
SSHD privsep directory checks

Open mgrobelin opened this issue 7 years ago • 0 comments

Hi,

I've recently built OpenSSH and learned the following: the sshd privilege separation feature requires specific "privsep" directory (sshd chroot) ownership & permissions to be applied.

  • path to privsep dir differs between common distributions: /var/empty/sshd (RHEL) or /var/run/sshd (Debian) or xxx if ./configure --with-privsep-path=xxx
  • owned by root or yyy if ./configure --with-privsep-user=yyy
  • additional permissions: not readable/writable by group and "others"

I am not sure on the following bonus assumptions:

  • sshd system user must (?) exist with home directory == privsep directory and a "nologin" shell, so in sum it must not be able to read/write from/to the privsep directory*
  • no files should (?) exist within privsep dir: https://github.com/openssh/openssh-portable/blob/master/README.privsep

So if sshd UsePrivilegeSeparation is enabled - which is true on common Linux distributions - the privdir requirements above should be verified as well.

Do you think such checks make sense as an addition to https://github.com/dev-sec/ssh-baseline/blob/master/controls/sshd_spec.rb#L186 ? Or linux-baseline? Or not at all?

Best Regards, Markus

mgrobelin, Feb 19 '18 17:02
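The checks listed in the issue above, written as plain Ruby: an added example, not code from ssh-baseline or from the issue author. The function name, the `owner_uid` parameter and the throwaway directory in the demo are assumptions for illustration; the forbidden permission bits follow the issue's wording (no group/other read or write).

```ruby
require 'tmpdir'

# Bits the issue says must be absent: read/write for group and others.
FORBIDDEN_BITS = 0o066

# Returns a list of findings; an empty list means the directory passes.
# owner_uid defaults to root (0). For a build configured with
# --with-privsep-user=yyy the caller would pass Etc.getpwnam('yyy').uid.
def privsep_dir_findings(path, owner_uid: 0, forbidden: FORBIDDEN_BITS, require_empty: true)
  st = File.lstat(path) # lstat: a symlink standing in for the directory is a finding
  return ["#{path} is not a directory"] unless st.directory?

  findings = []
  unless st.uid == owner_uid
    findings << "owner uid is #{st.uid}, expected #{owner_uid}"
  end
  bad = st.mode & forbidden
  unless bad.zero?
    findings << format('mode %04o has forbidden bits %04o', st.mode & 0o7777, bad)
  end
  if require_empty
    entries = Dir.children(path)
    findings << "contains #{entries.size} entries, expected none" unless entries.empty?
  end
  findings
rescue Errno::ENOENT
  ["#{path} does not exist"]
rescue Errno::EACCES
  ["#{path} cannot be inspected by uid #{Process.euid}"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a temporary directory standing in for the privsep dir,
  # deliberately given mode 0755 and one stray file.
  Dir.mktmpdir do |dir|
    File.chmod(0o755, dir)
    File.write(File.join(dir, 'stray'), '')
    puts privsep_dir_findings(dir, owner_uid: Process.euid)
  end
end
```

On a real host the path would be the distribution's privsep directory (for example /var/empty/sshd or /var/run/sshd as named in the issue) and the check would need enough privilege to list it.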