Priv Sep SSH has / as CWD

Jon Kibler Jon.Kibler at aset.com
Mon Feb 15 11:04:22 EST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Thanks for your reply.

Looking at the man pages for sshd and sshd_config, it is not 100% clear
that when privilege separation occurs that the daemon is chrooted to
/var/empty (or elsewhere). However, that makes sense. Thanks for the
clarification. It would be good if that information got included in the
man pages.

Regarding the sshd listener running in "/" and world readable core
files... unfortunately, that is the way that RHEL/CentOS is configured.
In the "functions" for init (/etc/init.d/functions), one of the first
steps is to set 'umask 022'. I have tried to change this in the past
only to have stuff break. I have also tried setting permissions on "/"
to 751 and also broke stuff. Thus, for daemons that run with "/" as
their home directory, we can get core files in "/" that are world
readable. I do not like it, but that is the RHEL environment I have to
live with. :-(

This leaves me with 2 questions:
   1) Can I change the init script for sshd to set umask to '077'
without breaking stuff?
   2) If I put 'cd /var/run' in the init script before sshd starts, will
it actually run from /var/run without breaking stuff?

Thanks for your help! Good information.

Jon Kibler


On 2/14/10 4:10 PM, Damien Miller wrote:
> On Sun, 14 Feb 2010, Jon Kibler wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> This may or may not be a bug. However, it is DEFINITELY NOT how I would
>> expect and want to see sshd work!
>>
>> If you run lsof against sshd on a privilege separated user, it shows
>> that sshd's CWD is /. I would hope that the CWD would be at a minimum
>> /var/empty/sshd and I would really have thought it would be something
>> along the lines of /var/empty/sshd/USER. (In fact, lsof does not show
>> any references to /var/empty... which I assume means that it is only
>> referenced during startup??)
> 
> cwd is relative to the chroot directory. Remember what chroot does?
> 
>> I also noticed that the listener sshd also has / as its CWD. I would
>> have thought that it would have had ~root or /var/run as its CWD to
>> prevent core files from being left in / where it may be possible for
>> someone to find and pursue those files.
> 
> chdir(/) is the normal behaviour of daemon programs. If your system writes
> .core files with world-readable permissions then your have bigger problems. 
> 
> -d


- -- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
e: Jon.Kibler at aset.com or Jon.R.Kibler at gmail.com
s: JonRKibler
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt4j4YACgkQUVxQRc85QlOOfQCgnDUZZbekm5x4PuhosPKIRoWd
IMQAn2lxwxXr5O85kCyYKN8LBdRFc7U3
=gda8
-----END PGP SIGNATURE-----


More information about the openssh-unix-dev mailing list