https://bugzilla.mindrot.org/show_bug.cgi?id=2625

Richard E. Silverman <r...@qoxp.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |r...@qoxp.net

--- Comment #7 from Richard E. Silverman <r...@qoxp.net> ---
Hello,

This should be addressed, but I disagree with the proposed solution
here. The real problem is not that ssh checks its euid -- it is that
ssh tries to guess whether the kernel will allow it to bind a low port,
but cannot in principle know what is required for that; that's the
kernel's job, and will change depending on the security facilities in
use on a particular system. It's like refusing to try to open a file if
the mode bits don't seem to allow you to: maybe an ACL would allow it.
Or deciding that you must be able to open the file, but then finding
that you can't because SELinux is enabled, and the policy blocks it.
Programs should not second-guess the kernel: ssh should just try to
bind the port, and report the result.

Pleasantly, this also gets rid of all the issues discussed here around
the usage of libcap etc.
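
The contrast drawn in the comment above, as an added example in C; it is not part of the original comment and not OpenSSH's own code. The names `guess_can_bind` and `try_bind`, the loopback address and the sample port 80 are assumptions chosen for illustration.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The kind of guess the comment argues against: infer from the effective
 * uid whether the kernel will permit the bind. Capabilities, sysctls or an
 * LSM policy can make this answer wrong in either direction. */
static int guess_can_bind(unsigned short port) {
    return port >= 1024 || geteuid() == 0;
}

/* Attempt the bind and let the kernel decide. Returns the bound socket fd
 * on success, or -1 with *err set to the errno the kernel reported. */
static int try_bind(uint32_t host_addr, unsigned short port, int *err) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { *err = errno; return -1; }
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(host_addr);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        *err = errno;   /* EACCES, EADDRINUSE, ...: report it, do not guess */
        close(fd);
        return -1;
    }
    *err = 0;
    return fd;
}

int main(void) {
    unsigned short port = 80;   /* sample low port (assumption) */
    int err, fd = try_bind(INADDR_LOOPBACK, port, &err);
    printf("euid guess:  %s\n", guess_can_bind(port) ? "allowed" : "refused");
    if (fd >= 0) {
        printf("kernel says: bound port %u\n", port);
        close(fd);
    } else {
        printf("kernel says: bind to port %u failed: %s\n", port, strerror(err));
    }
    return 0;
}
```

On a system where a capability or policy changes the outcome, the two lines printed by `main` disagree, and only the second reflects what the kernel actually allowed.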
