brent timothy saner via plug on 16 Jun 2020 19:40:41 -0700


Re: [PLUG] sshd as regular user

On 6/16/20 19:56, Charlie Li via plug wrote:
>> Is there a way to go around this?
> No.
> From the setgroups(2) man page (from FreeBSD, probably similar on Linux):
>>      The setgroups() system call sets the group access list of the current
>>      user process according to the array gidset.  The ngroups argument
>>      indicates the number of entries in the array and must be no more than
>>      {NGROUPS_MAX}+1.
>>      Only the super-user may set a new group list.

At first I thought that perhaps this might be possible with kernel
capabilities, but no-

I downloaded a tarball of the latest stable release of portable OpenSSH,
8.3p1[0] and found that there are 7 hardcoded checks (just checked with
grep, didn't check the context of them) for EUID of 0:

uidswap.c:77:	if (geteuid() != 0) {
openbsd-compat/port-aix.c:252:	if (pw->pw_uid == 0 || geteuid() != 0) {
openbsd-compat/port-aix.c:319:	if (geteuid() != 0)
logintest.c:128:	if ((int)geteuid() != 0) {
loginrec.c:442:	if (geteuid() != 0) {
loginrec.c:1670:	if (geteuid() != 0)
audit-linux.c:64:	if ((rc == -EPERM) && (geteuid() != 0))

Which means unless it's running as root or via sudo, those conditionals
are going to evaluate to true (in this case, presumably, a true
condition means "no worky").

So nope. Can't run as a regular user.

Dropbear[1] might let you but it's... not pleasant if you expect OpenSSH
features to be present (and I think they still don't support ed25519 keys).


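A small added demonstration (not OpenSSH's code and not part of the thread) of the two gates the post describes: the hardcoded `geteuid() != 0` check, and the kernel refusing setgroups(2) for an unprivileged caller even when the group list is unchanged. The function names are hypothetical; run it once as a regular user and once as root to compare.

```c
/* Added example, not OpenSSH code: mimic the checks the post describes. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The gate OpenSSH hardcodes in several places (e.g. uidswap.c:77):
 * a non-zero effective UID means the privileged code path is refused. */
int euid_gate_passes(void)
{
    return geteuid() == 0;
}

/* Re-apply the process's *current* supplementary group list via setgroups(2).
 * Semantically a no-op, yet the kernel still demands privilege for it
 * (super-user per the quoted man page; CAP_SETGID on Linux, which root holds
 * by default). Returns 0 on success, otherwise the errno value, which is
 * EPERM for an unprivileged caller. */
int reapply_current_groups(void)
{
    int n = getgroups(0, NULL);          /* ask for the list length only */
    if (n < 0)
        return errno;
    gid_t *groups = calloc(n > 0 ? (size_t)n : 1, sizeof *groups);
    if (groups == NULL)
        return errno;
    if (getgroups(n, groups) < 0) {
        int e = errno;
        free(groups);
        return e;
    }
    int rc = setgroups((size_t)n, groups) == 0 ? 0 : errno;
    free(groups);
    return rc;
}

int main(void)
{
    printf("euid=%u -> OpenSSH-style euid gate %s\n", (unsigned)geteuid(),
           euid_gate_passes() ? "passes" : "fails (sshd would refuse)");
    int rc = reapply_current_groups();
    if (rc == 0)
        puts("setgroups(): ok (process is privileged)");
    else
        printf("setgroups(): %s (errno %d)\n", strerror(rc), rc);
    return 0;
}
```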
