[Buildroot] [PATCH] package/openssh: Set /var/empty permissions

Chris Lesiak chris.lesiak at licor.com
Mon Dec 17 23:37:31 UTC 2018


On 12/17/18 5:07 PM, Arnout Vandecappelle wrote:

>
> On 17/12/2018 23:25, Chris Lesiak wrote:
>> The openssh privilege separation feature, enabled by default,
>> requires that the path /var/empty exist and have certain permissions.
>> See README.privsep included as part of the openssh distribution.
>   It's not clear to me from reading this file if /var/empty should actually be
> writable or not. If it does have to be writable, then this won't work in the
> readonly rootfs case.


It should not be writable, even by sshd.  The name "empty" is a clue 
that it is and forever shall remain empty.


>
>   Also, README.privsep says that the sshd user should have /var/empty as its home
> directory, so perhaps we should set that as well?


I can certainly submit a new version that adds the following change:

  define OPENSSH_USERS
-       sshd -1 sshd -1 * - - - SSH drop priv user
+       sshd -1 sshd -1 * /var/empty /bin/false - SSH drop priv user
  endef
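
Review bot: On the changed sshd line, the home field becomes /var/empty, a directory this thread says must not be writable even by sshd and which the original patch sets to 755 root root through OPENSSH_PERMISSIONS. Please confirm that declaring it as the user's home does not hand ownership of /var/empty to sshd during user creation, and note in the commit message that the permissions entry is what is expected to win. The shell field also changes from - to /bin/false, which goes beyond the home-directory request and deserves its own line in the commit message.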


Is everyone happy with using /var/empty as the home directory? It isn't 
obvious that /var/empty should belong to sshd.  In fact it doesn't and 
could be shared with other services wanting to use it for the same 
purpose.  /var/empty is traditional, but can be changed using 
--with-privsep-path=xxx.  Using /var/run/sshd might be more "modern" but 
I don't know if any other distributions are using it.  Oddly, Fedora 
uses /var/empty/sshd -- /var/empty isn't empty at all.


Sincerely,

Chris


>
>   Regards,
>   Arnout
>
>> Use OPENSSH_PERMISSIONS to ensure this is done correctly.
>>
>> Signed-off-by: Chris Lesiak <chris.lesiak at licor.com>
>> ---
>>   package/openssh/openssh.mk | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> index 07f3e0d663..9175f9589d 100644
>> --- a/package/openssh/openssh.mk
>> +++ b/package/openssh/openssh.mk
>> @@ -22,6 +22,10 @@ define OPENSSH_USERS
>>   	sshd -1 sshd -1 * - - - SSH drop priv user
>>   endef
>>   
>> +define OPENSSH_PERMISSIONS
>> +	/var/empty d 755 root root - - - - -
>> +endef
>> +
>>   ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>>   OPENSSH_CONF_OPTS += --without-pie
>>   endif
>>
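
Review bot: The new OPENSSH_PERMISSIONS entry hard-codes /var/empty and carries no comment explaining the values; add a comment pointing to README.privsep and the privilege separation requirement so that 755 root root is not loosened later. Because the privsep path can be changed with --with-privsep-path, consider keeping the path in one variable that is also passed through OPENSSH_CONF_OPTS, so the directory created here and the one sshd is configured to use cannot drift apart.
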
-- 
Chris Lesiak
Principal Design Engineer, Software
LI-COR Biosciences
4647 Superior Street
Lincoln, NE 68504 USA
chris.lesiak at licor.com
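
The conditions discussed in this thread for the privsep directory (owned by root, not writable by group or others, and empty) can be checked on a running target with a small script. This is an added example, not part of the original message, Buildroot or OpenSSH; the function name check_privsep_dir, the optional expected-uid argument and the use of `stat -c` (GNU coreutils or BusyBox) are assumptions.

```shell
#!/bin/sh
# Added example: audit a privilege-separation directory such as /var/empty.
# Usage: check_privsep_dir PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
# Prints one line per problem found; returns 0 if clean, 1 otherwise.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    rc=0

    # A symlink or a missing path cannot be audited any further.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: missing or not a real directory"
        return 1
    fi

    # Assumption: stat supports -c (GNU coreutils or BusyBox).
    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")

    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owner uid is $uid, expected $want_uid"
        rc=1
    fi

    # Octal 022 covers the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is group- or world-writable"
        rc=1
    fi

    # The directory must stay empty, hidden entries included.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir: directory is not empty"
        rc=1
    fi

    return $rc
}

# Run the check when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_privsep_dir "$@"
fi
```

On a target built with the patch above, `check_privsep_dir /var/empty` should print nothing and return 0.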


