From owner-freebsd-security Thu Aug 3 2:57:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from berlin.sfai.edu (berlin.sfai.edu [63.197.251.100])
    by hub.freebsd.org (Postfix) with ESMTP id 0F38F37B72C
    for ; Thu, 3 Aug 2000 02:57:46 -0700 (PDT)
    (envelope-from karsten@berlin.sfai.edu)
Received: (from karsten@localhost)
    by berlin.sfai.edu (8.10.0.Beta12/8.10.0Beta12) id e736ve607549;
    Thu, 3 Aug 2000 02:57:40 -0400
Date: Thu, 3 Aug 2000 02:57:40 -0400
From: Karsten Patzwaldt
To: Andre Albsmeier , freebsd-security@freebsd.org
Subject: Re: What will I lose if ssh is no more suid root?
Message-ID: <20000803025740.A7484@berlin.sfai.edu>
References: <20000803074228.A1682@curry.mchp.siemens.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.1.2i
In-Reply-To: <20000803074228.A1682@curry.mchp.siemens.de>; from andre.albsmeier@mchp.siemens.de on Thu, Aug 03, 2000 at 07:42:28AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Aug 03, 2000 at 07:42:28AM +0200, Andre Albsmeier wrote:
> As the subject says: What functionality will I lose when ssh
> in 4.1-STABLE is not setuid root anymore?
>
> The reason for asking is that I want to socksify ssh on the
> fly with runsocks. I removed the setuid root mode and it seems
> to work.
>
> Since I assume that no program is suid root without reason,
> can someone please enlighten me what I will lose now?

SSH uses ports <1024 when it opens a connection, which is only
allowed for root. I don't have a reasonable explanation for this,
although it could give some protection from clients that were not
installed by the admin. But this ports <1024-protection doesn't work
anyways (who has no UNIX computer at home? Does this protection work
on Windows? Er...), so IMHO it should be safe to remove SUID.

Regards,
--
Karsten
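
The reserved-port rule discussed in the reply above, as an added example that is not part of the original thread and is not OpenSSH code: a client asks for a source port below 1024 and falls back to a kernel-chosen port when the OS refuses. The names `bind_port` and `open_client_socket` are hypothetical, and the 1023-down-to-512 search order is an assumption of this sketch.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind fd to a local port on any address; returns 0 or the errno value. */
static int bind_port(int fd, unsigned short port) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    return bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
}

/* Hypothetical helper: returns a TCP socket bound to a reserved source port
 * (1023 down to 512) when the OS permits it, otherwise to a kernel-chosen
 * port. The bound port is stored in *port_out; returns -1 on failure. */
int open_client_socket(int want_reserved, int *port_out) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    for (int p = 1023; want_reserved && p >= 512; p--) {
        int err = bind_port(fd, (unsigned short)p);
        if (err == 0) { *port_out = p; return fd; }
        if (err != EADDRINUSE) break;   /* e.g. EACCES: caller lacks privilege */
    }
    /* Non-setuid path: let the kernel pick an unprivileged port. */
    if (bind_port(fd, 0) != 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) != 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

int main(void) {
    int port;
    int fd = open_client_socket(1, &port);
    if (fd < 0) { perror("open_client_socket"); return 1; }
    printf("euid=%d source port=%d (%s)\n", (int)geteuid(), port,
           port < 1024 ? "reserved" : "unprivileged fallback");
    close(fd);
    return 0;
}
```

Run once as an ordinary user and once as root to compare the two paths; a server that sees a source port of 1024 or higher knows only that the client process was not privileged on its own host.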