[Bug 2511] Drop fine-grained privileges on Illumos/Solaris
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Mon Dec 14 19:35:37 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2511
Alex Wilson <alex+mailinglists_openssh-dev at cooperi.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2770|ok?(dtucker at zip.com.au) |
Flags| |
Attachment #2770|0 |1
is obsolete| |
--- Comment #7 from Alex Wilson <alex+mailinglists_openssh-dev at cooperi.net> ---
Created attachment 2771
--> https://bugzilla.mindrot.org/attachment.cgi?id=2771&action=edit
patch-v3
(In reply to Damien Miller from comment #5)
>
> Unfortunately the agent can still exec() at this point: if the user
> adds a PKCS#11 token then ssh-pkcs11-helper will be executed.
>
Ah. Of course. I haven't been testing with a pkcs#11 token, though we
do support a few of them on Illumos, so perhaps I should see if I can
dig one up for future testing.
I have attached a v3 patch, with this fixed up so that the ssh-agent
retains the right to use exec(). I also renamed the
solaris_drop_*_privs() functions to make it a bit clearer what the 3 of
them actually are.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list