient privileges to chroot() on AIX.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-12 12:35 UTC
[Bug 1575] OpenSSH 5.2p1 failure using ChrootDirectory option on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1575

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE
                 CC|                            |dtucker at zip.com.au

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2009-07-12 22:35:56 ---

*** This bug has been marked as a duplicate of bug 1567 ***
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 04:03 UTC
[Bug 1575] OpenSSH 5.2p1 failure using ChrootDirectory option on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1575

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> 2009-10-06 15:03:18 EST ---

Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.