* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
@ 2018-12-17 22:25 Chris Lesiak
  2018-12-17 23:07 ` Arnout Vandecappelle
  2019-02-03 20:53 ` Arnout Vandecappelle
  0 siblings, 2 replies; 6+ messages in thread
From: Chris Lesiak @ 2018-12-17 22:25 UTC (permalink / raw)
  To: buildroot

The openssh privilege separation feature, enabled by default,
requires that the path /var/empty exist and have certain permission.
See README.privsep included as part of the openssh distribution.

Use OPENSSH_PERMISSIONS to ensure this is done correctly.

Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
---
 package/openssh/openssh.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 07f3e0d663..9175f9589d 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -22,6 +22,10 @@ define OPENSSH_USERS
 	sshd -1 sshd -1 * - - - SSH drop priv user
 endef
 
+define OPENSSH_PERMISSIONS
+	/var/empty d 755 root root - - - - -
+endef
+
 ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
 OPENSSH_CONF_OPTS += --without-pie
 endif
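Review bot: the `/var/empty d 755 root root - - - - -` entry in OPENSSH_PERMISSIONS has no comment saying why this owner and mode are required, so a later cleanup could loosen or drop it without noticing; a one-line comment above the define pointing at README.privsep (which the commit message already cites) would fix that. The path is also hard-coded here, so the entry would need to follow if OPENSSH_CONF_OPTS ever changes the privsep path; worth saying so next to the entry.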
-- 
2.17.2


* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2018-12-17 22:25 [Buildroot] [PATCH] package/openssh: Set /var/empty permissions Chris Lesiak
@ 2018-12-17 23:07 ` Arnout Vandecappelle
  2018-12-17 23:37   ` Chris Lesiak
  2019-02-03 20:53 ` Arnout Vandecappelle
  1 sibling, 1 reply; 6+ messages in thread
From: Arnout Vandecappelle @ 2018-12-17 23:07 UTC (permalink / raw)
  To: buildroot



On 17/12/2018 23:25, Chris Lesiak wrote:
> The openssh privilege separation feature, enabled by default,
> requires that the path /var/empty exist and have certain permission.
> See README.privsep included as part of the openssh distribution.

 It's not clear to me from reading this file if /var/empty should actually be
writable or not. If it does have to be writable, then this won't work in the
readonly rootfs case.

 Also, README.privsep says that the sshd user should have /var/empty as its home
directory, so perhaps we should set that as well?

 Regards,
 Arnout

> 
> Use OPENSSH_PERMISSIONS to ensure this is done correctly.
> 
> Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
> ---
>  package/openssh/openssh.mk | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 07f3e0d663..9175f9589d 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -22,6 +22,10 @@ define OPENSSH_USERS
>  	sshd -1 sshd -1 * - - - SSH drop priv user
>  endef
>  
> +define OPENSSH_PERMISSIONS
> +	/var/empty d 755 root root - - - - -
> +endef
> +
>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>  OPENSSH_CONF_OPTS += --without-pie
>  endif
> 


* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2018-12-17 23:07 ` Arnout Vandecappelle
@ 2018-12-17 23:37   ` Chris Lesiak
  2019-02-03 21:01     ` Arnout Vandecappelle
  0 siblings, 1 reply; 6+ messages in thread
From: Chris Lesiak @ 2018-12-17 23:37 UTC (permalink / raw)
  To: buildroot

On 12/17/18 5:07 PM, Arnout Vandecappelle wrote:

>
> On 17/12/2018 23:25, Chris Lesiak wrote:
>> The openssh privilege separation feature, enabled by default,
>> requires that the path /var/empty exist and have certain permission.
>> See README.privsep included as part of the openssh distribution.
>   It's not clear to me from reading this file if /var/empty should actually be
> writable or not. If it does have to be writable, then this won't work in the
> readonly rootfs case.


It should not be writable, even by sshd. The name "empty" is a clue 
that it is and forever shall remain empty.


>
>   Also, README.privsep says that the sshd user should have /var/empty as its home
> directory, so perhaps we should set that as well?


I can certainly submit a new version that adds the following change:

 ?define OPENSSH_USERS
-?????? sshd -1 sshd -1 * - - - SSH drop priv user
+?????? sshd -1 sshd -1 * /var/empty /bin/false - SSH drop priv user
 ?endef
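Review bot: the `+` line in OPENSSH_USERS changes two fields at once, the home directory (`-` to `/var/empty`) and the shell (`-` to `/bin/false`), while the review request quoted above only asked about the home directory. Either keep the shell field as `-` or state in the commit message why `/bin/false` is needed, so the two changes can be judged separately.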


Is everyone happy with using /var/empty as the home directory? It isn't 
obvious that /var/empty should belong to sshd. In fact it doesn't and 
could be shared with other services wanting to use it for the same 
purpose. /var/empty is traditional, but can be changed using 
--with-privsep-path=xxx. Using /var/run/sshd might be more "modern" but 
I don't know if any other distributions are using it. Oddly, Fedora 
uses /var/empty/sshd -- /var/empty isn't empty at all.


Sincerely,

Chris


>
>   Regards,
>   Arnout
>
>> Use OPENSSH_PERMISSIONS to ensure this is done correctly.
>>
>> Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
>> ---
>>   package/openssh/openssh.mk | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> index 07f3e0d663..9175f9589d 100644
>> --- a/package/openssh/openssh.mk
>> +++ b/package/openssh/openssh.mk
>> @@ -22,6 +22,10 @@ define OPENSSH_USERS
>>   	sshd -1 sshd -1 * - - - SSH drop priv user
>>   endef
>>   
>> +define OPENSSH_PERMISSIONS
>> +	/var/empty d 755 root root - - - - -
>> +endef
>> +
>>   ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>>   OPENSSH_CONF_OPTS += --without-pie
>>   endif
>>
-- 
Chris Lesiak
Principal Design Engineer, Software
LI-COR Biosciences
4647 Superior Street
Lincoln, NE 68504 USA
chris.lesiak at licor.com


* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2018-12-17 22:25 [Buildroot] [PATCH] package/openssh: Set /var/empty permissions Chris Lesiak
  2018-12-17 23:07 ` Arnout Vandecappelle
@ 2019-02-03 20:53 ` Arnout Vandecappelle
  2019-02-18 15:52   ` Peter Korsgaard
  1 sibling, 1 reply; 6+ messages in thread
From: Arnout Vandecappelle @ 2019-02-03 20:53 UTC (permalink / raw)
  To: buildroot



On 17/12/2018 23:25, Chris Lesiak wrote:
> The openssh privilege separation feature, enabled by default,
> requires that the path /var/empty exist and have certain permission.
> See README.privsep included as part of the openssh distribution.
> 
> Use OPENSSH_PERMISSIONS to ensure this is done correctly.

 I've added some of the discussion to the commit message and applied to master,
thanks.


 Regards,
 Arnout

> 
> Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
> ---
>  package/openssh/openssh.mk | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 07f3e0d663..9175f9589d 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -22,6 +22,10 @@ define OPENSSH_USERS
>  	sshd -1 sshd -1 * - - - SSH drop priv user
>  endef
>  
> +define OPENSSH_PERMISSIONS
> +	/var/empty d 755 root root - - - - -
> +endef
> +
>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>  OPENSSH_CONF_OPTS += --without-pie
>  endif
> 


* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2018-12-17 23:37   ` Chris Lesiak
@ 2019-02-03 21:01     ` Arnout Vandecappelle
  0 siblings, 0 replies; 6+ messages in thread
From: Arnout Vandecappelle @ 2019-02-03 21:01 UTC (permalink / raw)
  To: buildroot



On 18/12/2018 00:37, Chris Lesiak wrote:
> I can certainly submit a new version that adds the following change:
> 
>  ?define OPENSSH_USERS
> -?????? sshd -1 sshd -1 * - - - SSH drop priv user
> +?????? sshd -1 sshd -1 * /var/empty /bin/false - SSH drop priv user
>  ?endef
> 
> 
> Is everyone happy with using /var/empty as the home directory? It isn't 
> obvious that /var/empty should belong to sshd.

 It doesn't belong to sshd. There are plenty of system users that have home
directories like / or /sbin.

 Note that there is no need to set the shell. - does not exist, so logging in as
that user doesn't work, which is what we want. I even think login treats it special.

 But changing the home directory of sshd would probably be good.

 Regards,
 Arnout


* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2019-02-03 20:53 ` Arnout Vandecappelle
@ 2019-02-18 15:52   ` Peter Korsgaard
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2019-02-18 15:52 UTC (permalink / raw)
  To: buildroot

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

 > On 17/12/2018 23:25, Chris Lesiak wrote:
 >> The openssh privilege separation feature, enabled by default,
 >> requires that the path /var/empty exist and have certain permission.
 >> See README.privsep included as part of the openssh distribution.
 >> 
 >> Use OPENSSH_PERMISSIONS to ensure this is done correctly.

 >  I've added some of the discussion to the commit message and applied to master,
 > thanks.

Committed to 2018.02.x and 2018.11.x, thanks.

-- 
Bye, Peter Korsgaard
