Re: client testsuite with sshd privilege separation
- Subject: Re: client testsuite with sshd privilege separation
- From: Jakub Jelen <jjelen@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Tue, 21 Nov 2017 15:10:47 +0100
- To: libssh@xxxxxxxxxx
On Mon, 2017-11-20 at 23:11 +0100, Andreas Schneider wrote:
> On Monday, 20 November 2017 18:03:59 CET Jakub Jelen wrote:
> > Hello all,
> > I am trying to run the libssh client testsuite with latest OpenSSH,
> > which does not support running without privilege separation. According
> > to OpenSSH upstream, it should not be a problem to run it as an
> > unprivileged user, but whatever I do, I am still getting the following
> > error:
> >
> > Bind to port 22 on 127.0.0.10 failed: Permission denied.
> >
> > I ruled out SELinux already, I tried to add socket_wrapper debug
> > environment variable, but still it does not generate any output. strace
> > is not showing anything suspicious. I am out of ideas what else could
> > prevent server starting. On what else is cwrap/socket_wrapper depending
> > that could be stripped by the OpenSSH server? Note that this is
> > happening basically before the privilege separation is being effective.
>
> I think it clears the env, so LD_PRELOAD is not set and socket_wrapper not
> loaded.

Nope. OpenSSH does not touch the environment. Once I was debugging the issue, I noticed that LD_PRELOAD is set up from Makefiles, but some other environment variables from the code, and therefore when I was running the single test manually, it did not get used at all.

The real problem here is the uid_wrapper: As it is set up now, it is faking the root UID, therefore SSHD believes it has permission to do the chroot, but fails to do that, which is in this late stage a fatal error.

Not sure what all the UID wrapper is needed here for, but my proposal would be to remove it or implement some kind of chroot wrapper to make sshd happy. I will have a look into the options, since I believe testing against current OpenSSH is something useful.

Any ideas or opinions on this?

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.