Re: openssh sshd user vs. group ???
On Wed, Jul 03, 2002 at 10:41:34AM -0500, Michael D. Schleif wrote:
> Colin Watson wrote:
> > That is correct. /var/empty would be an FHS violation; /home/sshd as the
> > home directory of the sshd user was just a transient mistake.
>
> Interesting -- how so?
Which, /var/empty or /home/sshd?
"Violation" is perhaps a bit strong, but the FHS says:
Applications should generally not add directories to the top level of
/var. Such directories should only be added if they have some system-
wide implication, and in consultation with the FHS mailing list.
/home/sshd is a bad idea because nothing should be stored in the sshd
user's home directory. It's there purely to trap people who break in.
> > Well, I'll say now that changing sshd's chroot path is not a risk. In
> > fact, it's superior, since it removes the risk that multiple daemons
> > might decide that /var/empty is a good place to chroot into, which would
> > breach security boundaries.
>
> OK, but, how is /var/run/sshd any different than /var/empty, in this
> regard?
/var/empty looks like it might be common, while /var/run/sshd is clearly
specific to one daemon.
A friend of mine tried to submit a patch to the ssh people to create the
directory on the fly and remove it after the chroot so that every
instance of sshd got a different directory, but they didn't seem to be
interested.
Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: