Call for testing: OpenSSH 7.3

Corinna Vinschen vinschen at redhat.com
Sat Jul 23 02:45:55 AEST 2016


On Jul 22 23:32, Darren Tucker wrote:
> On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vinschen at redhat.com> wrote:
> [...]
> > Hmm.  If that only affects Cygwin, and if defines.h is not synced anyway,
> > what about getting rid of the configure stuff entirely?
> >
> > Tested counterproposal:
> 
> Looks reasonable.  It's late here so I'm going to look at it tomorrow.

Thank you.

> > As for the comment preceeding the definition, I didn't change it from
> > your text in my proposal.  However.
> >
> > I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in
> > terms of the implementation of bindresvport_sa and rcmd.  It's not just
> > backward compatibility.  There are also applications out there which
> > still expect this value to make sense.
> 
> Fair point.
> 
> > The *real* problem here is that OpenSSH checks for uid 0 before allowing
> > to bind a socket to a port < IPPORT_RESERVED, rather than letting the OS
> > decide if the current user is allowed to bind that port.
> > From my POV this check in OpenSSH is gratuitious and it's the real reason
> > we have this problem at all.
> 
> In the case of sshd running with privsep off, the process doing the
> binding is still running as root and I suspect those checks date back
> to when it was always running as root.  It could probably
> temporarily_use_uid() though.

I think this is a very good idea.

As has been discussed more than once on this list, Cygwin^WWindows isn't
the only OS allowing more than a single administrativ account.
Alternatively the system supports fine-grained account-based permissions
or per-executable capabilities.

For example, think raw sockets and ping/ping6.  You don't have to be
admin to open a raw socket if the OS supports capabilities, nor does the
application has to be a setuid application, as on Linux:

  $ ls -l /usr/bin/ping
  -rwxr-xr-x 1 root root 44752 Nov 19  2015 /usr/bin/ping
  $ getcap /usr/bin/ping
  ping = cap_net_admin,cap_net_raw+ep

Checking for uid 0 only makes limited sense, and only on very
traditional UNIX systems.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160722/a338134e/attachment-0001.bin>


More information about the openssh-unix-dev mailing list