Re: Requirement for sshd account since 4.4p1

Hi there.

On Fri, Oct 27, 2006 at 02:29:00PM +0200, Corinna Vinschen wrote:
> On Oct 27 21:00, Darren Tucker wrote:
> > On Fri, Oct 27, 2006 at 10:36:59AM +0200, Corinna Vinschen wrote:
> > It's probably not just Solaris (any system where (seteuid(-1)) fails
> > would be affected) but that's where it was reported.
[...]
> > Maybe we could only load privsep_pw if we're running privileged?
> > set*uid is not going to work if we're not.
>
> Here's the problem: Right now there's no way to figure out whether sshd
> is running under a privileged account or not on Cygwin. The problem is
> that being privileged is bound to testing uid 0 in OpenSSH throughout.
>
> I'm asking for some years now to replace the inflexible tests for uid 0
> by a system specific function call along the lines of a
>
> bool privileged_user(uid)

I think we have discussed that in the past and I think it's a reasonable
idea (although I'd probably model it after POSIX capabilities to include
things like binding to low ports since POSIX is our nominal target)
but never had the time to pursue.

[...]
> As a short term solution I would suggest that sshd doesn't exit
> prematurely when it can't find the sshd account, but only later if it
> finds that the sshd account is required for operation, like, for instance,
> GSSAPI on Solaris, or if privilege separation is actually requested.

We ended up going with the patch below.

[...]
> > Always having the privsep uid available is useful in other cases too
> > (eg PAM, bug #1215).
>
> I see, but not all systems use PAM either ;)

That's true, but I suspect the majority do (the survey data backs me up;
54% have PAM headers and --with-pam is the second most common compile-time
option (14%) after tcpwrappers (29%) not counting path setting ones :-).


diff -u -p -r1.359 sshd.c
--- sshd.c 18 Oct 2006 12:51:31 -0000 1.359
+++ sshd.c 7 Nov 2006 00:27:29 -0000
@@ -1431,14 +1431,17 @@ main(int ac, char **av)

debug("sshd version %.100s", SSH_RELEASE);

- /* Store privilege separation user for later use */
- if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
- fatal("Privilege separation user %s does not exist",
- SSH_PRIVSEP_USER);
- memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
- privsep_pw = pwcopy(privsep_pw);
- xfree(privsep_pw->pw_passwd);
- privsep_pw->pw_passwd = xstrdup("*");
+ /* Store privilege separation user for later use if required. */
+ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+ if (use_privsep || options.kerberos_authentication)
+ fatal("Privilege separation user %s does not exist",
+ SSH_PRIVSEP_USER);
+ } else {
+ memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
+ privsep_pw = pwcopy(privsep_pw);
+ xfree(privsep_pw->pw_passwd);
+ privsep_pw->pw_passwd = xstrdup("*");
+ }
endpwent();

/* load private host keys */

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev