Support Capabilities for ssh client port forwarding

Hello.

I think openssh-client should allow the use of port forwarding not only for the root user.
CAP_NET_BIND_SERVICE is enough to use privileged ports.

I made a patch for myself, but I think that you could improve it and apply it to master.

--- openssh-7.3p1.orig/readconf.c
+++ openssh-7.3p1/readconf.c
@@ -15,6 +15,7 @@
 #include "includes.h"

 #include <sys/types.h>
+#include <sys/capability.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
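Review bot: the new `#include <sys/capability.h>` at the top of readconf.c is unconditional, so the file stops compiling on every platform that has no libcap headers (non-Linux systems, and Linux hosts without libcap-dev). Wrap it in a configure-generated guard such as `#ifdef HAVE_SYS_CAPABILITY_H` / `#endif`, and guard the matching cap_get_proc()/cap_get_flag() code in add_local_forward() the same way so the existing root-only behaviour is kept where libcap is absent.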
@@ -327,7 +328,16 @@ add_local_forward(Options *options, cons
 	extern uid_t original_real_uid;
 	int i;

+	cap_flag_value_t cap_flag_value_e, cap_flag_value_p;
+	cap_t caps;
+
+	caps = cap_get_proc();
+ cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE, &cap_flag_value_e); + cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED, &cap_flag_value_p);
+
 	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
+			(cap_flag_value_e != CAP_SET || cap_flag_value_p != CAP_SET) &&
 	    newfwd->listen_path == NULL)
 		fatal("Privileged ports can only be forwarded by root.");
 	/* Don't add duplicates */
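Review bot: none of the libcap return values in add_local_forward() are checked and the capability handle is leaked. cap_get_proc() returns NULL on failure, and cap_get_flag() returns -1 and leaves cap_flag_value_e / cap_flag_value_p untouched, so the comparison against CAP_SET then reads uninitialised stack values. Test `caps == NULL` and the result of each cap_get_flag() call, treat any failure as "capability not held" so the fatal() path is still taken, and call cap_free(caps) before the port check. Two smaller points: the two cap_get_flag() calls are run together on one line with space indentation while the surrounding code uses tabs, so put one call per line in the file's tab style; and the message "Privileged ports can only be forwarded by root." is no longer accurate once CAP_NET_BIND_SERVICE is accepted, so mention the capability in it.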
--- openssh-7.3p1.orig/configure.ac
+++ openssh-7.3p1/configure.ac
@@ -775,6 +775,9 @@ main() { if (NSVersionOfRunTimeLibrary("
 	use_pie=auto
 	check_for_libcrypt_later=1
 	check_for_openpty_ctty_bug=1
+	# libcap
+	# use capabilities
+	LIBS="$LIBS -lcap"
 	AC_DEFINE([PAM_TTY_KLUDGE], [1],
 		[Work around problematic Linux PAM modules handling of PAM_TTY])
 	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
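Review bot: `LIBS="$LIBS -lcap"` is appended unconditionally inside the Linux branch, so configure succeeds but the link fails on any Linux host without libcap installed, and no HAVE_ macro is produced for the C side to test. Replace it with a real probe, for example `AC_CHECK_HEADERS([sys/capability.h])` together with `AC_CHECK_LIB([cap], [cap_get_proc])`, which add -lcap only when the library is found and define HAVE_SYS_CAPABILITY_H / HAVE_LIBCAP for readconf.c to key on; the two comment lines `# libcap` and `# use capabilities` say the same thing and can be collapsed into one.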


And specify one more build dependency: libcap-dev.

Regards,
Alexey Mochkin.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
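The condition the patch adds to add_local_forward() (refuse a privileged listen port unless the user is root or holds CAP_NET_BIND_SERVICE in both the permitted and effective sets), as an added example that is not part of the original post or of OpenSSH. It reads the capability bitmasks Linux exposes in /proc/<pid>/status instead of linking libcap, so the check needs no extra build dependency; the status excerpts are constructed, not captured from a real system.

```python
import os

CAP_NET_BIND_SERVICE = 10   # capability bit number, as in <linux/capability.h>
IPPORT_RESERVED = 1024      # bind() below this port needs root or the capability

# Constructed /proc/<pid>/status excerpts (sample data, not from a real process).
STATUS_WITH_CAP = "Uid:\t1000\t1000\t1000\t1000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
STATUS_PRM_ONLY = "Uid:\t1000\t1000\t1000\t1000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000000\n"
STATUS_NO_CAP   = "Uid:\t1000\t1000\t1000\t1000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"


def parse_cap_sets(status_text):
    """Return {'CapPrm': int, 'CapEff': int, ...} from /proc status text.

    The kernel prints each set as a 64-bit hex bitmask, one capability per bit.
    """
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            sets[key] = int(value.strip(), 16)
    return sets


def has_capability(status_text, cap_bit):
    """True only if the bit is in BOTH the permitted and effective sets.

    This is the same test the patch performs with cap_get_flag(): a capability
    that is merely permitted but not effective does not let bind() succeed.
    A missing Cap line is treated as an empty set, i.e. capability absent.
    """
    sets = parse_cap_sets(status_text)
    mask = 1 << cap_bit
    return bool(sets.get("CapPrm", 0) & mask) and bool(sets.get("CapEff", 0) & mask)


def may_forward_port(listen_port, real_uid, status_text, listen_path=None):
    """Mirror of the fatal() condition in add_local_forward().

    A privileged TCP listen port is refused unless the real uid is root or the
    process holds CAP_NET_BIND_SERVICE; Unix-socket forwards (listen_path set)
    and unprivileged ports are never subject to the check.
    """
    if listen_path is not None or listen_port >= IPPORT_RESERVED or real_uid == 0:
        return True
    return has_capability(status_text, CAP_NET_BIND_SERVICE)


def may_forward_port_self(listen_port, listen_path=None):
    """Apply the check to the running process (Linux only: needs /proc)."""
    with open("/proc/self/status") as status_file:
        return may_forward_port(listen_port, os.getuid(), status_file.read(), listen_path)
```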


