[rsbac] sshd problems

Amon Ott ao at rsbac.org
Wed Apr 4 10:16:16 CEST 2007

On Wednesday 04 April 2007 10:04, Sven Seeland wrote:
> So you are saying I should grant the initial sshd process the right
> to setuid to root and to authenticate users? Isn't that a huge risk
> in case sshd is hacked, as it has been before? I'm thinking whether
> it might be safer to work with a fake root and a min cap that
> allows setuid btu that doesn't help that much because the attacker
> would then still have the right to setuid to root.

You only allow setting the euid and fsuid to root, not the real uid. 
So this root process runs with the SSHD Initial role and has only the 
rights you want it to. Additionally, you can remove all unnecessary 
capabilities with a CAP max_caps setting.

Also, during network conversation the process runs as user 22. You can 
further reduce its rights, if you assing yet another role as def_role 
to that user.

If you know that you will never need administrative rights over ssh, 
you can also run sshd in a jail. Then whatever RC roles the users 
have, they will always be inside this jail with limited rights, if 
they came through ssh.

> And to answer your questions: yes, the sshd user 22 has role 0 and
> I'm trying to login as secoff. I already have debug_adf_rc enabled,
> that's how I know that the process that is trying to authenticate
> has the role 0.

Oh yes, right.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list