[prev in list] [next in list] [prev in thread] [next in thread] 

List:       selinux
Subject:    privsep in ssh
From:       Russell Coker <russell () coker ! com ! au>
Date:       2003-09-19 2:22:15
[Download RAW message or body]

#ifdef DISABLE_FD_PASSING
        if (1) {
#else
        if (authctxt->pw->pw_uid == 0 || options.use_login) {
#endif
                /* File descriptor passing is broken or root login */
                monitor_apply_keystate(pmonitor);
                use_privsep = 0;
                return;
        }

When browsing the ssh source I noticed the above in sshd.c.  It appears from a 
casual inspection that we should change this and remove the check for
pw_uid == 0.  Logging in as root in SE Linux does not mean that we have full 
administrative privs, so I think that we should have privsep enabled all the 
time.

I have compiled a sshd with privsep for root logins and it seems to work fine.

I have attached the patch against ssh 3.6.1p2, I expect that the same thing 
would be necessary in 3.7.1 and the same patch probably applies (but I 
haven't checked).

I believe that this patch is worthy of inclusion in the standard distribution 
of ssh.  The only drawback is that it uses a small amount of extra CPU power 
for root logins, and on systems such as SE Linux it provides security 
benefits.

Anyone who wants to use the SE Linux PAM module for sshd probably wants this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

["diff" (text/x-diff)]

--- orig/openssh-3.6.1p2/sshd.c	2003-09-18 15:16:41.000000000 +1000
+++ openssh-3.6.1p2/sshd.c	2003-09-19 12:00:15.000000000 +1000
@@ -636,7 +636,7 @@
 #ifdef DISABLE_FD_PASSING
 	if (1) {
 #else
-	if (authctxt->pw->pw_uid == 0 || options.use_login) {
+	if (options.use_login) {
 #endif
 		/* File descriptor passing is broken or root login */
 		monitor_apply_keystate(pmonitor);

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[prev in list] [next in list] [prev in thread] [next in thread]