OpenSSH 3.4 and privilege separation question

From: Christopher L. Barnard (cbar44@tsg.cbot.com)
Date: Thu Jun 27 2002 - 10:23:45 EDT


I am sending this to the sunmanagers mailing list in case anyone on the
sunmanagers list has come across this yet. I am also sending this to
the OpenSSH users list, but as I am not subscribed to it and have no
newsfeed, I would greatly appreciate responses from
secureshell@securityfocus.com to be sent directly to me. Thanks.

As a result of yesterday's CERT announcement, I have downloaded,
compiled, and installed OpenSSH version 3.4p1 on my Ultra 10 (running
Solaris 8) testbed. However, to get it running I had to add two things
which make a lot of sense, but I have not seen any documentation on what
permissions are needed.

Initially, the new sshd did not start up because I hadn't created the
sshd Privilege Separation user. So I did. However, I have not been
able to find any indication of how that account is to be configured. I
created it with * for a password and /bin/false for a shell, but is
there anything else that needs to be done?

Next, the new sshd did not start up because I had not created the
/var/empty chroot jail directory. So I did. However, I was again
unable to find any documentation on the ownership, permissions, etc. on
this directory. I just created it owned by root, mode 0755. OpenSSH
3.4p1 now appears to work.

So my question is: what permissions are needed for the sshd account,
and what ownership, permissions, etc. are needed for the /var/empty
directory?

TIA, and of course I will summarize.

+-----------------------------------------------------------------------+
| Christopher L. Barnard O When I was a boy I was told that |
| cbarnard@tsg.cbot.com / \ anybody could become president. |
| (312) 347-4901 O---O Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
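
A check for the two prerequisites the post describes, as an added example that is not part of the original message or of OpenSSH. The expected values (a root-owned, empty /var/empty that is not group- or world-writable; an unprivileged sshd account with home /var/empty and a non-login shell) are assumptions taken from portable OpenSSH's README.privsep, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the sshd privilege-separation prerequisites.
# Expected values are assumptions taken from OpenSSH's README.privsep.

# check_chroot_dir DIR [OWNER_UID]: DIR must be a real directory owned by
# OWNER_UID (default 0), not group- or world-writable, and empty.
check_chroot_dir() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] && [ ! -h "$dir" ] || { echo "FAIL: $dir is not a real directory"; return 1; }
    # ls -ldn gives the mode string and numeric uid without needing stat(1).
    meta=$(ls -ldn "$dir" | awk '{print $1 ":" $3}')
    mode=${meta%%:*}
    uid=${meta##*:}
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $dir owned by uid $uid, want $want_uid"; return 1; }
    case $mode in
        d????w*|d???????w*)   # character 6 = group write, character 9 = other write
            echo "FAIL: $dir is group- or world-writable ($mode)"; return 1 ;;
    esac
    [ -z "$(ls -A "$dir")" ] || { echo "FAIL: $dir is not empty"; return 1; }
    echo "OK: $dir ($mode, uid $uid)"
}

# check_privsep_entry PASSWD_LINE: the account must be unprivileged, have
# the chroot directory as its home, and have no usable login shell.
check_privsep_entry() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    [ -n "$uid" ] || { echo "FAIL: no passwd entry"; return 1; }
    [ "$uid" != 0 ] || { echo "FAIL: privsep account has uid 0"; return 1; }
    [ "$home" = /var/empty ] || { echo "FAIL: home is $home"; return 1; }
    case $shell in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "FAIL: login shell is ${shell:-unset}"; return 1 ;;
    esac
    echo "OK: privsep account uid $uid, home $home, shell $shell"
}

# Run against the live system only when asked: sh privsep-check.sh audit
if [ "${1:-}" = audit ]; then
    check_chroot_dir /var/empty
    check_privsep_entry "$(getent passwd sshd)"
fi
```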