[Bug 2625] Support Capabilities for ssh client port forwarding

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 1 12:29:28 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2625

--- Comment #9 from Richard E. Silverman <res at qoxp.net> ---
Ah, I was only thinking about the client-side case, since that is how
this bug report started:

> I think openssh-client should allow use of port forwarding not only for
> the root user. CAP_NET_BIND_SERVICE is enough to use privileged ports.

... and in fact I came across this bugzilla entry because I was about
to file one for the same problem with the client-side UsePrivilegedPort
option, which is silently turned off if the euid is not 0:

[ssh.c]
        if (original_effective_uid != 0)
                options.use_privileged_port = 0;

... which is similarly inaccurate.

> These are solvable, eg by temporarily_use_uid() and/or by testing
> binds during config parsing, but it's not a simple case of
> "delete those checks and YOLO".

Agreed, on the server side where privilege management is involved; I
was advocating a different approach to the problem rather than giving a
detailed, finished solution. On the client just that should be almost
enough. If we want to preserve the current behavior on the client --
that the connection succeeds anyway -- then it would try to bind the
low port, and if it gets EPERM (or any error?), retry without the
low-port restriction before giving up.

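The client-side fallback sketched in the comment above, as an added example that is not OpenSSH code: try the low port first and retry without the low-port restriction only when the kernel refuses for lack of privilege, letting every other bind error (address in use, and so on) fail as it does today. It assumes an IPv4 TCP socket on INADDR_ANY and a constructed request for port 1023; on Linux a bind to a privileged port without CAP_NET_BIND_SERVICE fails with EACCES, so both EACCES and EPERM are treated as the "no privilege" case.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* True when bind() failed only for lack of privilege on a low port.
 * Linux reports EACCES for that; EPERM is accepted too. Anything else
 * (EADDRINUSE, ...) is a real error, not a reason to quietly drop the
 * low-port restriction. */
int lowport_denied(int err)
{
	return err == EACCES || err == EPERM;
}

/* Bind an IPv4 TCP socket to low_port; if that is refused for lack of
 * privilege, retry with port 0 so the kernel picks an unprivileged port.
 * Returns the port actually bound (> 0) and sets *fell_back, or -1 on
 * any other failure. The socket is closed before returning, so nothing
 * is left listening. */
int bind_low_or_fallback(unsigned short low_port, int *fell_back)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof(sin);
	int s = socket(AF_INET, SOCK_STREAM, 0);

	*fell_back = 0;
	if (s < 0)
		return -1;
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
	sin.sin_port = htons(low_port);
	if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
		if (!lowport_denied(errno))
			goto fail;
		*fell_back = 1;		/* no privilege: retry on any port */
		sin.sin_port = 0;
		if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0)
			goto fail;
	}
	if (getsockname(s, (struct sockaddr *)&sin, &len) < 0)
		goto fail;
	close(s);
	return ntohs(sin.sin_port);
fail:
	close(s);
	return -1;
}
```

Run as root (or with CAP_NET_BIND_SERVICE, or with net.ipv4.ip_unprivileged_port_start lowered) the first bind succeeds and fell_back stays 0; as an ordinary user it reports fell_back = 1 and an ephemeral port, which is the "connection succeeds anyway" behaviour the comment wants to keep.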