Subject: Re: setuid ssh
To: Andrew Brown <atatat@atatdot.net>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 10/20/2000 23:39:56
Cc: NetBSD Security Technical Discussion List <tech-security@netbsd.org>
In-Reply-To: <20001020163146.A5721@noc.untraceable.net>
References: <20001018135225.A7705@antioche.lip6.fr>
	<Pine.NEB.4.21.0010181440492.6544-100000@agnostic.union.cynic.net>
	<20001020182702.E976D4@proven.weird.com>
	<20001020143456.A4739@noc.untraceable.net>
	<20001020191842.BE4324@proven.weird.com>
	<20001020163146.A5721@noc.untraceable.net>
Reply-To: tech-security@NetBSD.ORG (NetBSD Security Technical Discussion List)
Organization: Planix, Inc.; Toronto, Ontario; Canada
Message-Id: <20001021033956.B6EB94@proven.weird.com>

[ On Friday, October 20, 2000 at 16:31:46 (-0400), Andrew Brown wrote: ]
> Subject: Re: setuid ssh
>
> then what's wrong with doing *all* these things (yes, both of them)
> right at the beginning of main, before *anything else*
> 
> 	if (geteuid() != getuid() || getegid() != getgid()) {
> 		do_root_stuff_now();
> 		/* drop the group first: once euid is no longer 0, setgid() fails */
> 		if (setgid(getgid()) == -1 || setuid(getuid()) == -1)
> 			err(1, "dropping privileges");
> 	}
> 
> no?  then you *have* the port if you need it, and you *have* the host
> key if you need it.  of course, they'd both get thrown away as soon as
> it was known that they weren't needed.

Well, assuming you're careful with what you do with the private host key
once you've read it in and you're damn sure it can't be revealed through
any nefarious means (eg. can I attach a debugger to the process once it
has dropped privileges and then extract the private host key?); and
provided that you can safely bind to the low-port socket so early on;
then yes that might be OK.  However there are many things to consider in
any endeavour concerning setuid programming -- make sure you know all of
the consequences of all such actions before you go ahead and change
anything or invent anything new along these lines.

I personally worry more about programmers relaxing their scrutiny and
attention to detail at the same time they relax the privileges on their
code and as such I would personally be more comfortable if a setuid
process kept its privileges throughout its execution -- at least this
way everyone knows to be paranoid all of the time.  This goes double for
setuid-root code, especially on systems which support the very dangerous
feature of allowing a setuid-root process to toggle from and then back
to superuser status.

> i'm not talking about modifying anything -- i'm talking about doing it
> right.

You *were* talking about existing clients, and this part of this thread
has been explicitly about the OpenSSH variant currently imported into
the NetBSD tree, and like I said any change along these lines in
existing code will need to be very carefully audited throughout the
entire codebase to ensure it doesn't upset any existing assumptions.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
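The sequence proposed at the top of the thread (privileged work first, then
drop), written out with the checks the reply asks for. This is an added
example for this archive page; it is not code from either poster or from the
OpenSSH in the NetBSD tree. It assumes only a POSIX/BSD libc. The port
number, the fallback uid/gid 65534 and the sample key bytes are placeholders
chosen for illustration.

```c
/* Added example, not from the thread or from OpenSSH.  Assumes POSIX/BSD libc. */
#define _DEFAULT_SOURCE 1
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bind a TCP listener while we still hold the privilege for a low port.
 * Returns the descriptor or -1.  Port 0 asks for any free port (no privilege). */
int bind_tcp_port(unsigned short port)
{
    struct sockaddr_in sin;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) == -1) {
        close(s);
        return -1;
    }
    return s;
}

/* Drop to uid/gid permanently and verify the drop.  Order matters: the
 * supplementary groups and the primary gid go first, because once euid is
 * non-zero, setgroups() and setgid() to another id fail with EPERM.  Done the
 * other way round the call "succeeds" but leaves group privilege behind.
 * Returns 0 only if every id is the target and id 0 cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Verify rather than trust: real and effective ids must both be the target. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* A saved set-id would let the process toggle back to root later (the
     * "very dangerous feature" in the thread); confirm that this is refused. */
    if (uid != 0 && (setuid(0) != -1 || seteuid(0) != -1))
        return -1;
    if (gid != 0 && (setgid(0) != -1 || setegid(0) != -1))
        return -1;
    return 0;
}

/* Wipe secret material as soon as it is known not to be needed.  The volatile
 * pointer keeps the compiler from optimising the stores away. */
void scrub(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* 1 if every byte of buf is zero; used to check that a scrub really happened. */
int is_zeroed(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    while (len--)
        acc |= *buf++;
    return acc == 0;
}

int main(void)
{
    /* Constructed stand-in for the private host key.  A real daemon would read
     * the root-only key file into this buffer here, before the drop. */
    unsigned char hostkey[32] = "not-a-real-key-just-a-sample";
    /* Placeholder target ids: the real ids, or 65534 (nobody) if we are root. */
    uid_t uid = getuid() == 0 ? 65534 : getuid();
    gid_t gid = getgid() == 0 ? 65534 : getgid();
    int lsock = -1;

    if (geteuid() != getuid() || getegid() != getgid() || geteuid() == 0) {
        /* Step 1: everything that needs privilege, and nothing else. */
        lsock = bind_tcp_port(geteuid() == 0 ? 22 : 0);   /* 22 is a placeholder */
        if (lsock == -1)
            perror("bind_tcp_port");
        /* Step 2: drop, and refuse to continue if the drop did not take. */
        if (drop_privileges(uid, gid) == -1) {
            perror("drop_privileges");
            scrub(hostkey, sizeof hostkey);
            return 1;
        }
    }
    printf("running as uid %ld gid %ld, listener fd %d\n",
           (long)geteuid(), (long)getegid(), lsock);
    /* Step 3: the key stays in memory only as long as it is needed. */
    scrub(hostkey, sizeof hostkey);
    return is_zeroed(hostkey, sizeof hostkey) ? 0 : 1;
}
```

Two notes on the debugger question raised in the reply. Whether an unprivileged
user can attach to the process after the drop is decided by the kernel, not by
this code: NetBSD marks a process that has changed its ids with P_SUGID and its
ptrace refuses attachment by anyone but root, and Linux clears the process's
dumpable flag on a change of effective id, which likewise blocks ptrace and core
dumps. Neither protection removes the key from memory, which is why the example
wipes it the moment it is no longer needed rather than relying on the id change.
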