ssh-agent setgid vs. unprivileged chroot on hurd (was: failed build tests for ssh-agent-filter on hurd-i386)

Dear hurd buildd admins, dear ssh maintainers,

recap for ssh maintainers:
in my package ssh-agent-filter I'm using ssh-agent in the post-build tests.
There was a build failure on hurd[1] (ssh-agent not starting because libssl
was too old) that was only fixed by updating libssl1.1 outside the chroot.

02.01.19 21:51 Samuel Thibault:
> Oh, I see that /usr/bin/ssh-agent is setgid ssh.  That's why it escapes
> the chroot (chroot() is not a privileged operation on the Hurd, and thus
> setuid/setgid have to escape the chroot to avoid security issues)

IIRC ssh-agent being setgid is to keep other processes of the same user from
extracting secret keys via ptrace, which is not a problem in my tests.

Nevertheless I see that this is a general issue that might affect or maybe
already affects other packages.

Several possible solutions and non-solutions came to my mind:

1. Disable such failing tests on hurd?
   * At least I won't give up that easily. => NO.

2. Update hurd buildds to unstable?
   * That seems to have happened partially in this case, but should not
     become the norm.

3. Copy such setid binaries into the test's temporary directory?
   * That would remove the setid bits so the binaries wouldn't escape.
   * This would probably work for my package but is more of a hack and
     extra work for every affected package.

4. Globally remove setid bits from executables in hurd build chroots?
   * Might do more harm than good.

5. Implement/use some "privileged chroot" mode?
   * Maybe there could be a per-boot switch for disabling this security
     feature while allowing path translators (is this the correct term?)
     only for root.

6. Use a VM instead of chroot for building packages on hurd?
   * I don't know right now if there's a preexisting solution for building
     in VMs without chroot and how much userspace outside the chroot
     packages use while building/testing.
   * This will probably incur some overhead for starting a VM, so it would
     only be used for packages requiring that.

What do you think?


Regards
Timo

[1] https://buildd.debian.org/status/fetch.php?pkg=ssh-agent-filter&arch=hurd-i386&ver=0.5.2-1&stamp=1543022025&raw=0
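Option 3 above (copying the set-id binary so that the copy carries no setgid bit and therefore cannot trigger the chroot escape Samuel describes) can be done in a few lines of a test script. The following is an added example and not code from the mail, the ssh-agent-filter package or the Hurd; it assumes a POSIX sh, GNU-style cp/chmod, and a hypothetical staging directory passed by the caller. The stand-in "agent" used by the demo is constructed here so the script runs without ssh-agent installed.

```sh
#!/bin/sh
# Added example (not from the original mail or the ssh-agent-filter package).
# Stage a copy of a set-id binary into a private directory so the copy has no
# setuid/setgid bit and so cannot trigger the set-id chroot escape on the Hurd.
# Assumes POSIX sh, cp, chmod, mktemp and the [ -u ] / [ -g ] tests.

# stage_unprivileged SRC DESTDIR
# Copies SRC into DESTDIR, strips any set-id bits from the copy and prints the
# path of the copy. Returns non-zero if a set-id bit somehow survives.
stage_unprivileged() {
    src=$1
    destdir=$2
    copy="$destdir/$(basename "$src")"
    # A plain cp (no -p) creates the destination without the setuid/setgid
    # bits; the chmod makes that explicit and also covers callers using cp -p.
    cp "$src" "$copy" || return 1
    chmod u-s,g-s "$copy" || return 1
    # Refuse to hand out a copy that still carries a set-id bit.
    if [ -u "$copy" ] || [ -g "$copy" ]; then
        echo "set-id bit still present on $copy" >&2
        return 1
    fi
    printf '%s\n' "$copy"
}

# has_setid PATH: succeeds if PATH has the setuid or the setgid bit.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# demo: how a post-build test would use it. With a real agent one would run
#   agent=$(stage_unprivileged /usr/bin/ssh-agent "$stagedir")
#   eval "$("$agent" -s)"
# Here a constructed stand-in script marked setgid replaces ssh-agent.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho fake-agent\n' > "$tmp/fake-agent"
    chmod 2755 "$tmp/fake-agent"      # setgid, like /usr/bin/ssh-agent
    mkdir "$tmp/stage"
    copy=$(stage_unprivileged "$tmp/fake-agent" "$tmp/stage") || return 1
    if has_setid "$copy"; then
        echo "demo: copy still set-id" >&2
        return 1
    fi
    "$copy"
    rm -rf "$tmp"
}
```

The function is deliberately strict: it does not trust cp to drop the bit on every platform and filesystem, it strips the bit itself and then verifies, so a test that ends up with a set-id copy fails loudly instead of silently escaping the chroot.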
