Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664

Luke Kenneth Casson Leighton lkcl at lkcl.net
Mon May 31 05:17:36 EST 2004


On Sun, May 30, 2004 at 12:57:27PM -0500, Ben Lindstrom wrote:
 
> On Sun, 30 May 2004, Luke Kenneth Casson Leighton wrote:
> 
> > > >   the ssh-agent fd close-on-exec is actually a really important
> > > >   security bug because otherwise you end up with an open file
> > > >   descriptor being passed over to a process that should have no
> > > >   rights or use for it.
> > >
> > > The FD in question is to /dev/null and closed anyway if it isn't
 > > > dup'd to one of std{in,out,err} so I can't see how this achieves
> > > anything.
> >
> >  well, i'd be remiss in not mentioning it to you: fortunately
> >  in this case it looks like it's covered.
> >
> >  it'd be really helpful, however, if you _could_ apply that
> >  close-on-exec, because without it, it's necessary to add an
> >  audit "ignore" just for that file handle, which could come
> >  back and bite you later, or to constantly and forever apply
> >  that patch in all releases of an openssh'd selinux package.
> >
> 
> Why not just fix the auditing software to understand the fact that the FD
> is /dev/null?  

 it's a good question, and one that i am (personally) not qualified
 to answer; however, i know that the people on the selinux mailing list
 are (scott or russell).
 
 ... but you no doubt know that what you're asking is going
 to involve kernel modifications.

 bearing in mind that i don't fully appreciate all the issues,
 i would ask you to consider this: are you _really_ sure you
 want to ask for a special-case kernel-level hack to deal with
 opening /dev/null?

 and if the linux kernel developers noticed such an addition, how
 do you think they would react?

 the auditing is going on in the kernel, not in user-space, in
 one of these newfangled "security capabilities" modules.


 help help, does anyone know better than my flounderings as to what
 the issues are, here?

 l.

 p.s. if cc'ing to the openssh list, don't send _anything_ with
 html tags in it, even small code fragments like .sigs with
 less than a href blah blah greater than because their list
 server will reject your message.

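The thread turns on what FD_CLOEXEC actually does for the /dev/null descriptor, and on Ben's point that a dup'd copy behaves differently. The program below is an added example, written for this page; it is not OpenSSH code and not from the thread. It opens /dev/null, shows that the descriptor is inherited by an exec'd child, sets FD_CLOEXEC with fcntl() and shows the child no longer sees it, then shows the caveat that dup() produces a fresh descriptor with the flag cleared. It also shows the race-free form, O_CLOEXEC at open() time. It assumes a POSIX system with /bin/sh; the child-side probe relies on the shell's `<&N` redirection, which in dash only accepts single-digit descriptor numbers, so the probe refuses fds above 9.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Report whether FD_CLOEXEC is set on fd: 1 = set, 0 = clear, -1 = bad fd. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC on an already-open fd, preserving its other FD flags.
   Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Race-free variant: request close-on-exec in open() itself, so there is
   no window between open() and fcntl() in which another thread's
   fork()+exec() could inherit the descriptor. */
int open_devnull_cloexec(void)
{
    return open("/dev/null", O_RDWR | O_CLOEXEC);
}

/* Empirically check whether fd outlives exec(): fork, exec /bin/sh, and let
   the shell try to redirect from the inherited descriptor number.
   Returns 1 if the child could still use the fd (it leaked across exec),
   0 if the child found it closed, -1 if the experiment itself failed.
   Only fds 0..9 are probed: dash's "<&N" accepts a single digit only. */
int fd_survives_exec(int fd)
{
    char cmd[32];
    int status;
    pid_t pid;

    if (fd < 0 || fd > 9)
        return -1;
    /* "true <&N" exits 0 only if descriptor N is open in the child. */
    snprintf(cmd, sizeof cmd, "true <&%d", fd);

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Silence the shell's "Bad file descriptor" message. This fd is
           opened after the one under test, so it cannot alias it. */
        int err = open("/dev/null", O_WRONLY);
        if (err >= 0) {
            dup2(err, STDERR_FILENO);
            if (err != STDERR_FILENO)
                close(err);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int fd = open("/dev/null", O_RDWR);
    int copy;

    if (fd < 0)
        return 1;
    printf("fd %d: cloexec=%d survives_exec=%d\n",
           fd, fd_is_cloexec(fd), fd_survives_exec(fd));

    if (set_cloexec(fd) < 0)
        return 1;
    printf("fd %d with FD_CLOEXEC: cloexec=%d survives_exec=%d\n",
           fd, fd_is_cloexec(fd), fd_survives_exec(fd));

    /* The caveat behind the "dup'd to one of std{in,out,err}" remark:
       FD_CLOEXEC belongs to the descriptor, not to the open file, and
       dup()/dup2() always clear it on the new descriptor. */
    copy = dup(fd);
    printf("dup() of it: cloexec=%d survives_exec=%d\n",
           fd_is_cloexec(copy), fd_survives_exec(copy));
    close(copy);
    close(fd);
    return 0;
}
```

The practical reading for the thread: marking the original /dev/null descriptor close-on-exec does close it in the child, but any copy that was dup2()'d onto stdin, stdout or stderr is a new descriptor that does not carry the flag, which is exactly why those three survive into the child while the original does not.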
More information about the openssh-unix-dev mailing list