pam + privileges

James Williamson james at nameonthe.net
Wed Apr 30 23:07:33 EST 2003


> James Williamson wrote:
> > Hi,
> >
> > Apologies if my attempts to subscribe bombarded this list with empty
> > emails.
> >
> > We're running openssh 3.6.1p1 on Linux i386 and need to chroot and
> > modify people's capabilities (Linux specific) when they log in. To do
> > this we've compiled openssh with pam support and then configured pam to
> > chroot people and alter their capabilities (such as giving them the
> > privilege to bind to a port below 1024). In the past we've used the
> > chroot patch, which works well, yet using pam to chroot and grant
> > capabilities fails.
> >
> > I've scanned through the code and it seems openssh is giving away root
> > privilege very early in the pam pipeline. By the time it reaches the
> > password / session stages it's given up all root privileges. The problem
> > is the chroot and capability pam modules apply their changes during the
> > pam session stage, so you'd expect root to still be in control until
> > the pam session stage.
> >
> > Can anyone let me know if this was/is a conscious design decision?
>
> Absolutely, our goal is to have as little code as possible running with
> root privileges.
>
> Whether pam_session should run with root is a matter of debate though.
> Have a look through bugzilla.mindrot.org, there is a bug open for this.
>

Thanks,

I've had a look at the 'bug'. Rather than using setuid, why not use
setreuid or seteuid to temporarily give up privileges? This is how sendmail
handles the 'run as root as infrequently as possible' issue. If I write a
patch, is it likely to be accepted?

Regards,

James Williamson
www.nameonthe.net
Tel: +44 208 7415453
Fax: + 44 208 7411615
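
The following example is added to this archive page and is not part of the message above, nor code from OpenSSH or sendmail. It contrasts the two approaches the thread discusses: a temporary drop with seteuid, which leaves the saved uid at 0, and a permanent drop with setuid, and it checks in each case whether root can be taken back. The uid/gid 65534 and the function names are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534 /* assumption: conventional "nobody" uid/gid */

/* Child body: drop root, then try to take it back.
 * Returns 1 if root was regained, 0 if not, 2 if the drop itself failed. */
static int drop_then_regain(int permanent) {
    if (geteuid() != 0)            /* never had root: only probe for it */
        return seteuid(0) == 0;
    if (setgroups(0, NULL) != 0)   /* shed root's supplementary groups */
        return 2;
    if (permanent) {
        /* Called as root, setgid/setuid set the real, effective AND saved
         * ids, so no later call can restore uid 0. */
        if (setgid(UNPRIV_ID) != 0 || setuid(UNPRIV_ID) != 0)
            return 2;
    } else {
        /* setegid/seteuid change only the effective ids; the saved uid is
         * still 0 and remains available to any code in this process. */
        if (setegid(UNPRIV_ID) != 0 || seteuid(UNPRIV_ID) != 0)
            return 2;
    }
    /* Verify instead of assuming: does seteuid(0) still work? */
    return seteuid(0) == 0 && geteuid() == 0;
}

/* Runs the experiment in a forked child so the caller keeps its identity.
 * Returns 1 (root regained), 0 (not regained) or -1 (could not run). */
int can_regain_root(int permanent) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(drop_then_regain(permanent));
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    printf("seteuid (temporary drop): root regained = %d\n", can_regain_root(0));
    printf("setuid  (permanent drop): root regained = %d\n", can_regain_root(1));
    return 0;
}
```

Run as root with the ability to change uid and gid, the first line reports 1 and the second 0; run as an unprivileged user, both report 0 because there was no root to drop.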










More information about the openssh-unix-dev mailing list