This is a discussion on Re: Requirement for sshd account since 4.4p1 - openssh ; Hi Darren, On Nov 7 18:51, Darren Tucker wrote: > On Fri, Oct 27, 2006 at 02:29:00PM +0200, Corinna Vinschen wrote: > > On Oct 27 21:00, Darren Tucker wrote: > > > Maybe we could only load privsep_pw if ...
On Nov 7 18:51, Darren Tucker wrote:
> On Fri, Oct 27, 2006 at 02:29:00PM +0200, Corinna Vinschen wrote:
> > On Oct 27 21:00, Darren Tucker wrote:
> > > Maybe we could only load privsep_pw if we're running privileged?
> > > set*uid is not going to work if we're not.
> > Here's the problem: Right now there's no way to figure out whether sshd
> > is running under a privileged account or not on Cygwin. The problem is
> > that being privileged is bound to testing uid 0 in OpenSSH throughout.
> > I'm asking for some years now to replace the inflexible tests for uid 0
> > by a system specific function call along the lines of a
> > bool privileged_user(uid)
> I think we have discussed that in the past and I think it's a reasonable
> idea (although I'd probably model it after POSIX capabilities to include
> things like binding to low ports since POSIX is our nominal target)
> but never had the time to pursue.
This sounds good to me (and yes, I remember some discussion in PM).
It would allow to create wrapper functions for platforms which don't
support POSIX capabilities natively while getting rid of #ifdef's in
the core code.
> We ended up going with the patch below.
> > > Always having the privsep uid available is useful in other cases too
> > > (eg PAM, bug #1215).
> > I see, but not all systems use PAM either
> That's true, but I suspect the majority do (the survey data backs me up;
> 54% have PAM headers and --with-pam is the second most common compile-time
> option (14%) after tcpwrappers (29%) not counting path setting ones :-).
Oh well, looks like not many Cygwin users participate in the ssh mailing
Cygwin Project Co-Leader
openssh-unix-dev mailing list