
Bug#771625: openssh-server: Please add ProtectSystem=yes to service file



Russ Allbery <rra@debian.org> writes:

> Micah Anderson <micah@debian.org> writes:
>
>> If you add the option ProtectSystem=yes to the service file, then the
>> daemon will not have the ability to write to /usr.
>
> How does this interact with the OpenSSH daemon, which spawns user shells?
> I was (blindly) assuming that these security settings would be inherited
> by all child processes of the spawned process, so you'd end up with shells
> that also had read-only /usr, possibly interfering with later sudo, su, or
> other similar operations.

That is a good point. Unless I did something wrong, I just set this in my system's ssh service
file, like this:

[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
ProtectSystem=yes

[Install]
WantedBy=multi-user.target
Alias=sshd.service

Then I did

# systemctl daemon-reload
# systemctl reload ssh

Then I did:

$ ssh root@localhost
# touch /usr/foo
#

It seemed to work fine.
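
One way to check whether ProtectSystem= is in effect for a given process, added here as an example and not part of the original message: it reports whether a PID runs in its own mount namespace and whether /usr is mounted read-only from that PID's point of view. The function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a process's view of /usr. Reads only /proc;
# run as root to inspect processes owned by other users.

# Read mountinfo-format lines on stdin (field 5 = mount point, field 6 =
# per-mount options) and print "ro", "rw" or "unknown" for the mount that
# covers /usr: a mount at /usr if one exists, otherwise the root mount.
usr_mount_state() {
    awk '$5 == "/" && !seen_usr { opts = $6 }
         $5 == "/usr"           { opts = $6; seen_usr = 1 }
         END {
             if (opts == "")                 print "unknown"
             else if (opts ~ /(^|,)ro(,|$)/) print "ro"
             else                            print "rw"
         }'
}

# Print "private" if PID $1 is in a different mount namespace than PID 1,
# "host" if it shares it, "unknown" if the namespace links cannot be read.
mount_ns_state() {
    init_ns=$(readlink /proc/1/ns/mnt 2>/dev/null) || { echo unknown; return; }
    pid_ns=$(readlink "/proc/$1/ns/mnt" 2>/dev/null) || { echo unknown; return; }
    if [ "$init_ns" = "$pid_ns" ]; then echo host; else echo private; fi
}

# Constructed samples: a plain host view, and a view with /usr bind-mounted
# read-only on top of a writable root.
sample_host() {
    printf '%s\n' '22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw'
}
sample_protected() {
    printf '%s\n' \
        '310 280 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw' \
        '311 310 8:1 /usr /usr ro,relatime master:1 - ext4 /dev/sda1 rw'
}

# Usage: sh check-usr.sh PID  (the sshd main PID, or $$ from inside an SSH
# session). Without a PID, the constructed samples are evaluated instead.
if [ $# -gt 0 ]; then
    echo "mount namespace: $(mount_ns_state "$1")"
    echo "/usr: $(cat "/proc/$1/mountinfo" 2>/dev/null | usr_mount_state)"
else
    echo "sample host view: /usr is $(sample_host | usr_mount_state)"
    echo "sample protected view: /usr is $(sample_protected | usr_mount_state)"
fi
```

systemd applies ProtectSystem= when it starts the service's main process, so take the readings after `systemctl restart ssh`; `systemctl reload ssh` only runs the ExecReload= command against the daemon that is already running.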

