[Bug 2511] Drop fine-grained privileges on Illumos/Solaris
bugzilla-daemon at bugzilla.mindrot.org
Mon Dec 14 20:44:14 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2511
Alex Wilson <alex+mailinglists_openssh-dev at cooperi.net> changed:
              What|Removed                     |Added
----------------------------------------------------------------------------
  Attachment #2771|0                           |1
       is obsolete|                            |
--- Comment #8 from Alex Wilson <alex+mailinglists_openssh-dev at cooperi.net> ---
Created attachment 2772
--> https://bugzilla.mindrot.org/attachment.cgi?id=2772&action=edit
patch-v4
One last amendment, after a colleague reminded me of a fix that I
should have merged into this patch.

It fixes the case where a user (for some reason) decides they want to
let sftp-server log in as root and they wish to have root's ability to
read and write any file on the system. Privilege code that starts with
priv_basicset() implicitly drops all of root's special rights
(including these "DAC" filesystem rights), so this amendment changes
the sftp-server to explicitly retain those particular parts of root (if
it has them) while still dropping everything else.

As I understand it, the other places this patch injects priv drops (for
the ssh-agent, client mux and daemon sandbox) are fine with dropping
all special root abilities if they are started with any of them, so
those functions don't need to change.
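
The set arithmetic behind the amendment described in comment #8, as an added example that is not part of the patch or of OpenSSH: a portable C model in which privilege sets are bitmasks. The bit values, the reduced privilege list and the function names drop_to_basic/drop_keep_dac are assumptions made here; on illumos the same steps are done with priv_basicset(), getppriv(), priv_ismember(), priv_addset() and setppriv() from <priv.h>.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: one bit per privilege. The names follow real
 * illumos/Solaris privileges; the bit values and the small subset
 * shown here are assumptions made for this example. */
typedef uint32_t privset;
enum {
    P_FILE_LINK_ANY  = 1u << 0,   /* in the basic set */
    P_PROC_FORK      = 1u << 1,   /* in the basic set */
    P_PROC_EXEC      = 1u << 2,   /* in the basic set */
    P_FILE_DAC_READ  = 1u << 3,   /* root: read any file */
    P_FILE_DAC_WRITE = 1u << 4,   /* root: write any file */
    P_PROC_SETID     = 1u << 5,   /* root: change uid/gid */
    P_SYS_MOUNT      = 1u << 6    /* root: mount filesystems */
};
#define BASIC_SET (P_FILE_LINK_ANY | P_PROC_FORK | P_PROC_EXEC)
#define DAC_SET   (P_FILE_DAC_READ | P_FILE_DAC_WRITE)
#define ROOT_SET  (BASIC_SET | DAC_SET | P_PROC_SETID | P_SYS_MOUNT)

/* A drop that starts from the basic set (priv_basicset) and installs
 * it: every root-only right, DAC included, is lost. */
static privset drop_to_basic(privset permitted)
{
    return BASIC_SET & permitted;
}

/* sftp-server style drop: start from basic, then re-add each DAC
 * privilege only if the current permitted set already holds it
 * (priv_ismember + priv_addset), so nothing new is ever gained. */
static privset drop_keep_dac(privset permitted)
{
    privset next = BASIC_SET;
    const privset dac[] = { P_FILE_DAC_READ, P_FILE_DAC_WRITE };
    for (size_t i = 0; i < sizeof(dac) / sizeof(dac[0]); i++)
        if (permitted & dac[i])
            next |= dac[i];
    return next & permitted;   /* new set must be a subset of the old */
}

int main(void)
{
    printf("root, basic only: 0x%02x\n", (unsigned)drop_to_basic(ROOT_SET));
    printf("root, keep DAC  : 0x%02x\n", (unsigned)drop_keep_dac(ROOT_SET));
    printf("user, keep DAC  : 0x%02x\n", (unsigned)drop_keep_dac(BASIC_SET));
    return 0;
}
```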