Re: Grsecurity and ssh
Arnaud Fontaine wrote:
> Now I would like to use the GNU/Linux kernel with the grsecurity patch. I
> have compiled and installed this kernel, but when I want to log into the
> system via ssh (the service also starts), I get the following error due
> to grsecurity:
> "grsec: denied attempt to double chroot to /[...] by (sshd:14334) UID(0)
> EUID(0), parent (sshd:20587) UID(0) EUID(0)"
The privilege separation code invokes chroot(), too.
Is there a "do not create any new file descriptors" process attribute in
grsecurity? If there is, OpenSSH should toggle it instead of calling
chroot() to an empty directory, which is a poor replacement.