[Bug 2276] AuthorizedKeysCommand: add an option for alternate owner

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Mar 4 17:57:06 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2276

--- Comment #7 from Alon Bar-Lev <alon.barlev at gmail.com> ---
(In reply to Damien Miller from comment #6)
> (In reply to Alon Bar-Lev from comment #2)
> > (In reply to Damien Miller from comment #1)
> > > I think it would be reasonable to relax the permission check to
> > > allow the command to be owned by the user who started sshd as well
> > > as root. I don't think another option is warranted or necessary.
> > 
> > I thought that the original code was designed to block the user that
> > ssh into local to modify the command, I did not want to violate this
> > restriction.
> > 
> > Did I understand incorrectly why we limit ownership?
> 
> That is indeed the intent, and allowing the user who started sshd in
> addition to root doesn't violate it.

I am very sorry, but must understand that fully.

If I start sshd using unprivileged user let's say sshuser, the sshd
cannot setuid, so it is left within sshuser context, and be able to
modify the authorized keys command as it is the owner.

Doesn't it violates the original intention?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.


More information about the openssh-bugs mailing list