Hello.
I think openssh-client should allow use port forwarding not only for
root user.
CAP_NET_BIND_SERVICE enought to use privileged ports.
I do patch for myself, but I think, that you could improve it and apply
to master.
--- openssh-7.3p1.orig/readconf.c
+++ openssh-7.3p1/readconf.c
@@ -15,6 +15,7 @@
#include "includes.h"
#include <sys/types.h>
+#include <sys/capability.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
@@ -327,7 +328,16 @@ add_local_forward(Options *options, cons
extern uid_t original_real_uid;
int i;
+ cap_flag_value_t cap_flag_value_e, cap_flag_value_p;
+ cap_t caps;
+
+ caps = cap_get_proc();
+ cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE,
&cap_flag_value_e);
+ cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED,
&cap_flag_value_p);
+
if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
+ (cap_flag_value_e != CAP_SET || cap_flag_value_p != CAP_SET) &&
newfwd->listen_path == NULL)
fatal("Privileged ports can only be forwarded by root.");
/* Don't add duplicates */
--- openssh-7.3p1.orig/configure.ac
+++ openssh-7.3p1/configure.ac
@@ -775,6 +775,9 @@ main() { if (NSVersionOfRunTimeLibrary("
use_pie=auto
check_for_libcrypt_later=1
check_for_openpty_ctty_bug=1
+ # libcap
+ # use capabilities
+ LIBS="$LIBS -lcap"
AC_DEFINE([PAM_TTY_KLUDGE], [1],
[Work around problematic Linux PAM modules handling of PAM_TTY])
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
And specify one more build dependencie: libcap-dev.
Regards,
Alexey Mochkin.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev