[Bug 2511] Drop fine-grained privileges on Illumos/Solaris

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Dec 14 18:39:33 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2511

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
(In reply to Alex Wilson from comment #4)

> I did have one other question/comment -- from what I can tell, the
> pledge() call in ssh-agent seems to be broader than it needs to be:
> it's currently allowing "exec", but the pledge() call happens after
> the final exec() that the ssh-agent can do. Am I mistaken on this?
> If I am, then the code in this patch should also avoid dropping
> "exec" (currently it drops it).

Unfortunately the agent can still exec() at this point: if the user
adds a PKCS#11 token then ssh-pkcs11-helper will be executed.

I've thought about doing this unconditionally when ssh-agent is
started, but was put off by running an extra process that will never be
used by 99.9% of users.

Alternatives include adding a command-line option to ssh-agent to
enable PKCS#11 support (would break existing setups), adding an option
to disable PKCS#11 support so a stronger pledge could be used (not
"secure by default", nobody would use it) or extending pledge to permit
the whitelisting of execl() targets (not going to happen for a while,
if ever).

None of the alternatives were particularly appealing, so we punted and
used a more permissive pledge policy :/
