bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-21 21:16 UTC
[Bug 1893] New: change ssh-keisign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893
Summary: change ssh-keisign to setgid from setuid
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: jchadima at redhat.com
The setgid programs are potentially less dangerous than setuid ones.
The only setuid program in the openssh suite is ssh-keysign. It needs to
access private server keys.
The solution is to create one dedicated group (ssh_keys).
The keys then should be rw-r----- root:ssh_keys
The ssh-keysign should be setgid ssh_keys
And finally authfile.c should be patched to accept such keys.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
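The layout proposed in this report (host keys rw-r----- root:ssh_keys, ssh-keysign setgid rather than setuid) can be audited with a small script. The helper below is an added example, not code from the bug, its attachment, or OpenSSH; it assumes GNU stat(1), and the group name and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added audit helper (not part of the bug report or of OpenSSH).
# Verifies the layout the report proposes: host private keys mode 0640
# (rw-r-----) owned by root and a dedicated group, and a keysign binary
# that carries the setgid bit but not the setuid bit.
# Assumes GNU stat(1). Group name and paths below are assumptions.

# check_host_key PATH OWNER GROUP
# Prints "ok" or the first problem found; exit status 0 only when the
# owner, group and mode all match what the report asks for.
check_host_key() {
    key=$1 want_owner=$2 want_group=$3
    if [ ! -f "$key" ]; then
        echo "missing: $key"; return 1
    fi
    set -- $(stat -c '%a %U %G' "$key")   # octal mode, owner, group
    mode=$1 owner=$2 group=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "owner $owner, expected $want_owner"; return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "group $group, expected $want_group"; return 1
    fi
    if [ "$mode" != "640" ]; then
        echo "mode $mode, expected 640 (rw-r-----)"; return 1
    fi
    echo ok
}

# check_keysign_bits PATH
# Exit status 0 only when the binary is setgid and not setuid; a setuid
# bit means the proposal was not applied (or was reverted by an update).
check_keysign_bits() {
    bin=$1
    if [ ! -f "$bin" ]; then echo "missing: $bin"; return 1; fi
    if [ -u "$bin" ]; then echo "$bin is setuid"; return 1; fi
    if [ ! -g "$bin" ]; then echo "$bin is not setgid"; return 1; fi
    echo "ok: $bin is setgid $(stat -c '%G' "$bin")"
}

# Usage on a real host (paths are the customary ones, still an assumption):
#   for k in /etc/ssh/ssh_host_*_key; do check_host_key "$k" root ssh_keys; done
#   check_keysign_bits /usr/libexec/openssh/ssh-keysign
```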
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-21 21:17 UTC
[Bug 1893] change ssh-keisign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893
--- Comment #1 from jchadima at redhat.com 2011-04-22 07:17:21 EST ---
Created attachment 2035
--> https://bugzilla.mindrot.org/attachment.cgi?id=2035
patch solving the problem
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-21 22:20 UTC
[Bug 1893] change ssh-keisign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893
Jim Knoble <jmknoble at pobox.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jmknoble at pobox.com
--- Comment #2 from Jim Knoble <jmknoble at pobox.com> 2011-04-22 08:20:51 EST ---
So how is this supposed to work in practice? Change everyone's home
directory to be mode 0710 group ssh_keys?
Why is the "ssh_keys" group hard-coded in authfile.c?
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-22 04:49 UTC
[Bug 1893] change ssh-keisign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893
jchadima at redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jchadima at redhat.com
--- Comment #3 from jchadima at redhat.com 2011-04-22 14:49:49 EST ---
No, home directories do not need to change.
The only change is on the server private keys.
The hard-coded server keys are for security reasons.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-03 00:41 UTC
[Bug 1893] change ssh-keysign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Summary|change ssh-keisign to |change ssh-keysign to
|setgid from setuid |setgid from setuid
Status|NEW |RESOLVED
Resolution| |WONTFIX
--- Comment #4 from Damien Miller <djm at mindrot.org> 2011-06-03 10:41:24 EST ---
I don't think there is much point to getting rid of the setuid bit on
ssh-keysign. There are only 12 lines of code executed before dropping
privileges and these are clearly quite safe.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:33 UTC
[Bug 1893] change ssh-keysign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Damien Miller <djm at mindrot.org> 2011-09-06 15:33:02 EST ---
close resolved bugs now that openssh-5.9 has been released
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-25 05:31 UTC
[Bug 1893] change ssh-keysign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893
Jan F. Chadima <jfch at jagda.eu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jfch at jagda.eu
bugzilla-daemon at bugzilla.mindrot.org
2012-May-28 19:18 UTC
[Bug 1893] change ssh-keysign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893
Edward Z. Yang <ezyang at mit.edu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ezyang at mit.edu
--- Comment #6 from Edward Z. Yang <ezyang at mit.edu> 2012-05-29 05:18:25 EST ---
I am confused why this bug is closed WONTFIX, as the ssh_keys group
appears to have made its way into recent Fedora.