Re: Call for testing: OpenSSH 7.3

On Jul 22 23:32, Darren Tucker wrote:
> On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vinschen@xxxxxxxxxx> wrote:
> [...]
> > Hmm.  If that only affects Cygwin, and if defines.h is not synced anyway,
> > what about getting rid of the configure stuff entirely?
> >
> > Tested counterproposal:
> 
> Looks reasonable.  It's late here so I'm going to look at it tomorrow.

Thank you.

> > As for the comment preceding the definition, I didn't change it from
> > your text in my proposal.  However.
> >
> > I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in
> > terms of the implementation of bindresvport_sa and rcmd.  It's not just
> > backward compatibility.  There are also applications out there which
> > still expect this value to make sense.
> 
> Fair point.
> 
> > The *real* problem here is that OpenSSH checks for uid 0 before allowing
> > to bind a socket to a port < IPPORT_RESERVED, rather than letting the OS
> > decide if the current user is allowed to bind that port.
> > From my POV this check in OpenSSH is gratuitous and it's the real reason
> > we have this problem at all.
> 
> In the case of sshd running with privsep off, the process doing the
> binding is still running as root and I suspect those checks date back
> to when it was always running as root.  It could probably
> temporarily_use_uid() though.

I think this is a very good idea.

As has been discussed more than once on this list, Cygwin^WWindows isn't
the only OS allowing more than a single administrative account.
Alternatively the system supports fine-grained account-based permissions
or per-executable capabilities.

For example, think raw sockets and ping/ping6.  You don't have to be
admin to open a raw socket if the OS supports capabilities, nor does the
application have to be a setuid application, as on Linux:

  $ ls -l /usr/bin/ping
  -rwxr-xr-x 1 root root 44752 Nov 19  2015 /usr/bin/ping
  $ getcap /usr/bin/ping
  ping = cap_net_admin,cap_net_raw+ep

Checking for uid 0 only makes limited sense, and only on very
traditional UNIX systems.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
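
The uid-0 pre-check discussed in this message, set against simply attempting the bind and letting the kernel answer, as an added example that is not part of the original message or of OpenSSH's code. The function names `uid_gate`, `os_gate` and `gate_mismatch` and the sample ports are assumptions made for illustration.

```c
#include <errno.h>
#include <netinet/in.h>   /* IPPORT_RESERVED (1024), struct sockaddr_in */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Application-side gate of the kind criticised above: refuse low ports
 * unless the effective uid is 0. Port 0 (ephemeral) is always allowed. */
int uid_gate(unsigned port, uid_t euid)
{
    return (port != 0 && port < IPPORT_RESERVED && euid != 0) ? EACCES : 0;
}

/* Let the OS decide: attempt the bind on loopback, return 0 or errno. */
int os_gate(unsigned port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0), err = 0;
    if (fd < 0)
        return errno;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        err = errno;
    close(fd);
    return err;
}

/* 1: uid gate denies a bind the OS permits (capability, other admin account);
 * -1: uid gate allows but the OS refuses on privilege grounds; 0: no conflict. */
int gate_mismatch(int uid_result, int os_result)
{
    if (uid_result == EACCES && os_result == 0) return 1;
    if (uid_result == 0 && (os_result == EACCES || os_result == EPERM)) return -1;
    return 0;
}

int main(void)
{
    unsigned ports[] = { 0, 80, 1023, 1024, 8022 };   /* constructed sample */
    for (size_t i = 0; i < sizeof(ports) / sizeof(ports[0]); i++) {
        int u = uid_gate(ports[i], geteuid()), o = os_gate(ports[i]);
        printf("port %4u  uid_gate=%-5s  os=%-25s mismatch=%d\n", ports[i],
               u ? "deny" : "allow", o ? strerror(o) : "allow", gate_mismatch(u, o));
    }
    return 0;
}
```

A `mismatch=1` row is the situation the message describes: the process holds whatever privilege the OS requires for the port, but a uid comparison would have refused it first.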
