preauth privsep logging via monitor

Corinna Vinschen vinschen at redhat.com
Fri Jun 24 01:33:25 EST 2011


On Jun 23 21:34, Damien Miller wrote:
> On Tue, 21 Jun 2011, Damien Miller wrote:
> 
> > > This would break running ssh on Cygwin which still lacks descriptor passing
> > > via sendmsg/recvmsg.
> > > 
> > > Out of curiosity, do you see a way to implement the privsep child
> > > without the need for descriptor passing?  Maybe by passing the data over
> > > the socket instead of by passing the descriptor to the data?
> > 
> > That's possible but would add a bit of complexity to the monitor - right
> > now it operates synchronously on two fds, but if it were to process
> > network traffic too then it would need a non-blocking mainloop of its own.
> 
> Actually, fd passing is only used by the post-auth monitor. So it should
> be possible to enable pre-auth privsep on Cygwin if it isn't already.

Yes, preauth privsep works already.

> The sandbox may help too if Cygwin supports setrlimit().

I didn't test your latest changes so far.  Sadly, setrlimit support is
...limited.  Right now Cygwin only supports setting RLIMIT_CORE and
RLIMIT_NOFILE and both are more or less faked.  You can't set the NOFILE
limit lower than the current internal file table size.  The call
succeeds, but the size of the table is not reduced.  There's also no
OS support for this functionality, so malicious code would always be
able to open and create files using the underlying OS functions, within
the bounds of the user's permissions.

> If there are stronger sandboxing primitives available then we could
> write a sandbox-cygwin.c to take advantage of them.

Hmm, I have to think about that.  I'm not sure if the security models
match enough to do something useful.  Typically the sshd account should
be set up to have not many rights anyway.  A normal user account has
only a bare minimum user token, so there's not much to gain by dropping
privileges from the token.  Maybe we could drop some groups, or we could
lower the integrity level of the process on Vista and later, but I'm not
sure if that's feasible.

> Unfortunately, the fds that are passed between the post-auth monitor and
> its user-privilege child are ptys and these are not as amenable to basic
> shuffling data back and forth as network sockets.

Ptys are just named pipes in Cygwin since Windows lacks native pty
support.

Anyway, I would be more glad if I had a good idea how to implement
descriptor passing in Cygwin instead.


Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
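The mechanism the thread keeps coming back to is descriptor passing over a UNIX-domain socket with sendmsg/recvmsg and an SCM_RIGHTS control message, which the post-auth monitor needs and which Cygwin lacked at the time. The following is an added self-contained example (not code from this thread, from OpenSSH, or from Cygwin) that passes the read end of a pipe across a socketpair within one process and verifies the received descriptor refers to the same pipe; the function names `send_fd`, `recv_fd` and `fd_passing_works` are this example's own, and it assumes a POSIX platform where SCM_RIGHTS is implemented.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Send one descriptor over a UNIX-domain socket using an SCM_RIGHTS
 * control message.  Returns 0 on success, -1 on failure. */
static int send_fd(int sock, int fd_to_send)
{
    char byte = 'F';                       /* sendmsg() needs at least one data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&msg, 0, sizeof(msg));
    memset(&u, 0, sizeof(u));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor.  Returns the new local fd number, or -1 if the
 * message carried no (or a malformed) SCM_RIGHTS control message. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    int fd;

    memset(&msg, 0, sizeof(msg));
    memset(&u, 0, sizeof(u));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Self-test: pass the read end of a pipe across a socketpair and check that
 * data written to the original write end can be read through the received
 * descriptor.  Returns 1 if descriptor passing works here, 0 otherwise. */
int fd_passing_works(void)
{
    int sp[2], pp[2], received = -1, ok = 0;
    char buf[8];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == -1)
        return 0;
    if (pipe(pp) == -1) {
        close(sp[0]); close(sp[1]);
        return 0;
    }
    if (send_fd(sp[0], pp[0]) == 0 && (received = recv_fd(sp[1])) != -1) {
        /* The received fd is a distinct number but refers to the same pipe. */
        if (received != pp[0] &&
            write(pp[1], "hello", 5) == 5 &&
            read(received, buf, sizeof buf) == 5 &&
            memcmp(buf, "hello", 5) == 0)
            ok = 1;
        close(received);
    }
    close(sp[0]); close(sp[1]); close(pp[0]); close(pp[1]);
    return ok;
}

int main(void)
{
    printf("descriptor passing: %s\n", fd_passing_works() ? "works" : "unsupported");
    return 0;
}
```

The check in `recv_fd` that the control message really is `SOL_SOCKET`/`SCM_RIGHTS` with exactly one `int` of payload is the part worth keeping in real code: a monitor that trusts whatever control message arrives from its less-privileged child hands that child a way to confuse it.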

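The caveat above about Cygwin's RLIMIT_NOFILE (the setrlimit call succeeds, but the file table is not actually shrunk) is exactly the failure mode a sandbox built on rlimits has to detect, since a limit that is silently ignored gives no protection while looking configured. The following is an added example, not code from this thread or from OpenSSH's sandbox, that lowers the soft RLIMIT_NOFILE and then probes whether the kernel enforces it; the function name `nofile_limit_enforced` is this example's own, and it assumes a POSIX platform with a readable /dev/null.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Lower the soft RLIMIT_NOFILE to `limit`, then open /dev/null repeatedly
 * until open() refuses.  Because descriptor numbers must stay below
 * rlim_cur and 0-2 are already in use, opening `limit` new descriptors is
 * impossible on a platform that enforces the limit.
 * Returns 1 if an open failed with EMFILE (limit enforced), 0 if every open
 * succeeded (limit accepted but not honoured), -1 on setup failure.
 * The original limit is restored before returning. */
int nofile_limit_enforced(rlim_t limit)
{
    struct rlimit orig, tmp;
    int fds[64], n = 0, enforced = 0;

    if (limit > 64 || getrlimit(RLIMIT_NOFILE, &orig) == -1)
        return -1;
    tmp = orig;
    if (limit > tmp.rlim_max)   /* an unprivileged process cannot exceed the hard limit */
        return -1;
    tmp.rlim_cur = limit;
    if (setrlimit(RLIMIT_NOFILE, &tmp) == -1)
        return -1;

    while (n < (int)limit) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd == -1) {
            enforced = (errno == EMFILE);
            break;
        }
        fds[n++] = fd;
    }
    while (n > 0)
        close(fds[--n]);
    setrlimit(RLIMIT_NOFILE, &orig);   /* restore the caller's limit */
    return enforced;
}

int main(void)
{
    int r = nofile_limit_enforced(16);
    printf("RLIMIT_NOFILE enforced: %s\n",
           r == 1 ? "yes" : r == 0 ? "no (accepted but not honoured)" : "could not test");
    return 0;
}
```

On Linux and the BSDs this returns 1; on a platform that behaves as described in the message above it would return 0, which is the signal a sandbox should treat as "this primitive is unavailable" rather than "sandbox active".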
