Mail Archives: cygwin/2017/03/22/04:40:20

Date: Wed, 22 Mar 2017 09:39:47 +0100
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Cc: Lionel Fourquaux <lionel.fourquaux@normalesup.org>
Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-7.5p1-1
Message-ID: <20170322083947.GA1785@calimero.vinschen.de>
References: <20170322013427.GA6640@emris.lionel.fourquaux.org>
In-Reply-To: <20170322013427.GA6640@emris.lionel.fourquaux.org>

Hi Lionel,

On Mar 22 02:34, Lionel Fourquaux wrote:
> > * This release deprecates the sshd_config UsePrivilegeSeparation
> >   option, thereby making privilege separation mandatory.
>
> This has (probably not wholly intended) consequences when running sshd in
> single user (non root) mode:
>
> $ /usr/sbin/sshd -D -f ~/.ssh/sshd_config
> Privilege separation user sshd does not exist
>
> The problem is not limited to Cygwin, but is unlikely to happen in a typical
> Unix, since ssh is probably installed globally.
>
> If Cygwin was installed without administrative privileges, creating a
> dedicated sshd user would be impossible (and makes little sense if sshd runs
> in single user mode, anyway).  I guess it would be possible to add a fake
> user account in /etc/passwd.
>
> Since user sshd and chroot /var/empty are not used in single user mode, it
> might be better to remove the check in this case:
>
> === cut after ===
> diff --git a/sshd.c b/sshd.c
> index 010a2c3..4f9b2c8 100644
> --- a/sshd.c
> +++ b/sshd.c
> @@ -1641,7 +1641,8 @@ main(int ac, char **av)
>
> 	/* Store privilege separation user for later use if required. */
> 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
> -		if (use_privsep || options.kerberos_authentication)
> +		if ((use_privsep || options.kerberos_authentication)
> +		    && (getuid() == 0 || geteuid() == 0))
> 			fatal("Privilege separation user %s does not exist",
> 			    SSH_PRIVSEP_USER);
> 	} else {
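Review bot: the added `&& (getuid() == 0 || geteuid() == 0)` only suppresses the fatal() for a non-root sshd; `privsep_pw` is still left NULL while `use_privsep` stays set, so every later use of `privsep_pw` that is reached when `use_privsep` is true needs the same root guard (or `use_privsep` needs to be cleared here), otherwise a clean fatal() at start-up turns into a NULL dereference later on. A one-line comment on the `+` lines explaining that the privsep user is only needed when sshd can actually drop privileges (the point made in the mail, that the sshd user and chroot are not used in single-user mode) would also help, since the block as written gives no hint why the user became optional.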
> @@ -1767,7 +1768,7 @@ main(int ac, char **av)
> 		    key_type(key));
> 	}
>
> -	if (use_privsep) {
> +	if (use_privsep && (getuid() == 0 || geteuid() == 0)) {
> 		struct stat st;
>
> 		if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
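Review bot: the root test `(getuid() == 0 || geteuid() == 0)` is now spelled out twice (here and in the getpwnam() hunk above); hoisting it into one local such as `int running_as_root = (getuid() == 0 || geteuid() == 0);` keeps the two checks from drifting apart. This hunk also skips the whole stat() block on `_PATH_PRIVSEP_CHROOT_DIR` for a non-root instance rather than downgrading its fatal() to a warning; a debug() or logit() line for that case would make it visible in the log that the chroot directory checks were bypassed because sshd was not started as root.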
> === cut before ===
>
> Best regards,
>
> 		-- Lionel

Thanks for the report.  However, since this is an upstream issue, and
Cygwin is not the only affected system, I think it would be better to
discuss this on the upstream developer mailing list

  openssh-unix-dev@mindrot.org

Shall I forward your message or would you like to report it yourself?


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin@cygwin.com
Red Hat
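A preflight check for the two start-up requirements that the quoted sshd.c code enforces while privilege separation is on (the privsep user resolving via getpwnam(), the chroot directory passing stat()), as an added POSIX sh example that is not part of the thread or of OpenSSH. It takes the passwd file, user name, directory and expected owner as parameters so it can be run against a fixture without root; the owner and group/other-writable checks on the directory are an assumption about what follows the stat() call the patch cuts off.

```shell
#!/bin/sh
# Added example: reproduce sshd's privilege-separation preconditions as a
# standalone check, so a non-root (single-user) install can see up front
# why "Privilege separation user sshd does not exist" would be reported.
# Arguments: passwd file, privsep user, chroot directory, expected owner
# (owner check is skipped when the fourth argument is empty).
privsep_preflight() {
    passwd_file=$1
    privsep_user=$2
    chroot_dir=$3
    expected_owner=$4
    status=0

    # Same lookup sshd performs with getpwnam(SSH_PRIVSEP_USER), done on a
    # passwd-format file so it works without root or NSS.
    if ! grep -q "^${privsep_user}:" "$passwd_file"; then
        echo "privilege separation user '$privsep_user' not found in $passwd_file" >&2
        status=1
    fi

    if [ ! -d "$chroot_dir" ]; then
        echo "privilege separation directory '$chroot_dir' is missing" >&2
        status=1
    else
        # Assumed follow-up to the stat(): the directory must be owned by
        # root and must not be group- or world-writable.  Columns 6 and 9
        # of the ls -ld mode string are the group and other write bits.
        mode=$(ls -ld "$chroot_dir" | cut -c6,9)
        owner=$(ls -ld "$chroot_dir" | awk '{print $3}')
        if [ "$mode" != "--" ]; then
            echo "'$chroot_dir' must not be group- or world-writable" >&2
            status=1
        fi
        if [ -n "$expected_owner" ] && [ "$owner" != "$expected_owner" ]; then
            echo "'$chroot_dir' is owned by $owner, expected $expected_owner" >&2
            status=1
        fi
    fi

    [ "$status" -eq 0 ] && echo "privsep preconditions satisfied: $privsep_user, $chroot_dir"
    return "$status"
}

# Direct invocation, e.g.: sh privsep_preflight.sh /etc/passwd sshd /var/empty root
[ $# -eq 0 ] || privsep_preflight "$@"
```

A non-zero exit means a 7.5 sshd started with these settings would stop at the corresponding fatal(), whether or not it runs as root.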

