
Bug#764608: patch for X11 forwarding when pam_namespace.so is used on SSH client



On Sat, Oct 11, 2014 at 08:14:58AM +0000, Mike Gabriel wrote:
> On  Fr 10 Okt 2014 01:36:17 CEST, Colin Watson wrote:
> >I'm a bit wary given upstream's fairly strenuous objections.  In cases
> >where I feel I know something better than upstream I do sometimes decide
> >to carry a patch anyway of course, but in this case I'm far from a
> >relevant expert.  Do you think that perhaps somebody could re-engage
> >with that upstream bug and see if they can work through the objections?
> 
> I guess the discussion is about security models. Whereas X11 has a
> security model and thus can justify using kernel namespace sockets
> (the argument a file socket with 0777 is equivalent to a kernel
> namespace socket fully applies IMHO...). I think it is not on the
> OpenSSH side to judge the concept of kernel namespace sockets to be
> good or bad.
> 
> The point is, X11 uses them, has a security model behind the X11
> socket files (or kernel namespace sockets) and the X11 developers
> announced the possibility to drop the file sockets completely.
> 
> For X2Go (a while back), I implemented kernel namespace socket
> support for nxagent [1] and nxproxy [2]. The nxproxy patch [2] I
> imitated from the OpenSSH abstract socket support in Fedora and it
> works very well with nxproxy.
> 
> Furthermore, this kernel namespace patch for OpenSSH only affects
> X11 forwarding. So, OpenSSH should really adapt to what the X11 come
> up with.

Thanks, but I'm not asking you to persuade me, I'm asking for somebody
to persuade upstream.  That's probably going to involve communication on
the upstream bug and/or on openssh-unix-dev.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]

