brent timothy saner via plug on 16 Jun 2020 19:40:41 -0700



Re: [PLUG] sshd as regular user


On 6/16/20 19:56, Charlie Li via plug wrote:
>> Is there a way to go around this?
>>
> No.
> 
> From the setgroups(2) man page (from FreeBSD, probably similar on Linux):
>>      The setgroups() system call sets the group access list of the current
>>      user process according to the array gidset.  The ngroups argument
>>      indicates the number of entries in the array and must be no more than
>>      {NGROUPS_MAX}+1.
>>
>>      Only the super-user may set a new group list.
> 


At first I thought that perhaps this might be possible with kernel
capabilities, but no.

I downloaded a tarball of the latest stable release of portable OpenSSH,
8.3p1[0] and found that there are 7 hardcoded checks (just checked with
grep, didn't check the context of them) for EUID of 0:

uidswap.c:77:	if (geteuid() != 0) {
openbsd-compat/port-aix.c:252:	if (pw->pw_uid == 0 || geteuid() != 0) {
openbsd-compat/port-aix.c:319:	if (geteuid() != 0)
logintest.c:128:	if ((int)geteuid() != 0) {
loginrec.c:442:	if (geteuid() != 0) {
loginrec.c:1670:	if (geteuid() != 0)
audit-linux.c:64:	if ((rc == -EPERM) && (geteuid() != 0))


Which means unless it's running as root or via sudo, those conditionals
are going to evaluate to true (in this case, presumably, a true
condition means "no worky").

So nope. Can't run as a regular user.

Dropbear[1] might let you but it's... not pleasant if you expect OpenSSH
features to be present (and I think they still don't support ed25519 keys).




[0]
https://openbsd.mirror.constant.com/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
[1] https://matt.ucc.asn.au/dropbear/dropbear.html

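Added example (my own, not code from the thread or from OpenSSH): a small C program that probes the two things the message turns on, the `geteuid() != 0` guard seen in the grep output and the root-only `setgroups(2)` call quoted from the man page, and shows the group-then-gid-then-uid order a daemon has to follow when it switches to a login user. Run it once as a regular user and once as root to see the difference; the `running_as_root`, `probe_setgroups` and `drop_to_user` names are mine.

```c
/* Added example, not from the thread or from OpenSSH: probes whether the
 * calling process is allowed to do what sshd must do for every login,
 * rewrite the supplementary group list and switch user.  Feature macro
 * first so <grp.h> declares setgroups() on glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirrors the "if (geteuid() != 0)" guard the grep output shows in
 * uidswap.c: a privileged operation is only attempted with euid 0. */
int running_as_root(void) {
    return geteuid() == 0;
}

/* Try the call the quoted setgroups(2) text says needs the super-user.
 * Setting the list to just our own effective gid changes nothing useful,
 * so it is a safe probe.  Returns 0 on success or the errno, which is
 * EPERM for an unprivileged process (unless it holds CAP_SETGID). */
int probe_setgroups(void) {
    gid_t self = getegid();
    if (setgroups(1, &self) == -1)
        return errno;
    return 0;
}

/* The order a daemon has to use when it drops to a login user: groups
 * first (root only), then gid, then uid (after which root is gone for
 * good).  Returns 0 on success, otherwise the errno of the first failing
 * step; for a regular user that is EPERM from setgroups() right away. */
int drop_to_user(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) == -1) return errno;
    if (setgid(gid) == -1)        return errno;
    if (setuid(uid) == -1)        return errno;
    return 0;
}

int main(void) {
    int err = probe_setgroups();
    printf("euid=%d root=%s setgroups=%s\n", (int)geteuid(),
           running_as_root() ? "yes" : "no",
           err ? strerror(err) : "ok");
    return 0;
}
```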

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug