Date:      Thu, 3 Aug 2000 12:00:13 +0200
From:      Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
To:        Karsten Patzwaldt <karsten@berlin.sfai.edu>
Cc:        Andre Albsmeier <andre.albsmeier@mchp.siemens.de>, freebsd-security@freebsd.org
Subject:   Re: What will I lose if ssh is no more suid root?
Message-ID:  <20000803120013.A174@curry.mchp.siemens.de>
In-Reply-To: <20000803025740.A7484@berlin.sfai.edu>; from karsten@berlin.sfai.edu on Thu, Aug 03, 2000 at 02:57:40AM -0400
References:  <20000803074228.A1682@curry.mchp.siemens.de> <20000803025740.A7484@berlin.sfai.edu>

On Thu, 03-Aug-2000 at 02:57:40 -0400, Karsten Patzwaldt wrote:
> On Thu, Aug 03, 2000 at 07:42:28AM +0200, Andre Albsmeier wrote:
> > As the subject says: What functionality will I lose when ssh
> > in 4.1-STABLE is not setuid root anymore?
> > 
> > The reason for asking is that I want to socksify ssh on the
> > fly with runsocks. I removed the setuid root mode and it seems
> > to work.
> > 
> > Since I assume that no program is suid root without reason,
> > can someone please enlighten me what I will lose now?
> 
> SSH uses ports <1024 when it opens a connection, which is only allowed
> for root. I don't have a reasonable explanation for this, although it
> could give some protection from clients that were not installed by the
> admin. But this ports <1024-protection doesn't work anyways (who has no
> UNIX computer at home? Does this protection work on Windows? Er...), so
> IMHO it should be safe to remove SUID.

When using rhosts authentication, ssh must use a reserved port. Apart
from that, no other reason for setuid'ing root is known by me until now.

	-Andre
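
The reserved-port requirement discussed in this thread, as an added example (not part of the thread and not ssh's own code): a client tries to bind a source port below 1024 the way rresvport(3) does, and falls back to an unprivileged port when the kernel refuses, which is the case where rhosts authentication is no longer available. The names `bind_source_port` and `struct src_port` are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper type: outcome of choosing a local source port. */
struct src_port { int fd; int port; int reserved; };

/* Try ports 1023..512 like rresvport(3); on refusal use an ephemeral port. */
struct src_port bind_source_port(void)
{
    struct src_port r = { -1, 0, 0 };
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if ((r.fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return r;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    for (int p = IPPORT_RESERVED - 1; p >= IPPORT_RESERVED / 2; p--) {
        sa.sin_port = htons((unsigned short)p);
        if (bind(r.fd, (struct sockaddr *)&sa, sizeof(sa)) == 0)
            goto bound;
        if (errno != EADDRINUSE)   /* typically EACCES: no privilege */
            break;
    }
    sa.sin_port = 0;               /* kernel picks an unprivileged port */
    if (bind(r.fd, (struct sockaddr *)&sa, sizeof(sa)) != 0) {
        close(r.fd);
        r.fd = -1;
        return r;
    }
bound:
    if (getsockname(r.fd, (struct sockaddr *)&sa, &len) == 0) {
        r.port = ntohs(sa.sin_port);
        r.reserved = r.port < IPPORT_RESERVED;
    }
    return r;
}

int main(void)
{
    struct src_port s = bind_source_port();
    if (s.fd < 0) { perror("bind_source_port"); return 1; }
    printf("source port %d: rhosts authentication %s\n", s.port,
           s.reserved ? "possible (reserved port)" : "unavailable");
    close(s.fd);
    return 0;
}
```

Run as an ordinary user it reports an unprivileged port; run with root privilege (as a setuid binary would have) it binds a reserved one.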
