[Bug 2625] Support Capabilities for ssh client port forwarding

bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 1 10:50:38 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2625

--- Comment #8 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Richard E. Silverman from comment #7)
> This should be addressed, but I disagree with the proposed solution
> here. The real problem is not that ssh checks its euid

Well it checks the uid of the user logging in, which may or may not be
the euid of the process.

In the case where sshd is running with UsePrivilegeSeparation=no the
process making the bind() calls is running as root even when handling
non-root logins.  Similarly ssh can be installed setuid, although it's
not common any more.  If you don't have some kind of check (or do
temporarily_use_uid()), well, things like
https://bugs.chromium.org/p/project-zero/issues/detail?id=1010 happen.

Currently these errors are caught at config parse time.  Your
proposal wouldn't detect them until later when the connection was
already up.

These are solvable, e.g. by temporarily_use_uid() and/or by testing binds
during config parsing, but it's not a simple case of "delete those
checks and YOLO".
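
The two approaches named in the comment above, sketched as an added example (not part of the original message and not OpenSSH code): a parse-time check keyed on the login user's uid, and a test bind made with the effective uid temporarily switched. The names forward_allowed and probe_bind_as, the rejection of port 0, and the sample uid 1000 are assumptions of this sketch.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse-time policy check keyed on the uid of the user being served.
 * Passing the process euid instead is the mistake: a root-owned or setuid
 * process would approve privileged ports for every login. */
int forward_allowed(uid_t login_uid, int port)
{
    if (port <= 0 || port > 65535)
        return 0;                       /* this example rejects port 0 */
    return port >= IPPORT_RESERVED || login_uid == 0;
}

/* Ask the kernel instead: try the bind with the effective uid switched to
 * login_uid. Returns 1 if bind succeeded, 0 if refused, -1 on setup error.
 * Simplified: a full identity switch also changes the gid and groups. */
int probe_bind_as(uid_t login_uid, int port)
{
    uid_t saved = geteuid();
    struct sockaddr_in sa;
    int fd, ok = -1;

    if (saved != login_uid && seteuid(login_uid) == -1)
        return -1;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) != -1) {
        memset(&sa, 0, sizeof(sa));
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sa.sin_port = htons((unsigned short)port);
        ok = bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0;
        close(fd);
    }
    if (saved != login_uid && seteuid(saved) == -1)
        abort();                        /* never continue with the wrong uid */
    return ok;
}

int main(void)
{
    uid_t login_uid = 1000;             /* constructed sample: a non-root login */
    printf("port 80, login uid: %d\n", forward_allowed(login_uid, 80));
    printf("port 80, euid 0:    %d\n", forward_allowed(0, 80));
    printf("probe 8080 as self: %d\n", probe_bind_as(geteuid(), 8080));
    return 0;
}
```

The static check can run while the configuration is parsed, before any connection exists; the probe reflects what the kernel would actually permit for that uid at the moment it runs.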
