Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664
Damien Miller
djm at mindrot.org
Sun May 30 21:48:31 EST 2004
Luke Kenneth Casson Leighton wrote:
> On Sun, May 30, 2004 at 07:43:52PM +1000, Damien Miller wrote:
>>but it doesn't seem to do much at all - the only code change is the
>>marking of a ssh-agent fd to be close-on-exec.
>
> that, and the inclusion of pam_selinux.so as a required session
> plugin, and the setting of a security context on the DSA and
> RSA keys in sshd initialisation (a redhat rpm thing?)
I think we should leave these changes for the vendors of SELinux
enabled distributions. We want the current files to work for everyone.
The files in contrib/redhat get synced from time to time, so they will
pick up changes in their distribution (eventually).
>>Is this the patch that you are referring to?
>
> yes it is.
>
> the ssh-agent fd close-on-exec is actually a really important
> security bug because otherwise you end up with an open file
> descriptor being passed over to a process that should have no
> rights or use for it.
The FD in question is to /dev/null and closed anyway if it isn't
dup'd to one of std{in,out,err} so I can't see how this achieves
anything.
> SE/Linux is really cool in that respect: the audit process
> logged that this file handle was being passed over to a child
> process, and the policy for ssh-agent said that that wasn't
> allowed.
>
> cool, huh? :)
Not in this case, no :)
> [apparently, PAM has a similar bug in /sbin/unix_verify:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248310
>
> but the debian maintainer for pam is being a bit of an idiot
> and won't look at it. sorry, mr hartmans, but it's bypass time,
> and your comments _are_ a matter of public record, after all]
Please don't drag SELinux fights onto our list, we have enough of
our own.
-d
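The two behaviours argued about above (a close-on-exec descriptor vanishing at exec, versus a copy dup'd onto a std* descriptor surviving it) can be checked directly. This is an added illustration, not code from the thread or from OpenSSH; it assumes a POSIX system with /bin/sh and uses dup() rather than dup2() onto stdin so the test does not clobber the caller's descriptors.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd has FD_CLOEXEC set, 0 if not, -1 on error. */
int has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark fd close-on-exec, as the patch does for the agent descriptor. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh, which tries to redirect onto descriptor fd.
 * Returns 1 if fd was still open after exec, 0 if closed, -1 on error. */
int survives_exec(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* A /dev/null descriptor marked close-on-exec is gone in the child,
 * but a dup() of it is not: POSIX clears FD_CLOEXEC on the new
 * descriptor, which is exactly the std{in,out,err} case in the reply. */
int demo(void) {
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0 || set_cloexec(fd) < 0) return -1;
    int copy = dup(fd);  /* same semantics as dup2() onto stdin/out/err */
    if (copy < 0) return -1;
    int ok = survives_exec(fd) == 0 && survives_exec(copy) == 1 &&
             has_cloexec(copy) == 0;
    close(fd); close(copy);
    return ok;  /* 1 when both claims hold */
}
```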