[Bug 2885] sshd is not using chroot and privsep on default cygwin install any more

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Aug 2 19:24:04 AEST 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2885

--- Comment #4 from Corinna Vinschen <vinschen at redhat.com> ---
Privsep never worked fully on Cygwin.  It uses descriptor passing via
AF_UNIX sockets which isn't implemented in Cygwin (yet).

So when privsep was introduced, only one half of it got used on Cygwin.
The problem is, I don't remember which part of it.

Either way, I checked the source history and it seems the code
in question here (preauth) was never used on Cygwin anyway.  The
getuid==0 check exists since 2002.

Second problem is that permanently_set_uid() is a fake on Cygwin.
Permanently changing the uid/gid only works when exec'ing a new
process.  It's never permanent while still in the same process.
This is a limitation of the Windows authorization model.

Above all, chroot is a concept not supported by Windows anyway.
Therefore the chroot emulation of Cygwin does not actually
add any security since applications can easily work around it
by using native Windows API calls rather than just Cygwin
POSIX calls, as is well-known.

Bottom line is, I'm not sure what to do here.  Preauth privsep
is not really well supportable on Cygwin.  Probably the best way
out is to remove any Cygwin-specific code here and tell the user
that this is not supported on Cygwin.

THis shouldn't affect the other part of privsep, though.


Corinna

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.


More information about the openssh-bugs mailing list