
Re: openssh sshd user vs. group ???



On Wed, Jul 03, 2002 at 08:53:20AM -0500, Michael D. Schleif wrote:
> Colin Watson wrote:
> > "Its primary group" doesn't have to be called sshd. There's no
> > particular reason to create a separate group.
> 
> Other than the source documentation; and, of course, lack of
> distribution documentation on this point . . .

Let's face it, the Debian releases of OpenSSH >= 3.3 have had to be done
in something of a hurry. Documentation is a fine point compared to
security.

> > The Debian package is configured slightly differently from that
> > /var/empty recommendation in order to follow policy better. It uses
> > /var/run/sshd instead. Other than that there's no difference from the
> > documentation.
> 
> In fact, why not make /var/run/sshd home directory for sshd user?

Current ssh releases create it that way. If you upgraded to one of the
intermediate (and even more rushed) security releases then you'll have
it as /home/sshd instead.

> I also know that the source provides an sshd.8 manpage that includes,
> among else, this:
> 
>   /var/empty
> 	chroot(2) directory used by sshd during privilege separation in
> 	the pre-authentication phase.  The directory should not contain
> 	any files and must be owned by root and not group or world-
> 	writable.

That should be patched.

> What I do find, except for this very thread, is:
> 
> [a] debian *NOT* following the source documentation;

Debian frequently doesn't in terms of paths. We have our own standards
in order to keep the system consistent.

> [b] *NO* /var/empty nor /home/sshd directories;

That is correct. /var/empty would be an FHS violation; /home/sshd as the
home directory of the sshd user was just a transient mistake.

> [c] *NO* debian documentation publishing these deviations from source
> instructions;

File a bug.

> [d] debian documentation deviates from source documentation, including
> manpages; and

Um, were you not complaining a moment ago that the Debian documentation
should be fixed? It is a *good* thing that man pages are kept up to date
with the distribution's configuration.

> [e] *NO* debian documentation demonstrating that these changes achieve
> same goals as source distribution.

Well, I'll say now that changing sshd's chroot path is not a risk. In
fact, it's superior, since it removes the risk that multiple daemons
might decide that /var/empty is a good place to chroot into, which would
breach security boundaries.

> Notice, I am *NOT* attempting to be critical here!  Yes, now that you
> mention it, I do find this in sshd.8:
> 
>   /var/run/sshd
> 	chroot(2) directory used by sshd during privilege separation in
> 	the pre-authentication phase.  The directory should not contain
> 	any files and must be owned by root and not group or world-
> 	writable.

Oh, so it has been patched then. Good.

> Now, I do understand.  Nevertheless, I think that debian could make such
> things clearer at the outset, rather than prompting me to doubt and
> question -- or, perhaps, I am just daft ;>

I think all you need to do is file a bug asking for README.Debian to be
updated to document the current privsep configuration. If you look at
that file in the current ssh package you'll see that a number of similar
things are already documented, so it's not like this kind of thing is
kept quiet on purpose.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
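
The sshd.8 requirements quoted in the thread (chroot directory owned by root, not group- or world-writable, containing no files) can be checked with a short shell function. This is an added example, not part of the original message or of the Debian package; the function name `check_privsep_dir` and its optional expected-UID argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian package).
# check_privsep_dir DIR [EXPECTED_UID]
#   Audits DIR against the sshd.8 text quoted above: owned by root,
#   not group- or world-writable, and containing no files.
#   EXPECTED_UID defaults to 0 (root); the override is an assumption
#   added so the check can be exercised without root.
#   Prints one FAIL line per finding; returns 0 if clean, 1 otherwise.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    rc=0

    # A symlink could point the chroot somewhere else; require a real directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a real directory"
        return 1
    fi

    # ls -ldn prints: mode links uid gid ... (numeric ids)
    meta=$(ls -ldn -- "$dir") || return 1
    mode=$(printf '%s\n' "$meta" | awk '{print $1}')
    uid=$(printf '%s\n' "$meta" | awk '{print $3}')

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $uid, expected $want_uid"
        rc=1
    fi
    case $mode in
        ?????w*) echo "FAIL: $dir is group-writable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ????????w*) echo "FAIL: $dir is world-writable ($mode)"; rc=1 ;;
    esac
    # ls -A lists dotfiles too, but not . and ..
    if [ -n "$(ls -A -- "$dir")" ]; then
        echo "FAIL: $dir is not empty"
        rc=1
    fi
    return $rc
}

# Usage on a Debian system, per the thread: check_privsep_dir /var/run/sshd
```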

