[Bug 2511] Drop fine-grained privileges on Illumos/Solaris

bugzilla-daemon at bugzilla.mindrot.org
Mon Dec 14 19:35:37 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2511

Alex Wilson <alex+mailinglists_openssh-dev at cooperi.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2770|ok?(dtucker at zip.com.au)     |
              Flags|                            |
   Attachment #2770|0                           |1
        is obsolete|                            |

--- Comment #7 from Alex Wilson <alex+mailinglists_openssh-dev at cooperi.net> ---
Created attachment 2771
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2771&action=edit
patch-v3

(In reply to Damien Miller from comment #5)
> 
> Unfortunately the agent can still exec() at this point: if the user
> adds a PKCS#11 token then ssh-pkcs11-helper will be executed.
> 

Ah. Of course. I haven't been testing with a pkcs#11 token, though we
do support a few of them on Illumos, so perhaps I should see if I can
dig one up for future testing.

I have attached a v3 patch, with this fixed up so that the ssh-agent
retains the right to use exec(). I also renamed the
solaris_drop_*_privs() functions to make it a bit clearer what the 3 of
them actually are.
