Luke Kenneth Casson Leighton
2004-May-30 09:23 UTC
Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664
dear openssh developers,

i was wondering if you were aware of some patches for security enhancements to openssh - to support SE/Linux. www.nsa.gov/selinux.

i am at present compiling a status report for debian/selinux. could someone be kind enough to provide me with some information that i can put on my report?

sincerely,

l.
Damien Miller
2004-May-30 09:43 UTC
Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664
Luke Kenneth Casson Leighton wrote:

> dear openssh developers,
>
> i was wondering if you were aware of some patches for security
> enhancements to openssh - to support SE/Linux.

I eventually found a patch at:

http://www.nsa.gov/selinux/patches/openssh-selinux.patch.gz
(from http://www.nsa.gov/selinux/code/download5.cfm)

but it doesn't seem to do much at all - the only code change is the marking of an ssh-agent fd to be close-on-exec.

Is this the patch that you are referring to?

-d
Damien Miller
2004-May-30 11:48 UTC
Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664
Luke Kenneth Casson Leighton wrote:

> On Sun, May 30, 2004 at 07:43:52PM +1000, Damien Miller wrote:
>> but it doesn't seem to do much at all - the only code change is the
>> marking of a ssh-agent fd to be close-on-exec.
>
> that, and the inclusion of pam_selinux.so as a required session
> plugin, and the setting of a security context on the DSA and
> RSA keys in sshd initialisation (a redhat rpm thing?)

I think we should leave these changes for the vendors of SELinux-enabled distributions. We want the current files to work for everyone. The files in contrib/redhat get synced from time to time, so they will pick up changes in their distribution (eventually).

>> Is this the patch that you are referring to?
>
> yes it is.
>
> the ssh-agent fd close-on-exec is actually a really important
> security bug because otherwise you end up with an open file
> descriptor being passed over to a process that should have no
> rights or use for it.

The FD in question is to /dev/null and closed anyway if it isn't dup'd to one of std{in,out,err}, so I can't see how this achieves anything.

> SE/Linux is really cool in that respect: the audit process
> logged that this file handle was being passed over to a child
> process, and the policy for ssh-agent said that that wasn't
> allowed.
>
> cool, huh? :)

Not in this case, no :)

> [apparently, PAM has a similar bug in /sbin/unix_verify:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248310
>
> but the debian maintainer for pam is being a bit of an idiot
> and won't look at it. sorry, mr hartmans, but it's bypass time,
> and your comments _are_ a matter of public record, after all]

Please don't drag SELinux fights onto our list, we have enough of our own.

-d
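The mechanism the two of them are arguing over, as an added C example that is not from the thread or from OpenSSH: it marks a /dev/null descriptor close-on-exec with fcntl() as the patch does, checks from a child whether the descriptor survives exec, and then shows Damien's caveat, that a dup2() copy of the descriptor (onto a standard fd, in sshd's case) does not carry FD_CLOEXEC and is inherited. It assumes /bin/sh exists; the child shell is only a probe, and descriptor number 9 is an arbitrary choice.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open /dev/null and mark the descriptor close-on-exec, the one code
 * change the SELinux patch makes for the ssh-agent descriptor. */
int open_devnull_cloexec(void) {
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0) return -1;
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is not open. */
int has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : ((flags & FD_CLOEXEC) ? 1 : 0);
}
/* Fork and exec /bin/sh, which tries to redirect onto descriptor fd.
 * Returns 1 if the child could use it (it leaked across exec),
 * 0 if exec closed it, -1 on error. */
int fd_survives_exec(int fd) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
    int fd = open_devnull_cloexec();
    printf("cloexec fd %d survives exec: %d\n", fd, fd_survives_exec(fd));
    /* Damien's caveat: dup2() onto another number (a std fd, in sshd's
     * case) gives a copy without FD_CLOEXEC, and exec does pass it on. */
    int copy = dup2(fd, 9);
    printf("copy %d: cloexec=%d survives exec=%d\n", copy,
           has_cloexec(copy), fd_survives_exec(copy));
    return 0;
}
```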