This question is about delaying the privilege separation in OpenSSH.
This is what I have learned from: Privilege Separated OpenSSH
The monitor process spawns an unprivileged process for network processing (key exchange and authentication), and if the user is authenticated, the monitor spawns a user-privilege process, after which a pty is allocated and the user-specific shell is spawned.
In my case, I need to spawn a shell (custom script) which first enters a particular namespace and then calls the script to spawn the shell. Since at this stage the user-privilege process is spawning the custom script, it is not able to enter the particular namespace.
What I have seen from the code is that the following lines drop the privilege (in privsep_postauth) to the user.

    /* Demote the private keys to public keys. */
    demote_sensitive_data();

    reseed_prngs();

    /* Drop privileges */
    do_setusercontext(authctxt->pw);

Can you guys guide me on whether it is safe to do so, and also how we can delay this privilege separation until the shell is spawned?
Could you add your shell script or a dummy script that produces the same issue? – Biswapriyo – 2019-02-22T17:29:26.667
Thanks @Biswapriyo for replying back. I removed "do_setusercontext" until the shell is spawned and set the usercontext after that, and am now able to enter the namespace. I just want to see what security impact there could be, since now the tty is also allocated with root privilege. – Praffulla Pandey – 2019-02-24T21:30:59.087