Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664

Luke Kenneth Casson Leighton lkcl at lkcl.net
Sun May 30 22:35:07 EST 2004


On Sun, May 30, 2004 at 09:48:31PM +1000, Damien Miller wrote:

> Luke Kenneth Casson Leighton wrote:
> > On Sun, May 30, 2004 at 07:43:52PM +1000, Damien Miller wrote:
> >>but it doesn't seem to do much at all - the only code change is the
> >>marking of a ssh-agent fd to be close-on-exec.
> >
> >  that, and the inclusion of  pam_selinux.so as a required session
> >  plugin, and the setting of a security context on the DSA and
> >  RSA keys in sshd initialisation (a redhat rpm thing?)
> 
> I think we should leave these changes for the vendors of SELinux
> enabled distributions. We want the current files to work for everyone.
 
 hmm, *thinks*.

 ... redhat is going to SE/Linux "by default".

 ... debian probably isn't, so has to cater for both.

 ... therefore a separate mechanism is required - e.g. a package
     named openssh-selinux - which has one extra patch:
     to add in pam_session.so to /etc/pam.d/ssh.

     [ yuk! but hey, it's not for you to deal with. ]

> The files in contrib/redhat get synced from time to time. so they will
> pick up changes in their distribution (eventually).
> 
> >>Is this the patch that you are referring to?
> >  
> >   yes it is.
> > 
> >   the ssh-agent fd close-on-exec is actually a really important
> >   security bug because otherwise you end up with an open file
> >   descriptor being passed over to a process that should have no
> >   rights or use for it.
> 
> The FD in question is to /dev/null and closed anyway if it isn't
> dup'd to one of std{in,out,err} so I can't see how this achieves
> anything.
 
 well, i'd be remiss in not mentioning it to you: fortunately
 in this case it looks like it's covered.

 it'd be really helpful, however, if you _could_ apply that
 close-on-exec, because without it, it's necessary to add an
 audit "ignore" just for that file handle, which could come
 back and bite you later, or to constantly and forever apply
 that patch in all releases of an openssh'd selinux package.
 

> >   SE/Linux is really cool in that respect: the audit process
> >   logged that this file handle was being passed over to a child
> >   process, and the policy for ssh-agent said that that wasn't
> >   allowed.
> > 
> >   cool, huh? :)
> 
> Not in this case, no :)

 :)

> >   [apparently, PAM has a similar bug in /sbin/unix_verify:
> > 
> > 	   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248310
> > 
> >    but the debian maintainer for pam is being a bit of an idiot
> >    and won't look at it.  sorry, mr hartmans, but it's bypass time,
> >    and your comments _are_ a matter of public record, after all]
> 
> Please don't drag SELinux fights onto our list, we have enough of
> our own.
 
 *lol*.  ack.  please ignore: it was intended for pam-list anyway.

 l.
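The close-on-exec point argued above, as an added example that is not part of this thread or of OpenSSH: a descriptor a parent forgets to mark FD_CLOEXEC is inherited by whatever it execs, while one marked FD_CLOEXEC is gone by the time the child runs. The child here is /bin/sh redirecting to the inherited fd number (an assumption for the demo; the real case is ssh-agent's child).

```c
/* Added example (not code from the thread or from OpenSSH): demonstrates
 * why marking a descriptor FD_CLOEXEC stops it leaking into an exec'd child. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, preserving any other descriptor flags. 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Return 1 if a child that execs /bin/sh can still write through an
 * inherited pipe descriptor, 0 if the descriptor was closed at exec time,
 * -1 on error. The shell redirects to the inherited fd number; once the
 * fd is marked FD_CLOEXEC that redirection fails with EBADF in the child. */
int child_inherits_fd(int cloexec)
{
    int p[2];
    char cmd[64], buf[8];
    ssize_t n; pid_t pid;
    if (pipe(p) < 0)
        return -1;
    if (cloexec && set_cloexec(p[1]) < 0)
        return -1;
    snprintf(cmd, sizeof cmd, "printf x >&%d 2>/dev/null", p[1]);
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(p[1]);                      /* parent keeps only the read end */
    n = read(p[0], buf, sizeof buf);  /* returns 0 (EOF) once no write end is open */
    close(p[0]);
    waitpid(pid, NULL, 0);
    return n > 0 ? 1 : 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: child can use the fd = %d\n", child_inherits_fd(0));
    printf("with FD_CLOEXEC:    child can use the fd = %d\n", child_inherits_fd(1));
    return 0;
}
```

On Linux, pipe2() and open() with O_CLOEXEC set the flag atomically at creation, which closes the window between creating the descriptor and the fcntl() call in a threaded program that may fork in between.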