Hi,

I'm not sure how interested anybody here is in this, but I've been working lately on getting rid of the horror that is SunSSH for some distros of Illumos (mostly SmartOS). One of the patches we're carrying around at the moment is one that simply drops fine-grained privileges in sshd, ssh-agent and sftp-server. Since the privilege dropping here is roughly equivalent to a more verbose, coarser version of a tame() call, I was wondering if there might be any interest in taking it into openssh-portable in future.

Patch is attached. I've made sure all the code is behind #ifdef USE_SOLARIS_PRIVS and added some code in configure.ac to turn this macro on and off. It also has a related fix which turns off the UID restoration test when building --with-solaris-privs (since the fine-grained privs model lets you create an ordinary user who can setuid to root, and sshd should still let such a user log in if they're allowed to by the system).

Any feedback or comments would be appreciated, of course, even if this isn't suitable for integration into -portable.

Thanks!
Darren Tucker
2015-Nov-13 02:24 UTC
[PATCH] Drop fine-grained privileges on Illumos/Solaris
On Fri, Nov 13, 2015 at 12:00 PM, Alex Wilson <alex at cooperi.net> wrote:
> I'm not sure how interested anybody here is in this, but I've been
> working lately on getting rid of the horror that is SunSSH for some
> distros of Illumos (mostly SmartOS).

As long as someone is willing to do the work and help with tests (which it sounds like you are), and the support doesn't compromise other platforms or make maintenance significantly harder, then I have no objections to it going in.

> One of the patches we're carrying
> around at the moment is one that simply drops fine-grained privileges in
> sshd, ssh-agent and sftp-server. Since the privilege dropping here is
> roughly equivalent to a more verbose, coarser version of a tame() call,
> I was wondering if there might be any interest in taking it into
> openssh-portable in future.

The code itself looks quite reasonable. Placing it inline in the main source files is problematic since it makes maintenance of those files harder, but it should fit nicely in openbsd-compat/port-solaris.c.

The similarities to tame (now renamed "pledge" in OpenBSD) are potentially useful, as we may be able to put pledge calls into the mainline code then use that to hook into the code you wrote.

The other place these look like they'd be useful is in the pre-auth privsep sandbox, so you may want to look at one of the example sandbox-*.c files.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On 11/12/15 6:24 PM, Darren Tucker wrote:
>
> As long as someone is willing to do the work and help with tests
> (which it sounds like you are), the support doesn't compromise other
> platforms or make maintenance significantly harder then I have no
> objections to it going in.

Sounds good to me. We're already running with this patch in (pre-)production, and I'm definitely happy to help out with any additional testing needed.

>
> The code itself looks quite reasonable. Placing it inline in the main
> source files is problematic since it makes maintenance of those files
> harder, but it it should fit nicely in openbsd-compat/port-solaris.c.
> ...
> The other place these look like the'd be useful is in the pre-auth
> privsep sandbox...
>

OK, please find attached a revised version. I've moved all of the pre-auth privsep bits into a new sandbox-solaris.c, and for the ssh-agent and sftp-server I've created the platform_drop_agent_privs() and platform_drop_sftp_server_privs() hooks which, if USE_SOLARIS_PRIVS is enabled, then call out to the code that's now in openbsd-compat/port-solaris.c.

Does this look a bit better?

The biggest annoyance I had is that now ssh-agent and sftp-server have to link against platform.o, and the easiest way to organise that seemed to be to add it to libssh.a. So now all the cmdline tools also link against libcontract and libproject, instead of just the daemon.

Using a platform_* function seems like a nicer interface than just calling a port-solaris function inside an #ifdef in each of them, though -- you can just add some code now in platform.c that uses pledge() instead, for example. So maybe it's fine to have a bit of extra link bloat.
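The attached patch is not reproduced on this page, so here is an added illustration (not the patch from the thread, nor OpenSSH's own code) of the hook layout the second message describes: a platform_* entry point that ssh-agent and sftp-server can call unconditionally, with the Solaris fine-grained privilege code compiled only under USE_SOLARIS_PRIVS and a no-op on other builds. The exact privilege set removed, the `allow_fork_exec` parameter, the `enum privs_result` return convention and the assumption that the hook runs after the process has finished any forking it needs are all choices made for this example. On a non-Solaris build only the fallback branch is compiled.

```c
/* Added example of a platform_* privilege-dropping hook, not OpenSSH's
 * own code. The Solaris branch uses the libc privilege API (priv.h);
 * everything else is a no-op so the callers stay free of #ifdefs. */
#include <stdio.h>
#include <stdlib.h>

#ifdef USE_SOLARIS_PRIVS
#include <priv.h>
#endif

/* Result codes so a caller can tell which path ran and act on failure. */
enum privs_result {
    PRIVS_NOOP = 0,      /* this build has no fine-grained privilege support */
    PRIVS_DROPPED = 1,   /* setppriv() succeeded */
    PRIVS_FAILED = -1    /* a privilege call failed; the caller should exit */
};

#ifdef USE_SOLARIS_PRIVS
/* Shrink the process to the basic set minus privileges an agent or an
 * sftp-server never needs (an assumed set; a real port would tune it).
 * PERMITTED, LIMIT and INHERITABLE are all reduced so the reduction
 * survives exec and cannot be regained later. Removing a privilege from
 * the permitted set also removes it from the effective set. */
static enum privs_result
solaris_drop_privs(int allow_fork_exec)
{
    priv_set_t *pset = priv_allocset();

    if (pset == NULL)
        return PRIVS_FAILED;
    priv_basicset(pset);
    (void)priv_delset(pset, PRIV_FILE_LINK_ANY);
    (void)priv_delset(pset, PRIV_PROC_INFO);
    (void)priv_delset(pset, PRIV_PROC_SESSION);
    if (!allow_fork_exec) {
        (void)priv_delset(pset, PRIV_PROC_FORK);
        (void)priv_delset(pset, PRIV_PROC_EXEC);
    }
    if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
        setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
        setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0) {
        priv_freeset(pset);
        return PRIVS_FAILED;
    }
    priv_freeset(pset);
    return PRIVS_DROPPED;
}
#endif /* USE_SOLARIS_PRIVS */

/* Hook for ssh-agent: assumed to run after the agent has daemonised,
 * so fork and exec are no longer needed. */
enum privs_result
platform_drop_agent_privs(void)
{
#ifdef USE_SOLARIS_PRIVS
    return solaris_drop_privs(0);
#else
    return PRIVS_NOOP;
#endif
}

/* Hook for sftp-server, which serves one connection and never execs. */
enum privs_result
platform_drop_sftp_server_privs(void)
{
#ifdef USE_SOLARIS_PRIVS
    return solaris_drop_privs(0);
#else
    return PRIVS_NOOP;
#endif
}

int
main(void)
{
    enum privs_result r = platform_drop_agent_privs();

    if (r == PRIVS_FAILED) {
        fprintf(stderr, "could not drop privileges\n");
        return 1;
    }
    printf("agent privilege hook: %s\n",
        r == PRIVS_DROPPED ? "dropped" : "no-op on this platform");
    return 0;
}
```

A caller that gets PRIVS_FAILED should exit rather than continue, since the process would otherwise keep privileges it was meant to give up; a no-op result on a build without USE_SOLARIS_PRIVS is the expected outcome and is what lets the same call sit unconditionally in ssh-agent and sftp-server.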