[Bug 2511] Drop fine-grained privileges on Illumos/Solaris
bugzilla-daemon at bugzilla.mindrot.org
Mon Dec 14 18:39:33 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2511
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
(In reply to Alex Wilson from comment #4)
> I did have one other question/comment -- from what I can tell, the
> pledge() call in ssh-agent seems to be broader than it needs to be:
> it's currently allowing "exec", but the pledge() call happens after
> the final exec() that the ssh-agent can do. Am I mistaken on this?
> If I am, then the code in this patch should also avoid dropping
> "exec" (currently it drops it).
Unfortunately the agent can still exec() at this point: if the user
adds a PKCS#11 token then ssh-pkcs11-helper will be executed.
I've thought about doing this unconditionally when ssh-agent is
started, but was put off by running an extra process that will never be
used by 99.9% of users.
Alternatives include adding a command-line option to ssh-agent to
enable PKCS#11 support (would break existing setups), adding an option
to disable PKCS#11 support so a stronger pledge could be used (not
"secure by default", nobody would use it) or extending pledge to permit
the whitelisting of execl() targets (not going to happen for a while,
if ever).
None of the alternatives were particularly appealing, so we punted and
used a more permissive pledge policy :/