[Bug 2625] Support Capabilities for ssh client port forwarding

bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 1 10:04:28 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2625

Richard E. Silverman <res at qoxp.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |res at qoxp.net

--- Comment #7 from Richard E. Silverman <res at qoxp.net> ---
Hello,

This should be addressed, but I disagree with the proposed solution
here. The real problem is not that ssh checks its euid -- it is that
ssh tries to guess whether the kernel will allow it to bind a low port,
but cannot in principle know what is required for that; that's the
kernel's job, and will change depending on the security facilities in
use on a particular system. It's like refusing to try to open a file if
the mode bits don't seem to allow you to: maybe an ACL would allow it.
Or deciding that you must be able to open the file, but then finding
that you can't because SELinux is enabled, and the policy blocks it.
Programs should not second-guess the kernel: ssh should just try to
bind the port, and report the result.

Pleasantly, this also gets rid of all the issues discussed here around
the usage of libcap etc.

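The point Richard makes above, as an added example that is not OpenSSH code and not part of this bug thread: a euid-based guess about whether a port below 1024 is bindable is compared with simply calling bind(2) and reporting errno. On Linux the guess is wrong in both directions, since a non-root process holding CAP_NET_BIND_SERVICE (or running with net.ipv4.ip_unprivileged_port_start lowered) can bind a low port, while a root process can still be denied by an LSM policy. The helper names (guess_can_bind, try_bind_tcp) are my own; the program binds to INADDR_ANY and closes the socket immediately, so it only probes and never listens.

```c
/* Added example, not OpenSSH code: let the kernel decide whether a low
 * port may be bound instead of guessing from geteuid().
 * Build: cc -o bindprobe bindprobe.c ; run: ./bindprobe [port]  (default 80) */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* The guess the comment argues against: "low port needs euid 0".
 * Wrong under CAP_NET_BIND_SERVICE, a lowered ip_unprivileged_port_start,
 * or an LSM policy that denies root. */
static int guess_can_bind(unsigned short port)
{
    return port >= IPPORT_RESERVED || geteuid() == 0;
}

/* Just try it. Returns 0 on success, -errno on failure. On success and when
 * bound_port is non-NULL, it receives the port actually bound (useful for
 * port 0, where the kernel picks an ephemeral port). */
static int try_bind_tcp(unsigned short port, unsigned short *bound_port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);

    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        int e = errno;          /* save before close() can clobber it */
        close(fd);
        return -e;
    }
    if (bound_port) {
        if (getsockname(fd, (struct sockaddr *)&sin, &len) == 0)
            *bound_port = ntohs(sin.sin_port);
        else
            *bound_port = port;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 80;
    unsigned short got = 0;
    int r;

    printf("euid-based guess for port %u: %s\n", port,
           guess_can_bind(port) ? "would try" : "would refuse");

    /* The kernel's answer, which is the only one that matters. */
    r = try_bind_tcp(port, &got);
    if (r == 0)
        printf("bind(:%u) succeeded (bound port %u)\n", port, got);
    else
        printf("bind(:%u) failed: %s\n", port, strerror(-r));
    return r == 0 ? 0 : 1;
}
```

Running it as an unprivileged user with `setcap cap_net_bind_service=+ep ./bindprobe` shows the two answers disagree: the guess says "would refuse" while bind(2) succeeds. The errno path is what an ssh client would report to the user in place of the pre-emptive refusal.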