pam + privileges
Damien Miller
djm at mindrot.org
Wed Apr 30 21:55:06 EST 2003
James Williamson wrote:
> Hi,
>
> Apologies if my attempts to subscribe bombarded this list with empty emails.
>
> We're running openssh 3.6.1p1 on Linux i386 and need to chroot and modify
> people's capabilities (Linux specific) when they log in. To do this we've
> compiled openssh with
> pam support and then configured pam to chroot people and alter their
> capabilities
> (such as giving them the privilege to bind to a port below 1024). In the
> past we've
> used the chroot patch which works well yet using pam to chroot and grant
> capabilities fail.
>
> I've scanned through the code and it seems openssh is giving away root
> privilege
> very early in the pam pipeline. By the time it reaches the password /
> session stages
> it's given up all root privileges. The problem is the chroot and capability
> pam modules apply
> their changes during the pam session stage so you'd expect root to still be
> in control until
> the pam session stage.
>
> Can anyone let me know if this was/is a conscious design decision?
Absolutely, our goal is to have as little as possible code running with
root privileges.
Whether pam_session should run with root is a matter of debate though.
Have a look through bugzilla.mindrot.org, there is a bug open for this.
-d
More information about the openssh-unix-dev
mailing list