List: openssh-unix-dev
Subject: Re: Support Capabilities for ssh client port forwarding
From: Damien Miller <djm () mindrot ! org>
Date: 2016-10-16 23:40:44
Message-ID: alpine.BSO.2.20.1610171040120.50 () natsu ! mindrot ! org
Hi,
Could you please file a bug at https://bugzilla.mindrot.org and attach
this? That will make sure it doesn't get lost.
-d
On Mon, 10 Oct 2016, Alexey wrote:
> Hello.
>
> I think openssh-client should allow use of port forwarding not only for the root
> user.
> CAP_NET_BIND_SERVICE is enough to use privileged ports.
>
> I did a patch for myself, but I think that you could improve it and apply it to
> master.
>
> --- openssh-7.3p1.orig/readconf.c
> +++ openssh-7.3p1/readconf.c
> @@ -15,6 +15,7 @@
> #include "includes.h"
>
> #include <sys/types.h>
> +#include <sys/capability.h>
> #include <sys/stat.h>
> #include <sys/socket.h>
> #include <sys/wait.h>
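Review bot: the new `#include <sys/capability.h>` is unconditional, while the `-lcap` link flag in the configure.ac hunk is added in only one platform's branch, so a portable build on a system without libcap fails at this line. Guard the include (and the cap_* code in add_local_forward) with a macro set by an autoconf header check, e.g. `#ifdef HAVE_SYS_CAPABILITY_H`.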
> @@ -327,7 +328,16 @@ add_local_forward(Options *options, cons
> extern uid_t original_real_uid;
> int i;
>
> + cap_flag_value_t cap_flag_value_e, cap_flag_value_p;
> + cap_t caps;
> +
> + caps = cap_get_proc();
> + cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE,
> &cap_flag_value_e);
> + cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED,
> &cap_flag_value_p);
> +
> if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
> + (cap_flag_value_e != CAP_SET || cap_flag_value_p !=
> CAP_SET) &&
> newfwd->listen_path == NULL)
> fatal("Privileged ports can only be forwarded by root.");
> /* Don't add duplicates */
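Review bot: neither the `cap_get_proc()` result (NULL on failure) nor the `cap_get_flag()` return value (-1 on error) is checked, so on any failure `cap_flag_value_e` and `cap_flag_value_p` are compared while uninitialised and the `fatal()` for non-root callers may be skipped by chance; initialise both to CAP_CLEAR and treat any failure as "capability not held". The `cap_t` is also never released with `cap_free()`, leaking one allocation per forward, and the lookup runs even when `listen_port` is not privileged; move it inside the `listen_port < IPPORT_RESERVED && original_real_uid != 0` branch. Testing CAP_PERMITTED alongside CAP_EFFECTIVE is redundant, since a capability can only be effective if it is also permitted and bind() consults the effective set, and the message "Privileged ports can only be forwarded by root." should mention the capability now that root is no longer the only way.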
> --- openssh-7.3p1.orig/configure.ac
> +++ openssh-7.3p1/configure.ac
> @@ -775,6 +775,9 @@ main() { if (NSVersionOfRunTimeLibrary("
> use_pie=auto
> check_for_libcrypt_later=1
> check_for_openpty_ctty_bug=1
> + # libcap
> + # use capabilities
> + LIBS="$LIBS -lcap"
> AC_DEFINE([PAM_TTY_KLUDGE], [1],
> [Work around problematic Linux PAM modules handling of
> PAM_TTY])
> AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
>
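Review bot: `LIBS="$LIBS -lcap"` is appended without any `AC_CHECK_LIB` or `AC_CHECK_HEADERS` test, so configure succeeds on a host lacking libcap-dev and the build only fails at link time; use `AC_CHECK_LIB([cap], [cap_get_proc], ...)` together with `AC_CHECK_HEADERS([sys/capability.h])` and `AC_DEFINE` a symbol the readconf.c code can test. The two comment lines `# libcap` and `# use capabilities` say the same thing; one is enough. Since this sits inside one platform's case block, the feature should be documented as platform-specific rather than implied by the unconditional include in readconf.c.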
>
> And specify one more build dependency: libcap-dev.
>
> Regards,
> Alexey Mochkin.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev