From owner-freebsd-arch  Sat Sep  2 15:26: 2 2000
Delivered-To: freebsd-arch@freebsd.org
Received: from netplex.com.au (adsl-63-207-30-186.dsl.snfc21.pacbell.net [63.207.30.186])
	by hub.freebsd.org (Postfix) with ESMTP
	id 1188137B424; Sat,  2 Sep 2000 15:25:57 -0700 (PDT)
Received: from netplex.com.au (peter@localhost [127.0.0.1])
	by netplex.com.au (8.11.0/8.9.3) with ESMTP id e82MMSG33103;
	Sat, 2 Sep 2000 15:22:28 -0700 (PDT)
	(envelope-from peter@netplex.com.au)
Message-Id: <200009022222.e82MMSG33103@netplex.com.au>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Brian Somers <brian@Awfulhak.org>
Cc: "Jacques A. Vidrine" <n@nectar.com>,
	Neil Blakey-Milner <nbm@mithrandr.moria.org>,
	Poul-Henning Kamp <phk@critter.freebsd.dk>,
	Dan Nelson <dnelson@emsphone.com>, sthaug@nethelp.no,
	ume@FreeBSD.ORG, arch@FreeBSD.ORG, freebsd-arch@FreeBSD.ORG
Subject: Re: setuid ssh should die 
In-Reply-To: <200009022121.e82LLV771512@hak.lan.Awfulhak.org> 
Date: Sat, 02 Sep 2000 15:22:28 -0700
From: Peter Wemm <peter@netplex.com.au>
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Brian Somers wrote:
> > On Sat, Sep 02, 2000 at 10:32:44PM +0200, Neil Blakey-Milner wrote:
> > > On Sat 2000-09-02 (22:24), Poul-Henning Kamp wrote:
> > > > Uhm, how about a ssh_config variable where you tell it to drop
> > > > the setuid bit right away, wouldn't that work ?
> > > 
> > > I'd prefer to leave it off.  It means one less file to assure myself is
> > > safe, if I were thinking with my paranoid security hat on.
> > 
> > In addition to Neil's points, setuid executables ignore LD_LIBRARY_PATH
> > and such, breaking SOCKS.  ssh is the type of application one would
> > expect to use with SOCKS, so I'd prefer not having the gratuitous setuid
> > bit set.
> 
> What do people reckon then (-arch cc'd) ?  I'll add
> 
> #ENABLE_SUIDSSH=	true
> 
> to etc/defaults/make.conf then mention it in ssh_config and make the 
> adjustment to the ssh build so that it defaults to *not* being suid.

Actually.. here's a thought..  we presently install ssh and hard link it
to slogin.  Perhaps we could install it twice instead (its 148K or so)
and leave setuid *off* ssh and *on* for slogin.

And make a make.conf hook about whether or not to install slogin.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message