Priv Sep SSH has / as CWD

LDB thesource at ldb-jab.org
Mon Feb 15 08:00:21 EST 2010


On 02/14/2010 03:19 PM, Dan Yefimov wrote:
> On 14.02.2010 18:59, Jon Kibler wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> This may or may not be a bug. However, it is DEFINITELY NOT how I would
>> expect and want to see sshd work!
>>
>> If you run lsof against sshd on a privilege separated user, it shows
>> that sshd's CWD is /. I would hope that the CWD would be at a minimum
>> /var/empty/sshd and I would really have thought it would be something
>> along the lines of /var/empty/sshd/USER. (In fact, lsof does not show
>> any references to /var/empty... which I assume means that it is only
>> referenced during startup??)
>>
>> I also noticed that the listener sshd also has / as its CWD. I would
>> have thought that it would have had ~root or /var/run as its CWD to
>> prevent core files from being left in / where it may be possible for
>> someone to find and pursue those files.
>>
>> Tech details of this issue follow signature paragraph.
>>
>> TIA for at least thinking about this!
>>
>> Jon Kibler
>> - -- 
>> Jon R. Kibler
>> Chief Technical Officer
>> Advanced Systems Engineering Technology, Inc.
>> Charleston, SC  USA
>> o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
>> e: Jon.Kibler at aset.com or Jon.R.Kibler at gmail.com
>> s: JonRKibler
>> http://www.linkedin.com/in/jonrkibler
>>
>> My PGP Fingerprint is:
>> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>>
>>
>>
>>
>>
>> OpenSSH_5.3p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>>
>> OpenSSH has been configured with the following options:
>>                       User binaries: /usr/local/bin
>>                     System binaries: /usr/local/sbin
>>                 Configuration files: /usr/local/etc/ssh
>>                     Askpass program: /usr/local/libexec/ssh-askpass
>>                        Manual pages: /usr/local/share/man/manX
>>                            PID file: /var/run
>>    Privilege separation chroot path: /var/empty
>>              sshd default user PATH:
>> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
>>                      Manpage format: doc
>>                         PAM support: yes
>>                     OSF SIA support: no
>>                   KerberosV support: yes
>>                     SELinux support: yes
>>                   Smartcard support: no
>>                       S/KEY support: no
>>                TCP Wrappers support: yes
>>                MD5 password support: yes
>>                     libedit support: no
>>    Solaris process contract support: no
>>         IP address in $DISPLAY hack: no
>>             Translate v4 in v6 hack: yes
>>                    BSD Auth support: no
>>                Random number source: OpenSSL internal ONLY
>>
>>                Host: x86_64-unknown-linux-gnu
>>            Compiler: gcc
>>      Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
>> - -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset
>> - -fstack-protector-all -std=gnu99
>> Preprocessor flags:
>>        Linker flags:  -fstack-protector-all
>>           Libraries: -lcrypto -lutil -lz -lnsl  -lcrypt -lresolv
>> - -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
>>           +for sshd:  -lwrap -lpam -ldl -lselinux
>>
>> PAM is enabled. You may need to install a PAM control file
>> for sshd, otherwise password authentication may fail.
>> Example PAM control files can be found in the contrib/
>> subdirectory
>>
>>
>>
>> ===============
>> root      3100 23936  0 14:58 ?        00:00:00 sshd: kiblerj [priv]
>> kiblerj   3102  3100  0 14:58 ?        00:00:00 sshd: kiblerj at pts/2
>> root     23936     1  0 14:31 ?        00:00:00 /usr/local/sbin/sshd
>> ===============
>>> lsof -p 23936
>>> COMMAND   PID USER   FD   TYPE  DEVICE    SIZE    NODE NAME
>>> sshd    23936 root  cwd    DIR     9,1    4096       2 /
>>> sshd    23936 root  rtd    DIR     9,1    4096       2 /
>>> sshd    23936 root  txt    REG   253,6  447744 1081352
>>> /usr/local/sbin/sshd (deleted)
>>> sshd    23936 root  mem    REG     9,1  139416   65572 /lib64/ld-2.5.so
>>> sshd    23936 root  mem    REG     9,1 1717800   65573
>>> /lib64/libc-2.5.so
>>> sshd    23936 root  mem    REG     9,1   37368   65723
>>> /lib64/libwrap.so.0.7.6
>>> sshd    23936 root  mem    REG   253,5   85608 1050003
>>> /usr/lib64/libz.so.1.2.3
>>> sshd    23936 root  mem    REG     9,1  247496   65887
>>> /lib64/libsepol.so.1
>>> sshd    23936 root  mem    REG     9,1   95464   65888
>>> /lib64/libselinux.so.1
>>> sshd    23936 root  mem    REG     9,1   48600   65885
>>> /lib64/libcrypt-2.5.so
>>> sshd    23936 root  mem    REG     9,1  114352   65884
>>> /lib64/libnsl-2.5.so
>>> sshd    23936 root  mem    REG     9,1   46800   65890
>>> /lib64/libpam.so.0.81.5
>>> sshd    23936 root  mem    REG     9,1    9472   65857
>>> /lib64/libkeyutils-1.2.so
>>> sshd    23936 root  mem    REG     9,1 1366208   65895
>>> /lib64/libcrypto.so.0.9.8e
>>> sshd    23936 root  mem    REG     9,1   10000   65894
>>> /lib64/libcom_err.so.2.1
>>> sshd    23936 root  mem    REG     9,1   92736   65603
>>> /lib64/libresolv-2.5.so
>>> sshd    23936 root  mem    REG   253,5  153624 1050086
>>> /usr/lib64/libk5crypto.so.3.1
>>> sshd    23936 root  mem    REG   253,5   35728 1050085
>>> /usr/lib64/libkrb5support.so.0.1
>>> sshd    23936 root  mem    REG   253,5  613896 1050087
>>> /usr/lib64/libkrb5.so.3.3
>>> sshd    23936 root  mem    REG   253,5  190976 1050089
>>> /usr/lib64/libgssapi_krb5.so.2.2
>>> sshd    23936 root  mem    REG     9,1   18152   65886
>>> /lib64/libutil-2.5.so
>>> sshd    23936 root  mem    REG     9,1   23360   65880
>>> /lib64/libdl-2.5.so
>>> sshd    23936 root  mem    REG     9,1  107112   65889
>>> /lib64/libaudit.so.0.0.0
>>> sshd    23936 root  mem    REG     9,1   53880   65588
>>> /lib64/libnss_files-2.5.so
>>> sshd    23936 root    0u   CHR     1,3            1908 /dev/null
>>> sshd    23936 root    1u   CHR     1,3            1908 /dev/null
>>> sshd    23936 root    2u   CHR     1,3            1908 /dev/null
>>> sshd    23936 root    3u  IPv4 3632731             TCP *:ssh (LISTEN)
>> ===============
>>> lsof -p 3100
>>> COMMAND  PID USER   FD   TYPE             DEVICE    SIZE    NODE NAME
>>> sshd    3100 root  cwd    DIR                9,1    4096       2 /
>>> sshd    3100 root  rtd    DIR                9,1    4096       2 /
>>> sshd    3100 root  txt    REG              253,6  447744 1081353
>>> /usr/local/sbin/sshd (deleted)
>>> sshd    3100 root  mem    REG                9,1  139416   65572
>>> /lib64/ld-2.5.so
>>> sshd    3100 root  mem    REG                9,1 1717800   65573
>>> /lib64/libc-2.5.so
>>> sshd    3100 root  mem    REG                9,1   37368   65723
>>> /lib64/libwrap.so.0.7.6
>>> sshd    3100 root  mem    REG              253,5   85608 1050003
>>> /usr/lib64/libz.so.1.2.3
>>> sshd    3100 root  mem    REG                9,1  247496   65887
>>> /lib64/libsepol.so.1
>>> sshd    3100 root  mem    REG                9,1   95464   65888
>>> /lib64/libselinux.so.1
>>> sshd    3100 root  mem    REG                9,1   48600   65885
>>> /lib64/libcrypt-2.5.so
>>> sshd    3100 root  mem    REG                9,1  114352   65884
>>> /lib64/libnsl-2.5.so
>>> sshd    3100 root  mem    REG                9,1   46800   65890
>>> /lib64/libpam.so.0.81.5
>>> sshd    3100 root  mem    REG                9,1    9472   65857
>>> /lib64/libkeyutils-1.2.so
>>> sshd    3100 root  mem    REG                9,1 1366208   65895
>>> /lib64/libcrypto.so.0.9.8e
>>> sshd    3100 root  mem    REG                9,1   10000   65894
>>> /lib64/libcom_err.so.2.1
>>> sshd    3100 root  mem    REG                9,1   92736   65603
>>> /lib64/libresolv-2.5.so
>>> sshd    3100 root  mem    REG              253,5  153624 1050086
>>> /usr/lib64/libk5crypto.so.3.1
>>> sshd    3100 root  mem    REG              253,5   35728 1050085
>>> /usr/lib64/libkrb5support.so.0.1
>>> sshd    3100 root  mem    REG              253,5  613896 1050087
>>> /usr/lib64/libkrb5.so.3.3
>>> sshd    3100 root  mem    REG              253,5  190976 1050089
>>> /usr/lib64/libgssapi_krb5.so.2.2
>>> sshd    3100 root  mem    REG                9,1   18152   65886
>>> /lib64/libutil-2.5.so
>>> sshd    3100 root  mem    REG                9,1   23360   65880
>>> /lib64/libdl-2.5.so
>>> sshd    3100 root  mem    REG                9,1  107112   65889
>>> /lib64/libaudit.so.0.0.0
>>> sshd    3100 root  mem    REG                9,1   53880   65588
>>> /lib64/libnss_files-2.5.so
>>> sshd    3100 root  DEL    REG                0,9         3642343
>>> /dev/zero
>>> sshd    3100 root  mem    REG                9,1   23736   65586
>>> /lib64/libnss_dns-2.5.so
>>> sshd    3100 root  mem    REG                9,1   11176   65864
>>> /lib64/security/pam_tally.so
>>> sshd    3100 root  mem    REG                9,1   11504   65760
>>> /lib64/security/pam_env.so
>>> sshd    3100 root  mem    REG                9,1   48824   65797
>>> /lib64/security/pam_unix.so
>>> sshd    3100 root  mem    REG              253,5   40896 1049703
>>> /usr/lib64/libcrack.so.2.8.0
>>> sshd    3100 root  mem    REG                9,1   12272   65790
>>> /lib64/security/pam_succeed_if.so
>>> sshd    3100 root  mem    REG                9,1    4040   65758
>>> /lib64/security/pam_deny.so
>>> sshd    3100 root  mem    REG                9,1    5648   65778
>>> /lib64/security/pam_nologin.so
>>> sshd    3100 root  mem    REG                9,1    4416   65779
>>> /lib64/security/pam_permit.so
>>> sshd    3100 root  mem    REG                9,1   12928   65756
>>> /lib64/security/pam_cracklib.so
>>> sshd    3100 root  mem    REG                9,1   15152   65786
>>> /lib64/security/pam_selinux.so
>>> sshd    3100 root  mem    REG                9,1    6808   65768
>>> /lib64/security/pam_keyinit.so
>>> sshd    3100 root  mem    REG                9,1   15048   65770
>>> /lib64/security/pam_limits.so
>>> sshd    3100 root  mem    REG                9,1    6584   65773
>>> /lib64/security/pam_loginuid.so
>>> sshd    3100 root  mem    REG                9,1    5080   65803
>>> /lib64/security/pam_warn.so
>>> sshd    3100 root  DEL    REG                0,9         3642362
>>> /dev/zero
>>> sshd    3100 root    0u   CHR                1,3            1908
>>> /dev/null
>>> sshd    3100 root    1u   CHR                1,3            1908
>>> /dev/null
>>> sshd    3100 root    2u   CHR                1,3            1908
>>> /dev/null
>>> sshd    3100 root    3u  IPv4            3642329             TCP
>>> FOO.DOM:ssh->68-26-27-159.pools.spcsdns.net:54719 (ESTABLISHED)
>>> sshd    3100 root    4u  unix 0xffff8100189aa8c0         3642382 socket
>>> sshd    3100 root    5u   CHR                5,2             778
>>> /dev/ptmx
>>> sshd    3100 root    6u  unix 0xffff810034004ec0         3642390 socket
>> ===============
>>> lsof -p 3102
>>> COMMAND  PID    USER   FD   TYPE             DEVICE    SIZE    NODE NAME
>>> sshd    3102 kiblerj  cwd    DIR                9,1    4096       2 /
>>> sshd    3102 kiblerj  rtd    DIR                9,1    4096       2 /
>>> sshd    3102 kiblerj  txt    REG              253,6  447744 1081353
>>> /usr/local/sbin/sshd (deleted)
>>> sshd    3102 kiblerj  mem    REG                9,1  139416   65572
>>> /lib64/ld-2.5.so
>>> sshd    3102 kiblerj  mem    REG                9,1 1717800   65573
>>> /lib64/libc-2.5.so
>>> sshd    3102 kiblerj  mem    REG                9,1   37368   65723
>>> /lib64/libwrap.so.0.7.6
>>> sshd    3102 kiblerj  mem    REG              253,5   85608 1050003
>>> /usr/lib64/libz.so.1.2.3
>>> sshd    3102 kiblerj  mem    REG                9,1  247496   65887
>>> /lib64/libsepol.so.1
>>> sshd    3102 kiblerj  mem    REG                9,1   95464   65888
>>> /lib64/libselinux.so.1
>>> sshd    3102 kiblerj  mem    REG                9,1   48600   65885
>>> /lib64/libcrypt-2.5.so
>>> sshd    3102 kiblerj  mem    REG                9,1  114352   65884
>>> /lib64/libnsl-2.5.so
>>> sshd    3102 kiblerj  mem    REG                9,1   46800   65890
>>> /lib64/libpam.so.0.81.5
>>> sshd    3102 kiblerj  mem    REG                9,1    9472   65857
>>> /lib64/libkeyutils-1.2.so
>>> sshd    3102 kiblerj  mem    REG                9,1 1366208   65895
>>> /lib64/libcrypto.so.0.9.8e
>>> sshd    3102 kiblerj  mem    REG                9,1   10000   65894
>>> /lib64/libcom_err.so.2.1
>>> sshd    3102 kiblerj  mem    REG                9,1   92736   65603
>>> /lib64/libresolv-2.5.so
>>> sshd    3102 kiblerj  mem    REG              253,5  153624 1050086
>>> /usr/lib64/libk5crypto.so.3.1
>>> sshd    3102 kiblerj  mem    REG              253,5   35728 1050085
>>> /usr/lib64/libkrb5support.so.0.1
>>> sshd    3102 kiblerj  mem    REG              253,5  613896 1050087
>>> /usr/lib64/libkrb5.so.3.3
>>> sshd    3102 kiblerj  mem    REG              253,5  190976 1050089
>>> /usr/lib64/libgssapi_krb5.so.2.2
>>> sshd    3102 kiblerj  mem    REG                9,1   18152   65886
>>> /lib64/libutil-2.5.so
>>> sshd    3102 kiblerj  mem    REG                9,1   23360   65880
>>> /lib64/libdl-2.5.so
>>> sshd    3102 kiblerj  mem    REG                9,1  107112   65889
>>> /lib64/libaudit.so.0.0.0
>>> sshd    3102 kiblerj  mem    REG                9,1   53880   65588
>>> /lib64/libnss_files-2.5.so
>>> sshd    3102 kiblerj  DEL    REG                0,9         3642343
>>> /dev/zero
>>> sshd    3102 kiblerj  mem    REG                9,1   23736   65586
>>> /lib64/libnss_dns-2.5.so
>>> sshd    3102 kiblerj  mem    REG                9,1   11176   65864
>>> /lib64/security/pam_tally.so
>>> sshd    3102 kiblerj  mem    REG                9,1   11504   65760
>>> /lib64/security/pam_env.so
>>> sshd    3102 kiblerj  mem    REG                9,1   48824   65797
>>> /lib64/security/pam_unix.so
>>> sshd    3102 kiblerj  mem    REG              253,5   40896 1049703
>>> /usr/lib64/libcrack.so.2.8.0
>>> sshd    3102 kiblerj  mem    REG                9,1   12272   65790
>>> /lib64/security/pam_succeed_if.so
>>> sshd    3102 kiblerj  mem    REG                9,1    4040   65758
>>> /lib64/security/pam_deny.so
>>> sshd    3102 kiblerj  mem    REG                9,1    5648   65778
>>> /lib64/security/pam_nologin.so
>>> sshd    3102 kiblerj  mem    REG                9,1    4416   65779
>>> /lib64/security/pam_permit.so
>>> sshd    3102 kiblerj  mem    REG                9,1   12928   65756
>>> /lib64/security/pam_cracklib.so
>>> sshd    3102 kiblerj  mem    REG                9,1   15152   65786
>>> /lib64/security/pam_selinux.so
>>> sshd    3102 kiblerj  mem    REG                9,1    6808   65768
>>> /lib64/security/pam_keyinit.so
>>> sshd    3102 kiblerj  mem    REG                9,1   15048   65770
>>> /lib64/security/pam_limits.so
>>> sshd    3102 kiblerj  mem    REG                9,1    6584   65773
>>> /lib64/security/pam_loginuid.so
>>> sshd    3102 kiblerj  mem    REG                9,1    5080   65803
>>> /lib64/security/pam_warn.so
>>> sshd    3102 kiblerj  DEL    REG                0,9         3642362
>>> /dev/zero
>>> sshd    3102 kiblerj    0u   CHR                1,3            1908
>>> /dev/null
>>> sshd    3102 kiblerj    1u   CHR                1,3            1908
>>> /dev/null
>>> sshd    3102 kiblerj    2u   CHR                1,3            1908
>>> /dev/null
>>> sshd    3102 kiblerj    3u  IPv4            3642329             TCP
>>> FOO.DOM:ssh->68-26-27-159.pools.spcsdns.net:54719 (ESTABLISHED)
>>> sshd    3102 kiblerj    4u  unix 0xffff8100189aa8c0         3642382
>>> socket
>>> sshd    3102 kiblerj    5u  unix 0xffff810034004940         3642389
>>> socket
>>> sshd    3102 kiblerj    6r  FIFO                0,6         3642409 pipe
>>> sshd    3102 kiblerj    7w  FIFO                0,6         3642409 pipe
>>> sshd    3102 kiblerj    8u  IPv4            3642410             TCP
>>> localhost.localdomain:x11-ssh-offset (LISTEN)
>>> sshd    3102 kiblerj    9u   CHR                5,2             778
>>> /dev/ptmx
>>> sshd    3102 kiblerj   11u   CHR                5,2             778
>>> /dev/ptmx
>>> sshd    3102 kiblerj   12u   CHR                5,2             778
>>> /dev/ptmx
>> ===============
>>
> OpenSSH has nothing to do with that. That is a kernel feature. If some
> process does chroot() while having it as a CWD, it will be shown as "/"
> by lsof just because it is root directory for that process.


In addition, if you execute "man daemon" on any newer Linux system, you will
determine that chdir(/) is one of the core requirements for becoming a
daemon. I only mention "man daemon" as an example of what becoming a
daemon requires. sshd does not necessarily use this built-in function.

LDB
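
The thread turns on what a "/" in lsof's cwd and rtd rows refers to. As an added example (not part of the original messages and not OpenSSH code), the script below checks this on a Linux host by comparing the device and inode of each sshd process's working directory and root directory, instead of relying on the printed path. The function names are hypothetical, and it assumes /proc is mounted and that it runs as root or as the owner of the processes.

```python
import os

def dir_id(path):
    """Return (device, inode) of the directory a path or /proc link resolves to."""
    st = os.stat(path)  # stat() follows /proc/<pid>/cwd and /proc/<pid>/root
    return (st.st_dev, st.st_ino)

def classify(pid="self"):
    """Relate a process's cwd to its own root and to the observer's root."""
    cwd = dir_id(f"/proc/{pid}/cwd")
    root = dir_id(f"/proc/{pid}/root")
    ours = dir_id("/")
    return {
        # True after chdir("/"), the step daemon(3) performs by default
        "cwd_is_process_root": cwd == root,
        # False when the process root differs from ours, e.g. after chroot()
        "root_is_our_root": root == ours,
        "cwd_path": os.readlink(f"/proc/{pid}/cwd"),
        "root_path": os.readlink(f"/proc/{pid}/root"),
    }

def sshd_pids():
    """Yield the PIDs whose command name is sshd."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                if f.read().strip() == "sshd":
                    yield int(entry)
        except OSError:  # process exited while we were scanning
            continue

def report():
    """Return [(pid, classification or None)] for every visible sshd."""
    rows = []
    for pid in sshd_pids():
        try:
            rows.append((pid, classify(pid)))
        except OSError:  # not permitted to inspect, or process is gone
            rows.append((pid, None))
    return rows

if __name__ == "__main__":
    for pid, info in report():
        print(pid, info)
```

A process whose cwd_is_process_root is true and root_is_our_root is false has a working directory at the top of a root that is not the observer's.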


More information about the openssh-unix-dev mailing list