Message-Id: <200009022207.e82M78G32995@netplex.com.au>
From: Peter Wemm
To: Poul-Henning Kamp
Cc: Brian Somers, "Jacques A. Vidrine", Dan Nelson, sthaug@nethelp.no, ume@FreeBSD.ORG, arch@FreeBSD.ORG
Subject: Re: setuid ssh should die (Re: Request for review: nsswitch)
In-Reply-To: <41784.967926245@critter>
Date: Sat, 02 Sep 2000 15:07:08 -0700

Poul-Henning Kamp wrote:
> In message <200009022015.e82KFN740808@hak.lan.Awfulhak.org>, Brian Somers writes:
> >> On Sat, Sep 02, 2000 at 02:58:22PM -0500, Dan Nelson wrote:
> >> > Rather, it's so it can read the host key, which is only readable by
> >> > root.
> >>
> >> We're talking about ssh, not sshd.
> >>
> >> IMHO, ssh should be mode 0555. I have to change this all the time on
> >> my machines, since I often socksify ssh.
> >
> >Yes, a make.conf variable would be in order, defaulting to 0555 in
> >line with FallBackToRsh being set to no in /etc/ssh/ssh_config.
>
> Uhm, how about a ssh_config variable where you tell it to drop
> the setuid bit right away, wouldn't that work ?

It's too late by then. issetugid() is sticky and stays on forever. Perhaps
we can add a clearsetugid() syscall that apps can call when they are
prepared to guarantee that things like libc getpwent() don't have a cached
copy of the privileged master.passwd in memory that a coredump might
otherwise expose or ptrace() could extract.

On the other hand, I don't think applications *can* make this guarantee -
they have no way to be *certain* that libc hasn't cached something
sensitive.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5
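
The stickiness described in the message above, as an added example that is not part of the original thread: the program records issetugid(), drops the effective ids back to the real ones, and checks the flag again. The names drop_and_recheck and struct taint_report are hypothetical, and the AT_SECURE fallback for Linux (which has no issetugid() in glibc) is an assumption added so the code builds there.

```c
/* Added example (not from the original message).
 * Install setuid on a BSD system and run as an ordinary user to see
 * before=1 after=1: dropping privileges does not clear the flag. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#if defined(__linux__)
#include <sys/auxv.h>
/* Assumption: AT_SECURE stands in for issetugid() on Linux; it is
 * likewise fixed at exec time and never changes afterwards. */
static int tainted(void) { return getauxval(AT_SECURE) != 0; }
#else
static int tainted(void) { return issetugid(); }
#endif

struct taint_report {
    int before;   /* flag as seen at startup */
    int dropped;  /* 1 if effective ids now equal the real ids */
    int after;    /* flag as seen after the drop */
};

struct taint_report drop_and_recheck(void)
{
    struct taint_report r;
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    r.before = tainted();

    /* Group first: once the uid is dropped, setgid() may no longer be allowed. */
    r.dropped = setgid(rgid) == 0 && setuid(ruid) == 0 &&
                geteuid() == ruid && getegid() == rgid;

    /* libc still treats the process as set-id here, and anything it cached
     * while privileged (e.g. via getpwent()) is still in memory. */
    r.after = tainted();
    return r;
}

int main(void)
{
    struct taint_report r = drop_and_recheck();

    printf("before=%d dropped=%d after=%d\n", r.before, r.dropped, r.after);
    return 0;
}
```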