pam + privileges

Nick Lange nicklange at wi.rr.com
Thu May 1 01:24:08 EST 2003


James,
   the chroot patch I wrote for 3.5p1 (and am in the process of deploying for 
3.6 series) works with PAM and privsep. dunno if it helps your particular 
situation or not.
http://majikal.dyn.dhs.org/projekts/openssh_chroot_patch/
cheers,
nick

P.S. anyone seen any recent file transfer patches logging for sftp / scp? 
(Before I write one myself.)

James Williamson wrote:
>>James Williamson wrote:
>>
>>>Hi,
>>>
>>>Apologies if my attempts to subscribe bombarded this list with empty
>>>emails.
>>>
>>>We're running openssh 3.6.1p1 on Linux i386 and need to chroot and
>>>modify people's capabilities (Linux specific) when they log in. To do this
>>>we've compiled openssh with pam support and then configured pam to chroot
>>>people and alter their capabilities (such as giving them the privilege to
>>>bind to a port below 1024). In the past we've used the chroot patch which
>>>works well, yet using pam to chroot and grant capabilities fails.
>>>
>>>I've scanned through the code and it seems openssh is giving away root
>>>privilege very early in the pam pipeline. By the time it reaches the
>>>password / session stages it's given up all root privileges. The problem is
>>>the chroot and capability pam modules apply their changes during the pam
>>>session stage, so you'd expect root to still be in control until the pam
>>>session stage.
>>>
>>>Can anyone let me know if this was/is a conscious design decision?
>>
>>Absolutely, our goal is to have as little code as possible running with
>>root privileges.
>>
>>Whether pam_session should run with root is a matter of debate though.
>>Have a look through bugzilla.mindrot.org, there is a bug open for this.
>>
> 
> 
> Thanks,
> 
> I've had a look at the 'bug'. Rather than using setuid, why not use
> setreuid or seteuid to temporarily give up privileges? This is how sendmail
> handles the 'run as root as infrequently as possible' issue. If I write a
> patch, is it likely to be accepted?
> 
> Regards,
> 
> James Williamson
> www.nameonthe.net
> Tel: +44 208 7415453
> Fax: + 44 208 7411615
> 
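The setuid-versus-seteuid question raised in the quoted message is the crux of the design point: a drop done with seteuid() keeps the original identity in the saved uid and can be reverted, while setuid() as root rewrites real, effective and saved uid and cannot. The probe below is an added illustration, not code from this thread or from OpenSSH; it runs each style of drop in a forked child and reports whether the child could become root again, which is the check a reviewer would want after any privilege drop. It assumes uid 65534 ("nobody") as the unprivileged target when started as root; started as an ordinary user it can only show that root is not reachable either way.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unprivileged uid used when the probe starts as root (assumed: nobody). */
#define UNPRIV_UID 65534

/* Performs one privilege drop in a forked child, then checks whether the
 * child can still get effective uid 0 back.  The caller's own credentials
 * are never touched.
 *   permanent != 0 : drop with setuid(); as root this rewrites real,
 *                    effective and saved uid, so root is gone for good.
 *   permanent == 0 : drop with seteuid() only; the saved uid still holds
 *                    the original identity, so the drop can be reverted.
 * Returns 1 if the child regained root, 0 if it could not, -1 on error. */
int privileges_regainable(int permanent)
{
    uid_t orig = geteuid();
    uid_t target = (orig == 0) ? UNPRIV_UID : orig;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = permanent ? setuid(target) : seteuid(target);
        if (rc != 0 || geteuid() != target)
            _exit(2);                 /* the drop itself failed */
        /* A correct permanent drop must make this attempt fail. */
        if (seteuid(0) == 0 && geteuid() == 0)
            _exit(1);                 /* root regained */
        _exit(0);                     /* root not reachable */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return (code == 2) ? -1 : code;
}

int main(void)
{
    printf("temporary drop (seteuid): root regainable = %d\n",
           privileges_regainable(0));
    printf("permanent drop (setuid):  root regainable = %d\n",
           privileges_regainable(1));
    return 0;
}
```

Run it as root to see the two results differ (1 for the seteuid() drop, 0 for the setuid() drop); that difference is why a process that only drops temporarily is still a root process from an attacker's point of view, and why OpenSSH prefers to drop for good and split the work across processes.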
