On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vinschen at redhat.com> wrote:
[...]
> Hmm. If that only affects Cygwin, and if defines.h is not synced anyway,
> what about getting rid of the configure stuff entirely?
>
> Tested counterproposal:

Looks reasonable. It's late here so I'm going to look at it tomorrow.

> As for the comment preceding the definition, I didn't change it from
> your text in my proposal. However.
>
> I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in
> terms of the implementation of bindresvport_sa and rcmd. It's not just
> backward compatibility. There are also applications out there which
> still expect this value to make sense.

Fair point.

> The *real* problem here is that OpenSSH checks for uid 0 before allowing
> to bind a socket to a port < IPPORT_RESERVED, rather than letting the OS
> decide if the current user is allowed to bind that port.
> From my POV this check in OpenSSH is gratuitous and it's the real reason
> we have this problem at all.

In the case of sshd running with privsep off, the process doing the
binding is still running as root and I suspect those checks date back
to when it was always running as root. It could probably
temporarily_use_uid() though.

Thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Jul 22 23:32, Darren Tucker wrote:
> On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vinschen at redhat.com> wrote:
> [...]
> > Hmm. If that only affects Cygwin, and if defines.h is not synced anyway,
> > what about getting rid of the configure stuff entirely?
> >
> > Tested counterproposal:
>
> Looks reasonable. It's late here so I'm going to look at it tomorrow.

Thank you.

> > As for the comment preceding the definition, I didn't change it from
> > your text in my proposal. However.
> >
> > I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in
> > terms of the implementation of bindresvport_sa and rcmd. It's not just
> > backward compatibility. There are also applications out there which
> > still expect this value to make sense.
>
> Fair point.
>
> > The *real* problem here is that OpenSSH checks for uid 0 before allowing
> > to bind a socket to a port < IPPORT_RESERVED, rather than letting the OS
> > decide if the current user is allowed to bind that port.
> > From my POV this check in OpenSSH is gratuitous and it's the real reason
> > we have this problem at all.
>
> In the case of sshd running with privsep off, the process doing the
> binding is still running as root and I suspect those checks date back
> to when it was always running as root. It could probably
> temporarily_use_uid() though.

I think this is a very good idea. As has been discussed more than once
on this list, Cygwin^WWindows isn't the only OS allowing more than a
single administrative account. Alternatively the system supports
fine-grained account-based permissions or per-executable capabilities.
For example, think raw sockets and ping/ping6.

You don't have to be admin to open a raw socket if the OS supports
capabilities, nor does the application have to be a setuid application,
as on Linux:

  $ ls -l /usr/bin/ping
  -rwxr-xr-x 1 root root 44752 Nov 19  2015 /usr/bin/ping
  $ getcap /usr/bin/ping
  ping = cap_net_admin,cap_net_raw+ep

Checking for uid 0 only makes limited sense, and only on very
traditional UNIX systems.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
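Corinna's point above, that the OS rather than a uid == 0 test should decide whether a process may bind a port below IPPORT_RESERVED, as an added C example that is not part of this thread or of OpenSSH: the uid heuristic beside a probe that simply attempts the bind on loopback and reports the kernel's verdict. All function names are my own, and the probe treats any bind failure (including EADDRINUSE) as a refusal.

```c
/* Added example, not OpenSSH code: the "uid 0 may bind a reserved port"
 * heuristic beside simply asking the kernel whether the bind is allowed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* Port 0 asks the kernel for an ephemeral port, so it is never "reserved". */
int is_reserved_port(unsigned short port)
{
    return port != 0 && port < IPPORT_RESERVED;
}

/* The heuristic the thread criticises: only uid 0 may bind below
 * IPPORT_RESERVED. Wrong where capabilities or several admin accounts exist. */
int uid_may_bind_reserved(void)
{
    return getuid() == 0;
}

/* Let the OS decide: attempt the bind on loopback. Returns 0 if the kernel
 * allowed it, else the errno from socket()/bind(). EACCES or EPERM means this
 * credential set may not use the port (on Linux: no CAP_NET_BIND_SERVICE). */
int os_bind_result(unsigned short port)
{
    struct sockaddr_in sin = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc = 0;

    if (fd < 0)
        return errno;
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        rc = errno;
    close(fd); /* probe only; real code would keep the bound fd */
    return rc;
}

/* 1 when the uid heuristic and the kernel disagree about a reserved port:
 * the mismatch described in the thread, e.g. a non-root process that holds
 * the capability but that the heuristic would have refused up front. */
int heuristic_disagrees_with_os(unsigned short port)
{
    return is_reserved_port(port) &&
        (os_bind_result(port) == 0) != uid_may_bind_reserved();
}
```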
On Sat, Jul 23, 2016 at 2:45 AM, Corinna Vinschen <vinschen at redhat.com> wrote:
> On Jul 22 23:32, Darren Tucker wrote:
>> On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vinschen at redhat.com> wrote:
>> [...]
>> > Hmm. If that only affects Cygwin, and if defines.h is not synced anyway,
>> > what about getting rid of the configure stuff entirely?
>> >
>> > Tested counterproposal:

I've committed this. I'll look at the other changes after the release.

[...]
> As has been discussed more than once on this list, Cygwin^WWindows isn't
> the only OS allowing more than a single administrative account.
> Alternatively the system supports fine-grained account-based permissions
> or per-executable capabilities.

Agreed, capabilities is what I was thinking of when I replied.

[...]
> Checking for uid 0 only makes limited sense, and only on very
> traditional UNIX systems.

In its defense, I suspect that's all it ran on at the time it was written.

Thanks.

-- 
Darren Tucker (dtucker at zip.com.au)