Bug#771625: openssh-server: Please add ProtectSystem=yes to service file
Micah Anderson <micah@debian.org> writes:
> If you add the option ProtectSystem=yes to the service file, then the
> daemon will not have the ability to write to /usr.
How does this interact with the OpenSSH daemon, which spawns user shells?
I was (blindly) assuming that these security settings would be inherited
by all child processes of the spawned process, so you'd end up with shells
that also had read-only /usr, possibly interfering with later sudo, su, or
other similar operations.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: