Bug#771625: openssh-server: Please add ProtectSystem=yes to service file
Russ Allbery <rra@debian.org> writes:
> Micah Anderson <micah@debian.org> writes:
>
>> If you add the option ProtectSystem=yes to the service file, then the
>> daemon will not have the ability to write to /usr.
>
> How does this interact with the OpenSSH daemon, which spawns user shells?
> I was (blindly) assuming that these security settings would be inherited
> by all child processes of the spawned process, so you'd end up with shells
> that also had read-only /usr, possibly interfering with later sudo, su, or
> other similar operations.
That is a good point. Unless I did something wrong, I just set this in my system's ssh service
file, like this:
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
ProtectSystem=yes
[Install]
WantedBy=multi-user.target
Alias=sshd.service
Then I did:
# systemctl daemon-reload
# systemctl reload ssh
then I did:
$ ssh root@localhost
# touch /usr/foo
#
It seemed to work fine.
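ProtectSystem=yes is implemented as a read-only bind mount of /usr (and /boot) inside the service's mount namespace, so every process sshd spawns, session shells included, inherits it. A `systemctl reload` only runs the unit's ExecReload= command, here `kill -HUP`, which signals the running daemon without re-executing it; new sandboxing directives therefore take effect only on `systemctl restart`. The script below is an added example and is not part of this bug report or of the systemd project's code: it parses a unit file (a constructed copy of the ssh.service shown above is embedded) and reports the ProtectSystem value, the paths it makes read-only, and whether the unit's reload action would apply that setting. The commands in the trailing comment are what one would run on a live system to confirm the sandbox is really in place.

```shell
#!/bin/sh
# Added example, not from the bug report: inspect a systemd unit file for
# ProtectSystem= and for whether "systemctl reload" would apply it.

# Constructed sample: a copy of the ssh.service unit quoted in the thread.
UNIT_TEXT='[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
ProtectSystem=yes
[Install]
WantedBy=multi-user.target
Alias=sshd.service'

# Constructed sample: the same unit without any ProtectSystem= directive.
UNIT_TEXT_UNPROTECTED=$(printf '%s\n' "$UNIT_TEXT" | grep -v '^ProtectSystem=')

# service_keys UNIT_TEXT: print only the key=value lines of the [Service] section.
service_keys() {
  printf '%s\n' "$1" | awk '
    /^\[/ { in_service = ($0 == "[Service]"); next }
    in_service && /=/ { print }
  '
}

# protect_system_value UNIT_TEXT: the effective ProtectSystem= value, or "unset".
# systemd uses the last assignment, hence tail -n 1.
protect_system_value() {
  v=$(service_keys "$1" | sed -n 's/^ProtectSystem=//p' | tail -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# readonly_paths VALUE: the directories a given ProtectSystem= value makes
# read-only for the service and all of its children (newer systemd versions
# also include /efi alongside /boot).
readonly_paths() {
  case "$1" in
    yes|true)   printf '/usr /boot\n' ;;
    full)       printf '/usr /boot /etc\n' ;;
    strict)     printf 'entire filesystem except /dev /proc /sys\n' ;;
    *)          printf 'none\n' ;;
  esac
}

# reload_reexecs_daemon UNIT_TEXT: "no" when ExecReload= merely signals the
# running process (kill ...), so a reload cannot pick up new sandboxing;
# "unset" when there is no ExecReload= at all (systemctl reload would fail);
# "maybe" otherwise (depends on what the reload command does).
reload_reexecs_daemon() {
  reload=$(service_keys "$1" | sed -n 's/^ExecReload=//p' | tail -n 1)
  case "$reload" in
    '')       printf 'unset\n' ;;
    *kill\ *) printf 'no\n' ;;
    *)        printf 'maybe\n' ;;
  esac
}

# report UNIT_TEXT: human-readable summary of the above checks.
report() {
  ps=$(protect_system_value "$1")
  printf 'ProtectSystem:          %s\n' "$ps"
  printf 'read-only for children: %s\n' "$(readonly_paths "$ps")"
  printf 'reload re-execs daemon: %s\n' "$(reload_reexecs_daemon "$1")"
  if [ "$ps" != unset ] && [ "$(reload_reexecs_daemon "$1")" != maybe ]; then
    printf 'note: use "systemctl restart" to apply ProtectSystem after editing\n'
  fi
}

report "$UNIT_TEXT"

# On a live system, confirm the sandbox from outside the service:
#   systemctl show -p ProtectSystem ssh.service
#   nsenter -t "$(systemctl show -p MainPID --value ssh.service)" -m \
#       findmnt -o TARGET,OPTIONS /usr      # expect "ro" in OPTIONS
```

The second command enters the daemon's mount namespace and lists the /usr mount as sshd (and any shell it spawns) sees it; a `touch` test from inside an ssh session only proves something once that mount shows `ro`.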