[Buildroot] [PATCH] package/openssh: Set /var/empty permissions

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
@ 2018-12-17 22:25 Chris Lesiak
  2018-12-17 23:07 ` Arnout Vandecappelle
  2019-02-03 20:53 ` Arnout Vandecappelle
  0 siblings, 2 replies; 6+ messages in thread
From: Chris Lesiak @ 2018-12-17 22:25 UTC (permalink / raw)
  To: buildroot

The openssh privilege separation feature, enabled by default,
requires that the path /var/empty exist and have certain permission.
See README.privsep included as part of the openssh distribution.

Use OPENSSH_PERMISSIONS to ensure this is done correctly.

Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
---
 package/openssh/openssh.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 07f3e0d663..9175f9589d 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -22,6 +22,10 @@ define OPENSSH_USERS
 	sshd -1 sshd -1 * - - - SSH drop priv user
 endef
 
+define OPENSSH_PERMISSIONS
+	/var/empty d 755 root root - - - - -
+endef
+
 ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
 OPENSSH_CONF_OPTS += --without-pie
 endif
-- 
2.17.2

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2018-12-17 22:25 [Buildroot] [PATCH] package/openssh: Set /var/empty permissions Chris Lesiak
@ 2018-12-17 23:07 ` Arnout Vandecappelle
  2018-12-17 23:37   ` Chris Lesiak
  2019-02-03 20:53 ` Arnout Vandecappelle
  1 sibling, 1 reply; 6+ messages in thread
From: Arnout Vandecappelle @ 2018-12-17 23:07 UTC (permalink / raw)
  To: buildroot



On 17/12/2018 23:25, Chris Lesiak wrote:
> The openssh privilege separation feature, enabled by default,
> requires that the path /var/empty exist and have certain permission.
> See README.privsep included as part of the openssh distribution.

 It's not clear to me from reading this file if /var/empty should actually be
writable or not. If it does have to be writable, then this won't work in the
readonly rootfs case.

 Also, README.privsep says that the sshd user should have /var/empty as its home
directory, so perhaps we should set that as well?

 Regards,
 Arnout

> 
> Use OPENSSH_PERMISSIONS to ensure this is done correctly.
> 
> Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
> ---
>  package/openssh/openssh.mk | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 07f3e0d663..9175f9589d 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -22,6 +22,10 @@ define OPENSSH_USERS
>  	sshd -1 sshd -1 * - - - SSH drop priv user
>  endef
>  
> +define OPENSSH_PERMISSIONS
> +	/var/empty d 755 root root - - - - -
> +endef
> +
>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>  OPENSSH_CONF_OPTS += --without-pie
>  endif
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2018-12-17 23:07 ` Arnout Vandecappelle
@ 2018-12-17 23:37   ` Chris Lesiak
  2019-02-03 21:01     ` Arnout Vandecappelle
  0 siblings, 1 reply; 6+ messages in thread
From: Chris Lesiak @ 2018-12-17 23:37 UTC (permalink / raw)
  To: buildroot

On 12/17/18 5:07 PM, Arnout Vandecappelle wrote:

>
> On 17/12/2018 23:25, Chris Lesiak wrote:
>> The openssh privilege separation feature, enabled by default,
>> requires that the path /var/empty exist and have certain permission.
>> See README.privsep included as part of the openssh distribution.
>   It's not clear to me from reading this file if /var/empty should actually be
> writable or not. If it does have to be writable, then this won't work in the
> readonly rootfs case.


It should not be writable, even by? sshd.? The name "empty" is a clue 
that it is and forever shall remain empty.


>
>   Also, README.privsep says that the sshd user should have /var/empty as its home
> directory, so perhaps we should set that as well?


I can certainly submit a new version that adds the following change:

 ?define OPENSSH_USERS
-?????? sshd -1 sshd -1 * - - - SSH drop priv user
+?????? sshd -1 sshd -1 * /var/empty /bin/false - SSH drop priv user
 ?endef


Is everyone happy with using /var/empty as the home directory? It isn't 
obvious that /var/empty should belong to sshd.? In fact it doesn't and 
could be shared with other services wanting to use if for the same 
purpose.? /var/empty is traditional, but can be changed using 
--with-privsep-path=xxx.? Using /var/run/sshd might be more "modern" but 
I don't know if any other distributions are using it.? Oddly, Fedora 
uses /var/empty/sshd -- /var/empty isn't empty at all.


Sincerely,

Chris


>
>   Regards,
>   Arnout
>
>> Use OPENSSH_PERMISSIONS to ensure this is done correctly.
>>
>> Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
>> ---
>>   package/openssh/openssh.mk | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> index 07f3e0d663..9175f9589d 100644
>> --- a/package/openssh/openssh.mk
>> +++ b/package/openssh/openssh.mk
>> @@ -22,6 +22,10 @@ define OPENSSH_USERS
>>   	sshd -1 sshd -1 * - - - SSH drop priv user
>>   endef
>>   
>> +define OPENSSH_PERMISSIONS
>> +	/var/empty d 755 root root - - - - -
>> +endef
>> +
>>   ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>>   OPENSSH_CONF_OPTS += --without-pie
>>   endif
>>
-- 
Chris Lesiak
Principal Design Engineer, Software
LI-COR Biosciences
4647 Superior Street
Lincoln, NE 68504 USA
chris.lesiak at licor.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2018-12-17 23:37   ` Chris Lesiak
@ 2019-02-03 21:01     ` Arnout Vandecappelle
  0 siblings, 0 replies; 6+ messages in thread
From: Arnout Vandecappelle @ 2019-02-03 21:01 UTC (permalink / raw)
  To: buildroot

On 18/12/2018 00:37, Chris Lesiak wrote:
> I can certainly submit a new version that adds the following change:
> 
>  ?define OPENSSH_USERS
> -?????? sshd -1 sshd -1 * - - - SSH drop priv user
> +?????? sshd -1 sshd -1 * /var/empty /bin/false - SSH drop priv user
>  ?endef
> 
> 
> Is everyone happy with using /var/empty as the home directory? It isn't 
> obvious that /var/empty should belong to sshd.

 It doesn't belong to sshd. There are plenty of system users that have home
directories like / or /sbin.

 Note that there is no need to set the shell. - does not exist, so logging in as
that user doesn't work, which is what we want. I even think login treats it special.

 But changing the home directory of sshd would probably be good.

 Regards,
 Arnout

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2018-12-17 22:25 [Buildroot] [PATCH] package/openssh: Set /var/empty permissions Chris Lesiak
  2018-12-17 23:07 ` Arnout Vandecappelle
@ 2019-02-03 20:53 ` Arnout Vandecappelle
  2019-02-18 15:52   ` Peter Korsgaard
  1 sibling, 1 reply; 6+ messages in thread
From: Arnout Vandecappelle @ 2019-02-03 20:53 UTC (permalink / raw)
  To: buildroot



On 17/12/2018 23:25, Chris Lesiak wrote:
> The openssh privilege separation feature, enabled by default,
> requires that the path /var/empty exist and have certain permission.
> See README.privsep included as part of the openssh distribution.
> 
> Use OPENSSH_PERMISSIONS to ensure this is done correctly.

 I've added some of the discussion to the commit message and applied to master,
thanks.


 Regards,
 Arnout

> 
> Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
> ---
>  package/openssh/openssh.mk | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 07f3e0d663..9175f9589d 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -22,6 +22,10 @@ define OPENSSH_USERS
>  	sshd -1 sshd -1 * - - - SSH drop priv user
>  endef
>  
> +define OPENSSH_PERMISSIONS
> +	/var/empty d 755 root root - - - - -
> +endef
> +
>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>  OPENSSH_CONF_OPTS += --without-pie
>  endif
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH] package/openssh: Set /var/empty permissions
  2019-02-03 20:53 ` Arnout Vandecappelle
@ 2019-02-18 15:52   ` Peter Korsgaard
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2019-02-18 15:52 UTC (permalink / raw)
  To: buildroot

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

 > On 17/12/2018 23:25, Chris Lesiak wrote:
 >> The openssh privilege separation feature, enabled by default,
 >> requires that the path /var/empty exist and have certain permission.
 >> See README.privsep included as part of the openssh distribution.
 >> 
 >> Use OPENSSH_PERMISSIONS to ensure this is done correctly.

 >  I've added some of the discussion to the commit message and applied to master,
 > thanks.

Committed to 2018.02.x and 2018.11.x, thanks.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2019-02-18 15:52 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-12-17 22:25 [Buildroot] [PATCH] package/openssh: Set /var/empty permissions Chris Lesiak
2018-12-17 23:07 ` Arnout Vandecappelle
2018-12-17 23:37   ` Chris Lesiak
2019-02-03 21:01     ` Arnout Vandecappelle
2019-02-03 20:53 ` Arnout Vandecappelle
2019-02-18 15:52   ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.