
Bug#764608: patch for X11 forwarding when pam_namespace.so is used on SSH client



Hi Colin,

On Fri 10 Oct 2014 01:36:17 CEST, Colin Watson wrote:

Control: found -1 1:6.7p1-1
Control: forwarded -1 https://bugzilla.mindrot.org/show_bug.cgi?id=1789

On Thu, Oct 09, 2014 at 04:56:48PM +0200, Mike Gabriel wrote:
I just checked debian/changelog and the 6.7 release announcement. The
following issue hasn't been addressed yet in Debian, nor by upstream.

If on the SSH client side a session is running with pam_namespace.so
in use, it is impossible to do X11 port forwarding. The ssh client
tries to connect to /tmp/.X11-unix/X<displayport> which is out of
reach with pam_namespace sessions.

Instead, ssh client should connect the X11 forwarding end point to the
X11 socket in kernel namespace (@/tmp/.X11-unix/X<displayport>).

A patch is available in the Fedora OpenSSH package [1].
[...]
[1] http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-5.5p1-x11.patch

It appears (after a bit of trawling through git history plus some
guesswork; I wish Fedora had better conventions for patch headers the
way that Debian does ...) that this is
https://bugzilla.redhat.com/show_bug.cgi?id=598671, and the upstream bug
is https://bugzilla.mindrot.org/show_bug.cgi?id=1789.  By the way the
patch in Fedora's git repository does not match the latest one attached
to the upstream bug.

I'm a bit wary given upstream's fairly strenuous objections.  In cases
where I feel I know something better than upstream I do sometimes decide
to carry a patch anyway of course, but in this case I'm far from a
relevant expert.  Do you think that perhaps somebody could re-engage
with that upstream bug and see if they can work through the objections?

I guess the discussion is about security models. X11 has a security model and thus can justify using kernel namespace sockets (the argument that a file socket with 0777 is equivalent to a kernel namespace socket fully applies IMHO...). I think it is not on the OpenSSH side to judge the concept of kernel namespace sockets to be good or bad.

The point is, X11 uses them, has a security model behind the X11 socket files (or kernel namespace sockets), and the X11 developers announced the possibility of dropping the file sockets completely.

For X2Go (a while back), I implemented kernel namespace socket support for nxagent [1] and nxproxy [2]. The nxproxy patch [2] I imitated from the OpenSSH abstract socket support in Fedora, and it works very well with nxproxy.

Furthermore, this kernel namespace patch for OpenSSH only affects X11 forwarding. So, OpenSSH should really adapt to what X11 comes up with.

My 2¢ on this...
Mike

[1] http://code.x2go.org/gitweb?p=nx-libs.git;a=blob;f=debian/patches/028_nx-X11_abstract-kernel-sockets.full.patch
[2] http://code.x2go.org/gitweb?p=nx-libs.git;a=blob;f=debian/patches/027_nxcomp_abstract-X11-socket.full%2Blite.patch



--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
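The mechanism under discussion in this thread, shown as an added example that is neither the Fedora patch nor OpenSSH code: on Linux, an X11 client can reach the display socket either by its filesystem path (/tmp/.X11-unix/X<n>) or by the abstract-namespace name (@/tmp/.X11-unix/X<n>), which is encoded as a sockaddr_un whose sun_path starts with a NUL byte and whose address length counts only the name bytes. With pam_namespace the filesystem path resolves inside the user's private /tmp and fails with ENOENT, while the abstract name is still reachable because the abstract namespace is scoped to the network namespace, not the mount namespace. The same property is the caveat: an abstract socket has no filesystem permissions at all, so only the X server's own access control (the xauth cookie) stands between the display and any process in that network namespace. The function names, the fallback order (filesystem first, then abstract) and the display-number argument are this example's own choices.

```c
/* Added example: address an X display by filesystem or abstract Unix socket.
 * Linux-specific (abstract sockets are a Linux extension).  Not the Fedora
 * patch and not OpenSSH code; names and fallback order are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define X11_SOCKET_DIR "/tmp/.X11-unix"

/* Fill *sa and *len for display number `display`.
 * abstract == 0: ordinary filesystem socket "/tmp/.X11-unix/X<n>", NUL-terminated.
 * abstract != 0: abstract socket "@/tmp/.X11-unix/X<n>": sun_path[0] is NUL,
 *                the name follows it, and *len covers exactly those bytes
 *                (no trailing NUL), which is how Linux distinguishes the two.
 * Returns 0 on success, -1 if the name does not fit in sun_path. */
int build_x11_sockaddr(int display, int abstract,
                       struct sockaddr_un *sa, socklen_t *len)
{
    char path[sizeof sa->sun_path];
    int n = snprintf(path, sizeof path, "%s/X%d", X11_SOCKET_DIR, display);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;

    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (abstract) {
        memcpy(sa->sun_path + 1, path, (size_t)n);          /* sun_path[0] stays 0 */
        *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + (size_t)n);
    } else {
        memcpy(sa->sun_path, path, (size_t)n + 1);          /* include the NUL */
        *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + (size_t)n + 1);
    }
    return 0;
}

/* Connect to the display: try the filesystem socket, then the abstract one.
 * Under pam_namespace the first attempt fails with ENOENT (private /tmp) and
 * the second succeeds.  Returns a connected fd, or -1 with errno set by the
 * last failed call. */
int connect_x11_display(int display)
{
    static const int kinds[] = { 0, 1 };   /* 0 = filesystem, 1 = abstract */
    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
        struct sockaddr_un sa;
        socklen_t len;
        int fd;

        if (build_x11_sockaddr(display, kinds[i], &sa, &len) < 0)
            continue;
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0)
            return -1;
        if (connect(fd, (const struct sockaddr *)&sa, len) == 0)
            return fd;
        close(fd);
    }
    return -1;
}

int main(int argc, char **argv)
{
    /* Display number is argv[1] (default 0); a real client would parse $DISPLAY. */
    int display = argc > 1 ? atoi(argv[1]) : 0;
    int fd = connect_x11_display(display);
    if (fd < 0) {
        fprintf(stderr, "display :%d not reachable via file or abstract socket: %s\n",
                display, strerror(errno));
        return 1;
    }
    printf("connected to display :%d on fd %d\n", display, fd);
    close(fd);
    return 0;
}
```

The length calculation is the part that usually goes wrong: passing sizeof(struct sockaddr_un) for an abstract address makes the kernel treat the trailing zero bytes as part of the name, so the client ends up talking to a different name than the server bound. Running the program inside a pam_namespace session with a local X server shows the first attempt failing and the second succeeding, which is exactly the situation the thread describes for the ssh client.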
