Re: [PATCH] Drop fine-grained privileges on Illumos/Solaris

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Fri, Nov 13, 2015 at 12:00 PM, Alex Wilson <alex@xxxxxxxxxxx> wrote:
> I'm not sure how interested anybody here is in this, but I've been
> working lately on getting rid of the horror that is SunSSH for some
> distros of Illumos (mostly SmartOS).

As long as someone is willing to do the work and help with tests
(which it sounds like you are), the support doesn't compromise other
platforms or make maintenance significantly harder then I have no
objections to it going in.

> One of the patches we're carrying
> around at the moment is one that simply drops fine-grained privileges in
> sshd, ssh-agent and sftp-server. Since the privilege dropping here is
> roughly equivalent to a more verbose, coarser version of a tame() call,
> I was wondering if there might be any interest in taking it into
> openssh-portable in future.

The code itself looks quite reasonable.  Placing it inline in the main
source files is problematic since it makes maintenance of those files
harder, but it it should fit nicely in openbsd-compat/port-solaris.c.

The similarities to tame (now renamed "pledge" in OpenBSD) are
potentially useful, as we may be able to put pledge calls into the
mainline code then use that to hook into the code you wrote.

The other place these look like the'd be useful is in the pre-auth
privsep sandbox, so you may want to look at one of the example
sandbox-*.c files.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux