Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664

Damien Miller djm at mindrot.org
Mon May 31 08:00:24 EST 2004


Luke Kenneth Casson Leighton wrote:

>  it'd be really helpful, however, if you _could_ apply that
>  close-on-exec, because without it, it's necessary to add an
>  audit "ignore" just for that file handle, which could come
>  back and bite you later, or to constantly and forever apply
>  that patch in all releases of an openssh'd selinux package.

Adding the close-on-exec would be incorrect: you would end up
with one of std(in,out,err) closed rather than pointing to
/dev/null upon exec. There have been security vulnerabilities in
the past that have been caused by this state of affairs.

Surely it would make more sense to fix the audit policy.

-d
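The hazard Damien points at, as an added example that is not code from this thread or from OpenSSH: if a process reaches exec() with fd 0, 1 or 2 closed (which is exactly what marking the /dev/null descriptor close-on-exec would cause), the next open() in the new image lands on a standard descriptor, so a sensitive file can silently become "stdin" or "stdout". The block simulates that state and contrasts it with a start-up sanitisation routine modelled on the pattern the thread refers to, which re-points any missing standard descriptor at /dev/null without FD_CLOEXEC so it survives exec. It assumes a POSIX system with /dev/null; the function names are mine.

```c
/* Added example (not from the thread or OpenSSH): why a closed standard
 * descriptor at exec time is dangerous, and the defensive fix.
 * Assumes POSIX and /dev/null. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Ensure fds 0..2 are open; any that is missing gets /dev/null.
 * A descriptor installed this way carries no FD_CLOEXEC flag, so it
 * stays in place across exec (dup2 never copies close-on-exec).
 * Modelled on the start-up sanitisation pattern, not OpenSSH's code. */
int sanitise_std_fds(void)
{
    int nullfd = -1;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            if (nullfd == -1)
                nullfd = open("/dev/null", O_RDWR); /* lowest free fd, i.e. this one */
            if (nullfd == -1)
                return -1;
            if (nullfd != fd && dup2(nullfd, fd) == -1)
                return -1;
        }
    }
    if (nullfd > 2)
        close(nullfd);
    return 0;
}

/* Park stdin on a descriptor >= 3 and close fd 0, simulating what the
 * exec'd child sees when fd 0 was close-on-exec in the parent.
 * On success *saved holds the copy (or -1 if fd 0 was already closed). */
static int detach_stdin(int *saved)
{
    *saved = fcntl(STDIN_FILENO, F_DUPFD, 3);
    if (*saved == -1)
        return errno == EBADF ? 0 : -1;   /* already closed: nothing to save */
    return close(STDIN_FILENO);
}

static void restore_stdin(int saved)
{
    if (saved >= 0) {
        dup2(saved, STDIN_FILENO);
        close(saved);
    }
}

/* Hazard: with fd 0 closed, the next open() of *any* file returns 0, so
 * whatever the program later treats as stdin is that file, and sloppy
 * code writing to fd 0 hits it too.  Returns the fd open() handed back. */
int demo_closed_fd_reuse(void)
{
    int saved, fd;
    if (detach_stdin(&saved) == -1)
        return -1;
    fd = open("/dev/null", O_RDONLY);     /* constructed stand-in for a sensitive file */
    if (fd >= 0)
        close(fd);
    restore_stdin(saved);
    return fd;                            /* 0: the file became "stdin" */
}

/* Mitigation: sanitise first, then the same open() lands at >= 3. */
int demo_sanitised_open(void)
{
    int saved, fd;
    if (detach_stdin(&saved) == -1)
        return -1;
    if (sanitise_std_fds() == -1) {
        restore_stdin(saved);
        return -1;
    }
    fd = open("/dev/null", O_RDONLY);
    if (fd >= 0)
        close(fd);
    restore_stdin(saved);
    return fd;                            /* >= 3: fd 0 is held by /dev/null */
}

int main(void)
{
    printf("fd 0 closed: open() returned fd %d\n", demo_closed_fd_reuse());
    printf("after sanitise_std_fds(): open() returned fd %d\n", demo_sanitised_open());
    return 0;
}
```

Running it prints fd 0 for the unsanitised case and a descriptor of 3 or higher once the standard descriptors are filled, which is the difference between keeping /dev/null on fd 0 through exec and letting close-on-exec remove it; it also shows why a fix belongs in the process that execs (or in the audit policy), not in the descriptor flags.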
