
Re: Grsecurity and ssh



Arnaud Fontaine wrote:

> Now I would like to use the GNU/Linux kernel with grsecurity patch. I
> have compiled and installed this kernel but when I want to log into the
> system via ssh (the service starts also), I have the following error due
> to grsecurity:
> "grsec: denied attempt to double chroot to /[...] by (sshd:14334) UID(0)
> EUID(0), parent (sshd:20587) UID(0) EUID(0)"

The privilege separation code invokes chroot(), too.

Is there a "do not create any new file descriptors" process attribute in
grsecurity?  If there is, OpenSSH should toggle it instead of calling
chroot() to an empty directory, which is a poor replacement.
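
An added illustration (not OpenSSH's code and not part of the original message) of the chroot-to-an-empty-directory confinement the reply refers to, returning which step failed so that a denied chroot() stops the sequence instead of being ignored. The directory /var/empty, the UID/GID 65534 and all function names are assumptions made for this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return codes name the step that failed, so the caller can log it. */
enum confine_step { CONFINE_OK, CONFINE_CHROOT, CONFINE_CHDIR,
                    CONFINE_GROUPS, CONFINE_GID, CONFINE_UID, CONFINE_VERIFY };

static const char *const step_names[] = { "ok", "chroot", "chdir",
    "setgroups", "setgid", "setuid", "verify" };

const char *confine_step_name(int step)
{
    return (step >= 0 && step <= CONFINE_VERIFY) ? step_names[step] : "unknown";
}

/* Confine the calling (root) process: empty root directory first, then an
 * irreversible drop to an unprivileged uid/gid. Any failure aborts. */
int confine_child(const char *empty_dir, uid_t uid, gid_t gid)
{
    if (chroot(empty_dir) == -1)    /* the call a double-chroot restriction denies */
        return CONFINE_CHROOT;
    if (chdir("/") == -1)           /* do not keep a cwd outside the new root */
        return CONFINE_CHDIR;
    if (setgroups(1, &gid) == -1)   /* drop supplementary groups before the uid */
        return CONFINE_GROUPS;
    if (setgid(gid) == -1)
        return CONFINE_GID;
    if (setuid(uid) == -1)
        return CONFINE_UID;
    if (uid != 0 && (setuid(0) == 0 || getuid() != uid || geteuid() != uid))
        return CONFINE_VERIFY;      /* root could be regained: refuse to continue */
    return CONFINE_OK;
}

int main(void)
{
    /* Assumed values: /var/empty as the empty directory, 65534 as uid/gid. */
    int rc = confine_child("/var/empty", 65534, 65534);
    if (rc != CONFINE_OK)
        fprintf(stderr, "confinement failed at %s: %s\n",
                confine_step_name(rc), strerror(errno));
    return rc != CONFINE_OK;
}
```

Run as root inside an existing chroot on a kernel that denies nested chroot(), this stops at the first step, which matches the situation in the quoted log line.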


