pam + privileges
james at nameonthe.net
Wed Apr 30 21:47:32 EST 2003
Apologies if my attempts to subscribe bombarded this list with empty emails.
We're running openssh 3.6.1p1 on Linux i386 and need to chroot and modify
people's capabilities (Linux specific) when they log in. To do this we've
compiled openssh with pam support and then configured pam to chroot people and alter their
(such as giving them the privilege to bind to a port below 1024). In the
used the chroot patch which works well yet using pam to chroot and grant
I've scanned through the code and it seems openssh is giving away root
very early in the pam pipeline. By the time it reaches the password /
it's given up all root privileges. The problem is the chroot and capability
pam modules apply their changes during the pam session stage so you'd expect
root to still be in control until the pam session stage.
Can anyone let me know if this was/is a conscious design decision?
Tel: +44 208 7415453
Fax: + 44 208 7411615