Call for testing: OpenSSH 7.3
Corinna Vinschen
vinschen at redhat.com
Sat Jul 23 02:45:55 AEST 2016
On Jul 22 23:32, Darren Tucker wrote:
> On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vinschen at redhat.com> wrote:
> [...]
> > Hmm. If that only affects Cygwin, and if defines.h is not synced anyway,
> > what about getting rid of the configure stuff entirely?
> >
> > Tested counterproposal:
>
> Looks reasonable. It's late here so I'm going to look at it tomorrow.
Thank you.
> > As for the comment preceeding the definition, I didn't change it from
> > your text in my proposal. However.
> >
> > I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in
> > terms of the implementation of bindresvport_sa and rcmd. It's not just
> > backward compatibility. There are also applications out there which
> > still expect this value to make sense.
>
> Fair point.
>
> > The *real* problem here is that OpenSSH checks for uid 0 before allowing
> > to bind a socket to a port < IPPORT_RESERVED, rather than letting the OS
> > decide if the current user is allowed to bind that port.
> > From my POV this check in OpenSSH is gratuitious and it's the real reason
> > we have this problem at all.
>
> In the case of sshd running with privsep off, the process doing the
> binding is still running as root and I suspect those checks date back
> to when it was always running as root. It could probably
> temporarily_use_uid() though.
I think this is a very good idea.
As has been discussed more than once on this list, Cygwin^WWindows isn't
the only OS allowing more than a single administrativ account.
Alternatively the system supports fine-grained account-based permissions
or per-executable capabilities.
For example, think raw sockets and ping/ping6. You don't have to be
admin to open a raw socket if the OS supports capabilities, nor does the
application has to be a setuid application, as on Linux:
$ ls -l /usr/bin/ping
-rwxr-xr-x 1 root root 44752 Nov 19 2015 /usr/bin/ping
$ getcap /usr/bin/ping
ping = cap_net_admin,cap_net_raw+ep
Checking for uid 0 only makes limited sense, and only on very
traditional UNIX systems.
Corinna
--
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160722/a338134e/attachment-0001.bin>
More information about the openssh-unix-dev
mailing list