Priv Sep SSH has / as CWD
Dan Yefimov
dan at lightwave.net.ru
Mon Feb 15 07:19:13 EST 2010
On 14.02.2010 18:59, Jon Kibler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> This may or may not be a bug. However, it is DEFINITELY NOT how I would
> expect and want to see sshd work!
>
> If you run lsof against sshd on a privilege separated user, it shows
> that sshd's CWD is /. I would hope that the CWD would be at a minimum
> /var/empty/sshd and I would really have thought it would be something
> along the lines of /var/empty/sshd/USER. (In fact, lsof does not show
> any references to /var/empty... which I assume means that it is only
> referenced during startup??)
>
> I also noticed that the listener sshd also has / as its CWD. I would
> have thought that it would have had ~root or /var/run as its CWD to
> prevent core files from being left in / where it may be possible for
> someone to find and pursue those files.
>
> Tech details of this issue follow signature paragraph.
>
> TIA for at least thinking about this!
>
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
> e: Jon.Kibler at aset.com or Jon.R.Kibler at gmail.com
> s: JonRKibler
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
>
>
>
> OpenSSH_5.3p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>
> OpenSSH has been configured with the following options:
> User binaries: /usr/local/bin
> System binaries: /usr/local/sbin
> Configuration files: /usr/local/etc/ssh
> Askpass program: /usr/local/libexec/ssh-askpass
> Manual pages: /usr/local/share/man/manX
> PID file: /var/run
> Privilege separation chroot path: /var/empty
> sshd default user PATH:
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
> Manpage format: doc
> PAM support: yes
> OSF SIA support: no
> KerberosV support: yes
> SELinux support: yes
> Smartcard support: no
> S/KEY support: no
> TCP Wrappers support: yes
> MD5 password support: yes
> libedit support: no
> Solaris process contract support: no
> IP address in $DISPLAY hack: no
> Translate v4 in v6 hack: yes
> BSD Auth support: no
> Random number source: OpenSSL internal ONLY
>
> Host: x86_64-unknown-linux-gnu
> Compiler: gcc
> Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
> - -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset
> - -fstack-protector-all -std=gnu99
> Preprocessor flags:
> Linker flags: -fstack-protector-all
> Libraries: -lcrypto -lutil -lz -lnsl -lcrypt -lresolv
> - -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
> +for sshd: -lwrap -lpam -ldl -lselinux
>
> PAM is enabled. You may need to install a PAM control file
> for sshd, otherwise password authentication may fail.
> Example PAM control files can be found in the contrib/
> subdirectory
>
>
>
> ===============
> root 3100 23936 0 14:58 ? 00:00:00 sshd: kiblerj [priv]
> kiblerj 3102 3100 0 14:58 ? 00:00:00 sshd: kiblerj at pts/2
> root 23936 1 0 14:31 ? 00:00:00 /usr/local/sbin/sshd
> ===============
>> lsof -p 23936
>> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>> sshd 23936 root cwd DIR 9,1 4096 2 /
>> sshd 23936 root rtd DIR 9,1 4096 2 /
>> sshd 23936 root txt REG 253,6 447744 1081352 /usr/local/sbin/sshd (deleted)
>> sshd 23936 root mem REG 9,1 139416 65572 /lib64/ld-2.5.so
>> sshd 23936 root mem REG 9,1 1717800 65573 /lib64/libc-2.5.so
>> sshd 23936 root mem REG 9,1 37368 65723 /lib64/libwrap.so.0.7.6
>> sshd 23936 root mem REG 253,5 85608 1050003 /usr/lib64/libz.so.1.2.3
>> sshd 23936 root mem REG 9,1 247496 65887 /lib64/libsepol.so.1
>> sshd 23936 root mem REG 9,1 95464 65888 /lib64/libselinux.so.1
>> sshd 23936 root mem REG 9,1 48600 65885 /lib64/libcrypt-2.5.so
>> sshd 23936 root mem REG 9,1 114352 65884 /lib64/libnsl-2.5.so
>> sshd 23936 root mem REG 9,1 46800 65890 /lib64/libpam.so.0.81.5
>> sshd 23936 root mem REG 9,1 9472 65857 /lib64/libkeyutils-1.2.so
>> sshd 23936 root mem REG 9,1 1366208 65895 /lib64/libcrypto.so.0.9.8e
>> sshd 23936 root mem REG 9,1 10000 65894 /lib64/libcom_err.so.2.1
>> sshd 23936 root mem REG 9,1 92736 65603 /lib64/libresolv-2.5.so
>> sshd 23936 root mem REG 253,5 153624 1050086 /usr/lib64/libk5crypto.so.3.1
>> sshd 23936 root mem REG 253,5 35728 1050085 /usr/lib64/libkrb5support.so.0.1
>> sshd 23936 root mem REG 253,5 613896 1050087 /usr/lib64/libkrb5.so.3.3
>> sshd 23936 root mem REG 253,5 190976 1050089 /usr/lib64/libgssapi_krb5.so.2.2
>> sshd 23936 root mem REG 9,1 18152 65886 /lib64/libutil-2.5.so
>> sshd 23936 root mem REG 9,1 23360 65880 /lib64/libdl-2.5.so
>> sshd 23936 root mem REG 9,1 107112 65889 /lib64/libaudit.so.0.0.0
>> sshd 23936 root mem REG 9,1 53880 65588 /lib64/libnss_files-2.5.so
>> sshd 23936 root 0u CHR 1,3 1908 /dev/null
>> sshd 23936 root 1u CHR 1,3 1908 /dev/null
>> sshd 23936 root 2u CHR 1,3 1908 /dev/null
>> sshd 23936 root 3u IPv4 3632731 TCP *:ssh (LISTEN)
> ===============
>> lsof -p 3100
>> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>> sshd 3100 root cwd DIR 9,1 4096 2 /
>> sshd 3100 root rtd DIR 9,1 4096 2 /
>> sshd 3100 root txt REG 253,6 447744 1081353 /usr/local/sbin/sshd (deleted)
>> sshd 3100 root mem REG 9,1 139416 65572 /lib64/ld-2.5.so
>> sshd 3100 root mem REG 9,1 1717800 65573 /lib64/libc-2.5.so
>> sshd 3100 root mem REG 9,1 37368 65723 /lib64/libwrap.so.0.7.6
>> sshd 3100 root mem REG 253,5 85608 1050003 /usr/lib64/libz.so.1.2.3
>> sshd 3100 root mem REG 9,1 247496 65887 /lib64/libsepol.so.1
>> sshd 3100 root mem REG 9,1 95464 65888 /lib64/libselinux.so.1
>> sshd 3100 root mem REG 9,1 48600 65885 /lib64/libcrypt-2.5.so
>> sshd 3100 root mem REG 9,1 114352 65884 /lib64/libnsl-2.5.so
>> sshd 3100 root mem REG 9,1 46800 65890 /lib64/libpam.so.0.81.5
>> sshd 3100 root mem REG 9,1 9472 65857 /lib64/libkeyutils-1.2.so
>> sshd 3100 root mem REG 9,1 1366208 65895 /lib64/libcrypto.so.0.9.8e
>> sshd 3100 root mem REG 9,1 10000 65894 /lib64/libcom_err.so.2.1
>> sshd 3100 root mem REG 9,1 92736 65603 /lib64/libresolv-2.5.so
>> sshd 3100 root mem REG 253,5 153624 1050086 /usr/lib64/libk5crypto.so.3.1
>> sshd 3100 root mem REG 253,5 35728 1050085 /usr/lib64/libkrb5support.so.0.1
>> sshd 3100 root mem REG 253,5 613896 1050087 /usr/lib64/libkrb5.so.3.3
>> sshd 3100 root mem REG 253,5 190976 1050089 /usr/lib64/libgssapi_krb5.so.2.2
>> sshd 3100 root mem REG 9,1 18152 65886 /lib64/libutil-2.5.so
>> sshd 3100 root mem REG 9,1 23360 65880 /lib64/libdl-2.5.so
>> sshd 3100 root mem REG 9,1 107112 65889 /lib64/libaudit.so.0.0.0
>> sshd 3100 root mem REG 9,1 53880 65588 /lib64/libnss_files-2.5.so
>> sshd 3100 root DEL REG 0,9 3642343 /dev/zero
>> sshd 3100 root mem REG 9,1 23736 65586 /lib64/libnss_dns-2.5.so
>> sshd 3100 root mem REG 9,1 11176 65864 /lib64/security/pam_tally.so
>> sshd 3100 root mem REG 9,1 11504 65760 /lib64/security/pam_env.so
>> sshd 3100 root mem REG 9,1 48824 65797 /lib64/security/pam_unix.so
>> sshd 3100 root mem REG 253,5 40896 1049703 /usr/lib64/libcrack.so.2.8.0
>> sshd 3100 root mem REG 9,1 12272 65790 /lib64/security/pam_succeed_if.so
>> sshd 3100 root mem REG 9,1 4040 65758 /lib64/security/pam_deny.so
>> sshd 3100 root mem REG 9,1 5648 65778 /lib64/security/pam_nologin.so
>> sshd 3100 root mem REG 9,1 4416 65779 /lib64/security/pam_permit.so
>> sshd 3100 root mem REG 9,1 12928 65756 /lib64/security/pam_cracklib.so
>> sshd 3100 root mem REG 9,1 15152 65786 /lib64/security/pam_selinux.so
>> sshd 3100 root mem REG 9,1 6808 65768 /lib64/security/pam_keyinit.so
>> sshd 3100 root mem REG 9,1 15048 65770 /lib64/security/pam_limits.so
>> sshd 3100 root mem REG 9,1 6584 65773 /lib64/security/pam_loginuid.so
>> sshd 3100 root mem REG 9,1 5080 65803 /lib64/security/pam_warn.so
>> sshd 3100 root DEL REG 0,9 3642362 /dev/zero
>> sshd 3100 root 0u CHR 1,3 1908 /dev/null
>> sshd 3100 root 1u CHR 1,3 1908 /dev/null
>> sshd 3100 root 2u CHR 1,3 1908 /dev/null
>> sshd 3100 root 3u IPv4 3642329 TCP FOO.DOM:ssh->68-26-27-159.pools.spcsdns.net:54719 (ESTABLISHED)
>> sshd 3100 root 4u unix 0xffff8100189aa8c0 3642382 socket
>> sshd 3100 root 5u CHR 5,2 778 /dev/ptmx
>> sshd 3100 root 6u unix 0xffff810034004ec0 3642390 socket
> ===============
>> lsof -p 3102
>> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>> sshd 3102 kiblerj cwd DIR 9,1 4096 2 /
>> sshd 3102 kiblerj rtd DIR 9,1 4096 2 /
>> sshd 3102 kiblerj txt REG 253,6 447744 1081353 /usr/local/sbin/sshd (deleted)
>> sshd 3102 kiblerj mem REG 9,1 139416 65572 /lib64/ld-2.5.so
>> sshd 3102 kiblerj mem REG 9,1 1717800 65573 /lib64/libc-2.5.so
>> sshd 3102 kiblerj mem REG 9,1 37368 65723 /lib64/libwrap.so.0.7.6
>> sshd 3102 kiblerj mem REG 253,5 85608 1050003 /usr/lib64/libz.so.1.2.3
>> sshd 3102 kiblerj mem REG 9,1 247496 65887 /lib64/libsepol.so.1
>> sshd 3102 kiblerj mem REG 9,1 95464 65888 /lib64/libselinux.so.1
>> sshd 3102 kiblerj mem REG 9,1 48600 65885 /lib64/libcrypt-2.5.so
>> sshd 3102 kiblerj mem REG 9,1 114352 65884 /lib64/libnsl-2.5.so
>> sshd 3102 kiblerj mem REG 9,1 46800 65890 /lib64/libpam.so.0.81.5
>> sshd 3102 kiblerj mem REG 9,1 9472 65857 /lib64/libkeyutils-1.2.so
>> sshd 3102 kiblerj mem REG 9,1 1366208 65895 /lib64/libcrypto.so.0.9.8e
>> sshd 3102 kiblerj mem REG 9,1 10000 65894 /lib64/libcom_err.so.2.1
>> sshd 3102 kiblerj mem REG 9,1 92736 65603 /lib64/libresolv-2.5.so
>> sshd 3102 kiblerj mem REG 253,5 153624 1050086 /usr/lib64/libk5crypto.so.3.1
>> sshd 3102 kiblerj mem REG 253,5 35728 1050085 /usr/lib64/libkrb5support.so.0.1
>> sshd 3102 kiblerj mem REG 253,5 613896 1050087 /usr/lib64/libkrb5.so.3.3
>> sshd 3102 kiblerj mem REG 253,5 190976 1050089 /usr/lib64/libgssapi_krb5.so.2.2
>> sshd 3102 kiblerj mem REG 9,1 18152 65886 /lib64/libutil-2.5.so
>> sshd 3102 kiblerj mem REG 9,1 23360 65880 /lib64/libdl-2.5.so
>> sshd 3102 kiblerj mem REG 9,1 107112 65889 /lib64/libaudit.so.0.0.0
>> sshd 3102 kiblerj mem REG 9,1 53880 65588 /lib64/libnss_files-2.5.so
>> sshd 3102 kiblerj DEL REG 0,9 3642343 /dev/zero
>> sshd 3102 kiblerj mem REG 9,1 23736 65586 /lib64/libnss_dns-2.5.so
>> sshd 3102 kiblerj mem REG 9,1 11176 65864 /lib64/security/pam_tally.so
>> sshd 3102 kiblerj mem REG 9,1 11504 65760 /lib64/security/pam_env.so
>> sshd 3102 kiblerj mem REG 9,1 48824 65797 /lib64/security/pam_unix.so
>> sshd 3102 kiblerj mem REG 253,5 40896 1049703 /usr/lib64/libcrack.so.2.8.0
>> sshd 3102 kiblerj mem REG 9,1 12272 65790 /lib64/security/pam_succeed_if.so
>> sshd 3102 kiblerj mem REG 9,1 4040 65758 /lib64/security/pam_deny.so
>> sshd 3102 kiblerj mem REG 9,1 5648 65778 /lib64/security/pam_nologin.so
>> sshd 3102 kiblerj mem REG 9,1 4416 65779 /lib64/security/pam_permit.so
>> sshd 3102 kiblerj mem REG 9,1 12928 65756 /lib64/security/pam_cracklib.so
>> sshd 3102 kiblerj mem REG 9,1 15152 65786 /lib64/security/pam_selinux.so
>> sshd 3102 kiblerj mem REG 9,1 6808 65768 /lib64/security/pam_keyinit.so
>> sshd 3102 kiblerj mem REG 9,1 15048 65770 /lib64/security/pam_limits.so
>> sshd 3102 kiblerj mem REG 9,1 6584 65773 /lib64/security/pam_loginuid.so
>> sshd 3102 kiblerj mem REG 9,1 5080 65803 /lib64/security/pam_warn.so
>> sshd 3102 kiblerj DEL REG 0,9 3642362 /dev/zero
>> sshd 3102 kiblerj 0u CHR 1,3 1908 /dev/null
>> sshd 3102 kiblerj 1u CHR 1,3 1908 /dev/null
>> sshd 3102 kiblerj 2u CHR 1,3 1908 /dev/null
>> sshd 3102 kiblerj 3u IPv4 3642329 TCP FOO.DOM:ssh->68-26-27-159.pools.spcsdns.net:54719 (ESTABLISHED)
>> sshd 3102 kiblerj 4u unix 0xffff8100189aa8c0 3642382 socket
>> sshd 3102 kiblerj 5u unix 0xffff810034004940 3642389 socket
>> sshd 3102 kiblerj 6r FIFO 0,6 3642409 pipe
>> sshd 3102 kiblerj 7w FIFO 0,6 3642409 pipe
>> sshd 3102 kiblerj 8u IPv4 3642410 TCP localhost.localdomain:x11-ssh-offset (LISTEN)
>> sshd 3102 kiblerj 9u CHR 5,2 778 /dev/ptmx
>> sshd 3102 kiblerj 11u CHR 5,2 778 /dev/ptmx
>> sshd 3102 kiblerj 12u CHR 5,2 778 /dev/ptmx
> ===============
>
OpenSSH has nothing to do with that. That is a kernel feature. If some process
does chroot() while having it as a CWD, it will be shown as "/" by lsof just
because it is root directory for that process.
--
Sincerely Yours, Dan.
More information about the openssh-unix-dev
mailing list