It was suggested to me that I forward this message to you.
----------  Forwarded Message  ----------
Subject: privsep in ssh
Date: Fri, 19 Sep 2003 12:22
From: Russell Coker <russell at coker.com.au>
To: SE Linux <selinux at tycho.nsa.gov>
Cc: Colin Watson <cjwatson at debian.org>
#ifdef DISABLE_FD_PASSING
        if (1) {
#else
        if (authctxt->pw->pw_uid == 0 || options.use_login) {
#endif
                /* File descriptor passing is broken or root login */
                monitor_apply_keystate(pmonitor);
                use_privsep = 0;
                return;
        }
When browsing the ssh source I noticed the above in sshd.c.  It appears from
a casual inspection that we should change this and remove the check for
pw_uid == 0.  Logging in as root in SE Linux does not mean that we have full
administrative privs, so I think that we should have privsep enabled all the
time.
I have compiled a sshd with privsep for root logins and it seems to work
fine.
I have attached the patch against ssh 3.6.1p2, I expect that the same thing
would be necessary in 3.7.1 and the same patch probably applies (but I
haven't checked).
I believe that this patch is worthy of inclusion in the standard distribution
of ssh.  The only drawback is that it uses a small amount of extra CPU power
for root logins, and on systems such as SE Linux it provides security
benefits.
Anyone who wants to use the SE Linux PAM module for sshd probably wants this.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 381 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030922/c1a58cda/attachment.bin
> #ifdef DISABLE_FD_PASSING
> if (1) {
> #else
> if (authctxt->pw->pw_uid == 0 || options.use_login) {
> #endif

I think we should change this test to something like:

if (!ALWAYS_POSTAUTH_PRIVSEP &&
    (authctxt->pw->pw_uid == 0 || options.use_login ||
    NEVER_POSTAUTH_PRIVSEP)) {

Then we can set NEVER_POSTAUTH_PRIVSEP and ALWAYS_POSTAUTH_PRIVSEP (to 1)
in autoconf as appropriate.

Comments?

-d
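Added example, not code from this thread or from OpenSSH: a small C model of the original sshd.c test next to the proposed one, with the configure knobs passed as parameters so every combination can be exercised in one binary. The function names are hypothetical, and the macro defaults at the top are an assumption about how configure would need to wire the knobs, since a macro left undefined does not compile inside a plain if() the way it does inside #if.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Assumed defaults: configure would define each knob to 0 or 1.  Without a
 * default, a build that sets neither fails to compile, because the proposed
 * test uses the macros as C expressions rather than in an #if. */
#ifndef ALWAYS_POSTAUTH_PRIVSEP
#define ALWAYS_POSTAUTH_PRIVSEP 0
#endif
#ifndef NEVER_POSTAUTH_PRIVSEP
#define NEVER_POSTAUTH_PRIVSEP 0
#endif

/* Original sshd.c test.  Returns true when post-auth privsep is switched
 * off: always when FD passing is disabled, else for root or use_login. */
bool original_drops_privsep(uid_t uid, bool use_login, bool disable_fd_passing)
{
    if (disable_fd_passing)
        return true;                     /* #ifdef DISABLE_FD_PASSING: if (1) */
    return uid == 0 || use_login;
}

/* Proposed test, with the two configure knobs as parameters. */
bool proposed_drops_privsep(uid_t uid, bool use_login, bool always, bool never)
{
    return !always && (uid == 0 || use_login || never);
}

/* What this particular build decides, using the macros as compiled in. */
bool build_drops_privsep(uid_t uid, bool use_login)
{
    return proposed_drops_privsep(uid, use_login,
                                  ALWAYS_POSTAUTH_PRIVSEP, NEVER_POSTAUTH_PRIVSEP);
}

int main(void)
{
    const uid_t uids[] = { 0, 1000 };
    printf("uid   original  always=1  never=1   this-build\n");
    for (int i = 0; i < 2; i++) {
        uid_t u = uids[i];
        printf("%-5u %-9s %-9s %-9s %s\n", (unsigned)u,
               original_drops_privsep(u, false, false) ? "drop" : "keep",
               proposed_drops_privsep(u, false, true, false) ? "drop" : "keep",
               proposed_drops_privsep(u, false, false, true) ? "drop" : "keep",
               build_drops_privsep(u, false) ? "drop" : "keep");
    }
    return 0;
}
```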
On Mon, 22 Sep 2003, Russell Coker wrote:

> On Mon, 22 Sep 2003 15:44, Damien Miller wrote:
> > > #ifdef DISABLE_FD_PASSING
> > > if (1) {
> > > #else
> > > if (authctxt->pw->pw_uid == 0 || options.use_login) {
> > > #endif
> >
> > I think we should change this test to something like:
> >
> > if (!ALWAYS_POSTAUTH_PRIVSEP &&
> >     (authctxt->pw->pw_uid == 0 || options.use_login ||
> >     NEVER_POSTAUTH_PRIVSEP)) {
> >
> > Then we can set NEVER_POSTAUTH_PRIVSEP and ALWAYS_POSTAUTH_PRIVSEP (to 1)
> > in autoconf as appropriate.
> >
> > Comments?
>
> Sounds reasonable to me.

How can we unambiguously identify SELinux at ./configure time? Does it
return a different platform string?

-d
On Mon, 22 Sep 2003 15:44, Damien Miller wrote:
> > #ifdef DISABLE_FD_PASSING
> > if (1) {
> > #else
> > if (authctxt->pw->pw_uid == 0 || options.use_login) {
> > #endif
>
> I think we should change this test to something like:
>
> if (!ALWAYS_POSTAUTH_PRIVSEP &&
>     (authctxt->pw->pw_uid == 0 || options.use_login ||
>     NEVER_POSTAUTH_PRIVSEP)) {
>
> Then we can set NEVER_POSTAUTH_PRIVSEP and ALWAYS_POSTAUTH_PRIVSEP (to 1)
> in autoconf as appropriate.
>
> Comments?

Sounds reasonable to me.