pam + privileges
James Williamson
james at nameonthe.net
Wed Apr 30 21:47:32 EST 2003
Hi,
Apologies if my attempts to subscribe bombarded this list with empty emails.
We're running openssh 3.6.1p1 on Linux i386 and need to chroot and modify
people's capabilities (Linux specific) when they log in. To do this we've
compiled openssh with
pam support and then configured pam to chroot people and alter their
capabilities
(such as giving them the privilege to bind to a port below 1024). In the
past we've
used the chroot patch which works well yet using pam to chroot and grant
capabilities fail.
I've scanned through the code and it seems openssh is giving away root
privilege
very early in the pam pipeline. By the time it reaches the password /
session stages
it's given up all root privileges. The problem is the chroot and capability
pam modules apply
their changes during the pam session stage so you'd expect root to still be
in control until
the pam session stage.
Can anyone let me know if this was/is a conscious design decision?
Regards,
James Williamson
www.nameonthe.net
Tel: +44 208 7415453
Fax: + 44 208 7411615
More information about the openssh-unix-dev
mailing list