Re: getpeereid

This is a discussion on Re: getpeereid within the OpenSSH Development forums, part of the Networking and Network Related category; Darren Tucker wrote: > Corinna Vinschen wrote: >> ? Is there any good reason why root should be able to ...

		Usenet Forums > Networking and Network Related > OpenSSH Development
Re: getpeereid

LinkBack

Thread Tools

Display Modes

#1 (permalink)

02-23-2005

Darren Tucker

Posts: n/a

Re: getpeereid

Darren Tucker wrote:
> Corinna Vinschen wrote:
>> ? Is there any good reason why root should be able to connect to the
>> ssh-agent of a user? What is that reason?
>
> ssh is setuid root in some configurations (eg for
> RhostsRSAAuthentication, UsePrivilegedPort).

Hmm, on the other hand, ssh should have dropped privs by that point anyway.

On the other, other hand, it doesn't buy any additional protection since
all root has to do is "su user -c ssh whatever".

Maybe it's to allow the use of the agent when someone su's (or sudo's) to
root? The cvs log on ssh-agent.c (rev 1.113) says:

- markus@cvs.openbsd.org 2002/10/01 20:34:12
[ssh-agent.c]
allow root to access the agent, since there is no protection from root.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev

« Previous Thread | Next Thread »

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts vB code is On Smilies are Off [IMG] code is Off HTML code is Off Trackbacks are On Pingbacks are On Refbacks are On

All times are GMT +1. The time now is 01:03 AM.