[Bug 2625] Support Capabilities for ssh client port forwarding
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 1 12:29:28 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2625
--- Comment #9 from Richard E. Silverman <res at qoxp.net> ---
Ah, I was only thinking about the client-side case, since that is how
this bug report started:
> I think openssh-client should allow use port forwarding not only for
> root user. CAP_NET_BIND_SERVICE enough to use privileged ports.
... and in fact I came across this bugzilla entry because I was about
to file one for the same problem with the client-side UsePrivilegedPort
option, which is silently turned off if the euid is not 0:
[ssh.c]
if (original_effective_uid != 0)
options.use_privileged_port = 0;
... which is similarly inaccurate.
> These are solvable, eg by temporarily_use_uid() and/or by testing
> binds during config parsing, but it's not a simple case of
> "delete those checks and YOLO".
Agreed, on the server side where privilege management is involved; I
was advocating a different approach to the problem rather than giving a
detailed, finished solution. On the client just that should be almost
enough. If we want to preserve the current behavior on the client --
that the connection succeeds anyway -- then it would try to bind the
low port, and if it gets EPERM (or any error?), retry without the
low-port restriction before giving up.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list