From owner-freebsd-security Thu Aug 3 3: 0:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from goliath.siemens.de (goliath.siemens.de [194.138.37.131]) by hub.freebsd.org (Postfix) with ESMTP id 7F3E237B898 for ; Thu, 3 Aug 2000 03:00:27 -0700 (PDT) (envelope-from andre.albsmeier@mchp.siemens.de)
X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer goliath.siemens.de)
Received: from mail2.siemens.de (mail2.siemens.de [139.25.208.11]) by goliath.siemens.de (8.10.1/8.10.1) with ESMTP id e73A0Ec12842; Thu, 3 Aug 2000 12:00:22 +0200 (MET DST)
Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.42.7]) by mail2.siemens.de (8.10.1/8.10.1) with ESMTP id e73A0Dl23832; Thu, 3 Aug 2000 12:00:13 +0200 (MET DST)
Received: (from localhost) by curry.mchp.siemens.de (8.10.2/8.10.2) id e73A0Da47685;
Date: Thu, 3 Aug 2000 12:00:13 +0200
From: Andre Albsmeier
To: Karsten Patzwaldt
Cc: Andre Albsmeier , freebsd-security@freebsd.org
Subject: Re: What will I lose if ssh is no more suid root?
Message-ID: <20000803120013.A174@curry.mchp.siemens.de>
References: <20000803074228.A1682@curry.mchp.siemens.de> <20000803025740.A7484@berlin.sfai.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20000803025740.A7484@berlin.sfai.edu>; from karsten@berlin.sfai.edu on Thu, Aug 03, 2000 at 02:57:40AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 03-Aug-2000 at 02:57:40 -0400, Karsten Patzwaldt wrote:
> On Thu, Aug 03, 2000 at 07:42:28AM +0200, Andre Albsmeier wrote:
> > As the subject says: What functionality will I lose when ssh
> > in 4.1-STABLE is not setuid root anymore?
> >
> > The reason for asking is that I want to socksify ssh on the
> > fly with runsocks. I removed the setuid root mode and it seems
> > to work.
> >
> > Since I assume that no program is suid root without reason,
> > can someone please enlighten me what I will lose now?
>
> SSH uses ports <1024 when it opens a connection, which is only allowed
> for root. I don't have a reasonable explanation for this, although it
> could give some protection from clients that were not installed by the
> admin. But this ports <1024-protection doesn't work anyways (who has no
> UNIX computer at home? Does this protection work on Windows? Er...), so
> IMHO it should be safe to remove SUID.

When using rhosts authentication, ssh must use a reserved port. Apart
from that, no other reason for setuid'ing root is known by me until now.

-Andre
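As an added example, not part of the thread, the following POSIX sh script does the audit an administrator would want before dropping the setuid bit as discussed above: it reports whether a given ssh client binary is setuid and who owns it, and whether the client configuration still enables rhosts-style authentication, the one feature the reply names as needing a reserved (<1024) source port and therefore root. The configuration keywords matched (RhostsAuthentication, RhostsRSAAuthentication, UsePrivilegedPort) are those of OpenSSH clients of that era and are an assumption here; later releases removed them, so adjust the pattern for your version. The default paths are assumptions as well.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ssh client binary and its
# config to decide whether the setuid root bit is still doing anything.

# Print "setuid" or "no-setuid" for a file, using the POSIX test -u.
setuid_state() {
    if [ -u "$1" ]; then echo setuid; else echo no-setuid; fi
}

# Owner of a file, read from ls -l so it works on FreeBSD and Linux alike.
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Print "yes" if the ssh_config enables any rhosts-style method that needs
# a privileged source port. Keyword names are an assumption (OpenSSH of
# the 2000 era); newer releases no longer know them.
rhosts_auth_enabled() {
    if grep -Ei '^[[:space:]]*(RhostsAuthentication|RhostsRSAAuthentication|UsePrivilegedPort)[[:space:]]+yes' "$1" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# Combined report with the practical conclusion for each combination.
audit_ssh() {
    bin=$1; cfg=$2
    state=$(setuid_state "$bin")
    owner=$(file_owner "$bin")
    rhosts=$(rhosts_auth_enabled "$cfg")
    echo "$bin: $state (owner: ${owner:-unknown}); rhosts-style auth in $cfg: $rhosts"
    if [ "$state" = setuid ] && [ "$rhosts" = no ]; then
        echo "setuid bit present but no rhosts-style auth configured: the bit is likely not needed"
    elif [ "$state" = no-setuid ] && [ "$rhosts" = yes ]; then
        echo "rhosts-style auth configured but binary is not setuid: it cannot bind a reserved port, so that method will fail"
    fi
}

# Run only when invoked with arguments, e.g.:
#   sh audit_ssh.sh /usr/bin/ssh /etc/ssh/ssh_config   (paths are assumptions)
if [ $# -ge 1 ]; then
    audit_ssh "$1" "${2:-/etc/ssh/ssh_config}"
fi
```

The script deliberately reports the owner separately from the setuid state: a setuid bit on a binary not owned by root grants nothing useful for reserved ports, while a setuid root binary with no rhosts-style method configured is pure attack surface with no benefit, which is the case the thread is about.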