[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: client testsuite with sshd privilege separation


On Mon, 2017-11-20 at 23:11 +0100, Andreas Schneider wrote:
> On Monday, 20 November 2017 18:03:59 CET Jakub Jelen wrote:
> > Hello all,
> > I am trying to run the libssh client testsuite with latest OpenSSH,
> > which does not support running without privilege separation.
> > According
> > to OpenSSH upstream, it should not be a problem to run it as an
> > unprivileged user, but whatever I do, I am still getting the
> > following
> > error:
> > 
> >   Bind to port 22 on 127.0.0.10 failed: Permission denied.
> > 
> > I ruled out SELinux already, I tried to add socket_wrapper debug
> > environment variable, but still it does not generate any output.
> > strace
> > is not showing anything suspicious. I am out of ideas what else
> > could
> > prevent server starting. On what else is cwrap/socket_wrapper
> > depending
> > that could be stripped by the OpenSSH server? Note that this is
> > happening basically before the privilege separation is being
> > effective.
> 
> I think it clears the env, so LD_PRELOAD is not set and
> socket_wrapper not 
> loaded.

Nope. OpenSSH does not touch environment. Once I was debugging the
issue, I noticed, that the LD_PRELOAD is set up from Makefiles, but
some other environment variables from the code and therefore when I was
running the single test manually, it did not get used at all.

The real problem here is the uid_wrapper: As it is set up now, it is
faking the root UID, therefore SSHD is believing it has a permissions
to do the chroot, but fails to do that, which is in this late stage a
fatal error.

Not sure what all the UID wrapper is needed here for, but my proposal
would be to remove it or implement some kind of chroot wrapper to make
sshd happy.

I will have a look into the options, since I believe testing against
current OpenSSH is something useful. Any ideas opinion on this?


Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

Follow-Ups:
Re: client testsuite with sshd privilege separationJakub Jelen <jjelen@xxxxxxxxxx>
References:
client testsuite with sshd privilege separationJakub Jelen <jjelen@xxxxxxxxxx>
Re: client testsuite with sshd privilege separationAndreas Schneider <asn@xxxxxxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org