Subject: Re: setuid ssh
To: NetBSD Security Technical Discussion List <tech-security@netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 10/20/2000 16:31:46
Message-ID: <20001020163146.A5721@noc.untraceable.net>
Reply-To: Andrew Brown <atatat@atatdot.net>
References: <20001018135225.A7705@antioche.lip6.fr> <Pine.NEB.4.21.0010181440492.6544-100000@agnostic.union.cynic.net> <20001020182702.E976D4@proven.weird.com> <20001020143456.A4739@noc.untraceable.net> <20001020191842.BE4324@proven.weird.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001020191842.BE4324@proven.weird.com>; from woods@weird.com on Fri, Oct 20, 2000 at 03:18:42PM -0400
Return-Receipt-To: receipts@daemon.org

>> well...what does it *need* to be suid for?  is there anything besides
>> the privileged port and the host key that it requires root privs for?
>> or is that it?
>
>That's it, I think, at least for ssh/slogin....

then what's wrong with doing *all* these things (yes, both of them)
right at the beginning of main, before *anything else*:

	if (geteuid() != getuid() || getegid() != getgid()) {
		do_root_stuff_now();	/* bind the privileged port, read the host key */
		/* group first: once the uid is unprivileged, setgid() can no longer succeed */
		if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
			err(1, "failed to drop privileges");
	}

no?  then you *have* the port if you need it, and you *have* the host
key if you need it.  of course, they'd both get thrown away as soon as
it was known that they weren't needed.

>I don't know about OpenSSH, but if you were to make such changes to
>SSH-1.2.27 or newer you'd have to audit the code with a fine toothed
>comb again to make sure everything was done right since the current
>implementation makes some assumptions about what it means to be
>privileged (i.e. it assumes euid==0 is privileged).

i'm not talking about modifying anything -- i'm talking about doing it
right.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
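The pattern Andrew sketches above, spelled out as a complete program. This is an added example written for this archive page, not code from the thread or from OpenSSH or ssh-1.2.27. When started setuid-root it does the only two jobs that need euid 0 (bind a reserved local port, open the host key) as the very first thing in main, then discards real, effective and saved ids together and verifies that root cannot be regained. The function names and the host-key path HOST_KEY_PATH are assumptions for illustration, not the real ssh layout.

```c
/* privdrop.c: added example, not from the original message or from any ssh
 * implementation. Root work first, then a verified, permanent privilege drop.
 * Build: cc -o privdrop privdrop.c ; then chown root privdrop && chmod u+s privdrop
 * to see the setuid path, or just run it unprivileged to see the checks pass. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed path for illustration only; not the real location of any host key. */
#define HOST_KEY_PATH "/etc/ssh/ssh_host_key"

/* 1 if we hold an effective id we did not start with (i.e. we were exec'd set-id). */
int running_setid(void)
{
	return geteuid() != getuid() || getegid() != getgid();
}

/* Bind a TCP socket to a reserved port (1..1023); needs euid 0 on every
 * traditional Unix. Returns the descriptor, or -1 with errno set. */
int bind_privileged_port(in_port_t port)
{
	struct sockaddr_in sin;
	int fd, saved;

	if (port == 0 || port >= 1024) {	/* only reserved ports are the point here */
		errno = EINVAL;
		return -1;
	}
	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		return -1;
	memset(&sin, 0, sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
	sin.sin_port = htons(port);
	if (bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) {
		saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	return fd;
}

/* Drop to the real uid/gid for good. Order matters: setgid() first, because
 * once the effective uid is no longer 0 a gid change to anything but our own
 * ids is refused. Called with euid 0, setgid()/setuid() replace the real,
 * effective AND saved ids, so there is nothing left to come back to; the
 * final seteuid(0) probe confirms that. Returns 0 on success, -1 otherwise. */
int drop_privileges(void)
{
	uid_t uid = getuid();
	gid_t gid = getgid();

	if (setgid(gid) != 0)
		return -1;
	if (setuid(uid) != 0)
		return -1;
	if (geteuid() != uid || getegid() != gid)
		return -1;
	/* If the saved uid were still 0 this would succeed: treat that as failure. */
	if (uid != 0 && seteuid(0) == 0)
		return -1;
	return 0;
}

int main(void)
{
	int port_fd = -1, key_fd = -1;

	/* Both privileged jobs happen here, before any other code runs... */
	if (running_setid()) {
		port_fd = bind_privileged_port(1023);
		key_fd = open(HOST_KEY_PATH, O_RDONLY);
		/* ...and privileges go away whether or not those jobs succeeded. */
		if (drop_privileges() != 0)
			err(1, "cannot drop privileges");
	}

	/* Everything from here on is unprivileged; the descriptors are kept
	 * only as long as they are wanted and simply closed otherwise. */
	printf("uid=%u euid=%u gid=%u egid=%u\n", (unsigned)getuid(),
	    (unsigned)geteuid(), (unsigned)getgid(), (unsigned)getegid());
	printf("reserved port fd=%d host key fd=%d\n", port_fd, key_fd);
	if (port_fd >= 0)
		close(port_fd);
	if (key_fd >= 0)
		close(key_fd);
	return 0;
}
```

Run unprivileged, running_setid() is false, so the root block is skipped entirely and both descriptors stay -1; the drop routine still works in that case (setting ids to the values they already have is always permitted), which is what makes it testable without root. The seteuid(0) probe is the part that distinguishes a real drop from the old seteuid()-style temporary one that leaves the saved uid at 0.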