2.5.2p2 ssh-keyscan installed group writable?
Damien Miller
djm at mindrot.org
Wed Mar 28 12:49:22 EST 2001
On Tue, 27 Mar 2001, Jason Stone wrote:
> > The correct answer for OpenSSH is, IMHO:
> > 1. Continue to support SetUID installation
> > of the ssh client in order to
> > support rsa-rhosts auth--but perhaps
> > the default should transition over
> > to non-SetUID (with a big warning note!)
>
> It was certainly important in the beginning for ssh to be a drop-in
> replacement for rsh, but I think that it's less true now. I think it may
> be acceptable to have ssh not be setuid by default and include a note in
> the docs/manpage/config saying, "type 'chmod 4711 ssh' if you want to use
> rsh."
.rhosts authentication will always require root (or some other way to
get a low-numbered source port).
rhosts-rsa auth doesn't need root. It could follow what ssh.com's ssh
protocol implementation does and execute a small challenge signing
program which has access to the host key.
The mechanics of how this hangs together (sgid ssh, suid ssh-signer) are
left to whoever sends us the patch to implement it :)
> > 2. Install *all* executables (not just SetUID)
> > as mode 511 (or 4511 if appropriate).
> >
> > I know of at least one system where
> > when given a user-level account on this
> > supposedly-secure system, it took me
> > less than 20 minutes to [...] take root.
>
> I feel ambivalent on this one. It would obscure stuff for you a little
> bit, and every little bit helps, but the binaries are usually standard and
> the user can get copies by other means, and smart users may have
> legitimate uses for reading the binaries (I know that I frequently do).
There has been one legitimate reason for keeping the 'r' bits off the
executables - some (broken) older systems don't drop ptrace for suid
binaries unless the on-disk copies are not readable.
-d
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
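The point about .rhosts authentication needing root is worth seeing in code. The rsh-style trust model is: the client binds its source port in the reserved range (below IPPORT_RESERVED, 1024), which classic kernels only allow to root, and the server infers from the peer port that a root-owned client vouches for the claimed user name. The program below is an added illustration, not code from this thread or from OpenSSH; it reimplements the downward port walk of rresvport(3) and the server-side range check of rshd for a loopback socket, and the Linux details named in the comments (CAP_NET_BIND_SERVICE, the net.ipv4.ip_unprivileged_port_start sysctl) are the "some other way to get a low-numbered source port" mentioned above. Function and enum names are my own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of trying to claim a reserved (< IPPORT_RESERVED) source port. */
enum rport_result {
    RPORT_OK = 0,        /* bound a reserved port: caller is root (or has the privilege) */
    RPORT_NEED_PRIV = 1, /* kernel answered EACCES: unprivileged caller */
    RPORT_EXHAUSTED = 2, /* every reserved port in range already in use */
    RPORT_ERROR = 3      /* socket() or an unexpected bind() failure */
};

/* Server-side check as done by rshd: a peer port is trusted only if it lies in
 * [IPPORT_RESERVED/2, IPPORT_RESERVED), i.e. 512..1023. */
int peer_port_is_reserved(int port) {
    return port >= IPPORT_RESERVED / 2 && port < IPPORT_RESERVED;
}

/* Client side, mimicking rresvport(3): walk downward from 1023 to 512 looking for
 * a free reserved port on the loopback address. On RPORT_OK, *fd_out holds the
 * bound socket (caller closes it) and *port_out the port that was claimed.
 * On classic Unix only root gets past the EACCES check; on Linux the same is
 * granted by CAP_NET_BIND_SERVICE or by lowering net.ipv4.ip_unprivileged_port_start. */
enum rport_result reserve_source_port(int *fd_out, int *port_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return RPORT_ERROR;

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    for (int port = IPPORT_RESERVED - 1; port >= IPPORT_RESERVED / 2; port--) {
        sin.sin_port = htons((uint16_t)port);
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0) {
            *fd_out = fd;
            *port_out = port;
            return RPORT_OK;
        }
        if (errno == EACCES) {        /* privilege check failed: no point continuing */
            close(fd);
            return RPORT_NEED_PRIV;
        }
        if (errno != EADDRINUSE) {    /* anything but "port busy" is a real error */
            close(fd);
            return RPORT_ERROR;
        }
    }
    close(fd);
    return RPORT_EXHAUSTED;
}

/* Convenience wrapper: try once, release the port, report the outcome. */
enum rport_result reserve_and_release(void) {
    int fd = -1, port = 0;
    enum rport_result r = reserve_source_port(&fd, &port);
    if (r == RPORT_OK)
        close(fd);
    return r;
}

int main(void) {
    int fd = -1, port = 0;
    enum rport_result r = reserve_source_port(&fd, &port);
    switch (r) {
    case RPORT_OK:
        printf("euid %u claimed reserved source port %d (rshd would trust it: %d)\n",
               (unsigned)geteuid(), port, peer_port_is_reserved(port));
        close(fd);
        break;
    case RPORT_NEED_PRIV:
        printf("euid %u: EACCES, reserved ports need root or CAP_NET_BIND_SERVICE\n",
               (unsigned)geteuid());
        break;
    case RPORT_EXHAUSTED:
        puts("all reserved ports 512..1023 are busy");
        break;
    default:
        perror("reserve_source_port");
    }
    return 0;
}
```

Run it once as an ordinary user and once as root to see the two branches. The server-side range check is the whole of the trust decision in the rsh model, which is why the client side has to hold enough privilege to satisfy it, and why a non-setuid ssh cannot do plain .rhosts on its own.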