Hi, Could you please file a bug at https://bugzilla.mindrot.org and attach this? That will make sure it doesn't get lost. -d On Mon, 10 Oct 2016, Alexey wrote: > Hello. > > I think openssh-client should allow use port forwarding not only for root > user. > CAP_NET_BIND_SERVICE enought to use privileged ports. > > I do patch for myself, but I think, that you could improve it and apply to > master. > > --- openssh-7.3p1.orig/readconf.c > +++ openssh-7.3p1/readconf.c > @@ -15,6 +15,7 @@ > #include "includes.h" > > #include <sys/types.h> > +#include <sys/capability.h> > #include <sys/stat.h> > #include <sys/socket.h> > #include <sys/wait.h> > @@ -327,7 +328,16 @@ add_local_forward(Options *options, cons > extern uid_t original_real_uid; > int i; > > + cap_flag_value_t cap_flag_value_e, cap_flag_value_p; > + cap_t caps; > + > + caps = cap_get_proc(); > + cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE, > &cap_flag_value_e); > + cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED, > &cap_flag_value_p); > + > if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 && > + (cap_flag_value_e != CAP_SET || cap_flag_value_p != > CAP_SET) && > newfwd->listen_path == NULL) > fatal("Privileged ports can only be forwarded by root."); > /* Don't add duplicates */ > --- openssh-7.3p1.orig/configure.ac > +++ openssh-7.3p1/configure.ac 
> @@ -775,6 +775,9 @@ main() { if (NSVersionOfRunTimeLibrary(" > use_pie=auto > check_for_libcrypt_later=1 > check_for_openpty_ctty_bug=1 > + # libcap > + # use capabilities > + LIBS="$LIBS -lcap" > AC_DEFINE([PAM_TTY_KLUDGE], [1], > [Work around problematic Linux PAM modules handling of > PAM_TTY]) > AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"], > > > And specify one more build dependencie: libcap-dev. > > Regards, > Alexey Mochkin. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
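Review bot: In the first readconf.c hunk (@@ -15,6 +15,7), the added #include <sys/capability.h> is unconditional, so readconf.c stops compiling on any platform or build host that lacks the libcap headers. Wrap the include in a preprocessor guard that configure defines only when the header is found (for example a HAVE_SYS_CAPABILITY_H produced by a header check, a name assumed here), and keep the capability logic in add_local_forward under the same guard so the existing root-only check remains the fallback.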
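Review bot: In the add_local_forward hunk (@@ -327,7 +328,16), the result of cap_get_proc() is used without a NULL check and both cap_get_flag() return values are ignored, so on failure cap_flag_value_e and cap_flag_value_p are read uninitialized in a condition that decides whether a privileged port may be forwarded. Initialize both to CAP_CLEAR, treat any failure as "capability not held" so the check fails closed, and release the handle with cap_free(caps), which the hunk never calls. The capability lookup also runs on every call; moving it inside the listen_port < IPPORT_RESERVED && original_real_uid != 0 branch avoids the work for the common case. Finally, the fatal() text still says "can only be forwarded by root", which no longer matches the condition and should mention CAP_NET_BIND_SERVICE.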
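Review bot: In the configure.ac hunk (@@ -775,6 +775,9), LIBS="$LIBS -lcap" is appended with no probe for the library or its header, so configure succeeds without libcap-dev and the build only fails later at compile or link time, and everything linked with $LIBS picks up the new dependency rather than just the client. Replace the bare assignment with a real check, for example AC_CHECK_LIB([cap], [cap_get_proc]) together with AC_CHECK_HEADERS([sys/capability.h]), and make the feature optional so a build without libcap keeps the current behaviour. The two comment lines "# libcap" and "# use capabilities" would be more useful if they said why the library is needed (privileged-port forwarding check in readconf.c).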