LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-05-2002, 09:48 PM   #1
robeb
Member
 
Registered: May 2002
Posts: 113

Rep: Reputation: 15
Running services as non-root users


In order to secure services like sshd you could to follow a couple steps...

1. Change port that sshd binds to above 1024
2. Create a sshd user
3. Run sshd as that user

My question is, how do you run sshd as a non-root user if services cannot be started by anyone except root. You would have to give permissions to that user. How can you do that? In the sudoers file? I tried that but I still wasn't able to start or stop services in /etc/init.d.

And what about booting up? The services would initially be started as root, so you could create a script that would stop the service and then start it again as a non-root user? Or just include commands in your rc.local file, if you lazy like me .

The trick is trying to figure out how to start sshd as a non-root user. Still trying to figure that out.
 
Old 07-05-2002, 10:39 PM   #2
pickledbeans
Member
 
Registered: Jun 2002
Location: Bailey, CO
Distribution: Slackware
Posts: 483

Rep: Reputation: 31
Would su usename -c "/usr/bin/sshd" work?

For some sevices you can use a chroot jail?
There is a Howto on http://tldp.org

There is also a couple of jail scripts on:
http://freshmeat.net
 
Old 07-05-2002, 11:29 PM   #3
robeb
Member
 
Registered: May 2002
Posts: 113

Original Poster
Rep: Reputation: 15
Ok, tried that, but first needed to chown user sshd_config, ssh_host_dsa_key, ssh_host_key, and ssh_host_rsa_key

After doing that I tried again, but got a
setgroups() failed: Operation not permitted error.

According to the man pages, setgroups() can only be called by the super-user.

Setgroups() set the supplementary group IDs for the process. I'm not sure what that means, but I'm sure it's needed. Must be another way to get around this.
 
Old 07-06-2002, 12:07 AM   #4
pickledbeans
Member
 
Registered: Jun 2002
Location: Bailey, CO
Distribution: Slackware
Posts: 483

Rep: Reputation: 31
You have both a ssh user and ssh group?
 
Old 07-06-2002, 12:17 AM   #5
robeb
Member
 
Registered: May 2002
Posts: 113

Original Poster
Rep: Reputation: 15
yes
 
Old 07-06-2002, 01:43 AM   #6
tyler_durden
Member
 
Registered: May 2001
Posts: 125

Rep: Reputation: 15
first, i really don't think that you can actually run ssh as non root.

but to get it to start as non-root, just chown the file to the ssh user. then suid it to that user, it will run with the ssh users privs.
 
Old 07-06-2002, 12:34 PM   #7
robeb
Member
 
Registered: May 2002
Posts: 113

Original Poster
Rep: Reputation: 15
suid? I'm not sure if you mean "su" or something else.
 
Old 07-06-2002, 12:43 PM   #8
pickledbeans
Member
 
Registered: Jun 2002
Location: Bailey, CO
Distribution: Slackware
Posts: 483

Rep: Reputation: 31
man chmod
man chown
 
Old 07-06-2002, 12:54 PM   #9
robeb
Member
 
Registered: May 2002
Posts: 113

Original Poster
Rep: Reputation: 15
All files in the /etc/ssh

chmod 600
chown user:user

Still get "setgroups() operation not permitted"

This can only be called by the superuser, either sshd cannot be run by anyone except root or there is another way around this but I can't figure it out. Ah shucks....
 
Old 07-06-2002, 01:00 PM   #10
pickledbeans
Member
 
Registered: Jun 2002
Location: Bailey, CO
Distribution: Slackware
Posts: 483

Rep: Reputation: 31
The question you have to ask youself is do I " robeb"
know more about secruity and ssh than Theo & gang
at openssh? If your honest answer is NO then follow the
build instrustions that come with source?

And or post to the OpenSSH mailing list.
 
Old 07-06-2002, 01:53 PM   #11
robeb
Member
 
Registered: May 2002
Posts: 113

Original Poster
Rep: Reputation: 15
Do I know more? Absolutely not! It was more of an experiment if anything else, never really a security issue. Just for fun, eh? I'm still new to linux but I like playing around with stuff. Maybe I should have posted that premise earlier. Sorry. Thanks for you help, though.
 
Old 07-06-2002, 01:58 PM   #12
pickledbeans
Member
 
Registered: Jun 2002
Location: Bailey, CO
Distribution: Slackware
Posts: 483

Rep: Reputation: 31
No reason to be sorry, just don't limit your self a single point
of contact. This site might be of interest to you:

http://www.linuxsecurity.com/
 
Old 07-06-2002, 07:27 PM   #13
tyler_durden
Member
 
Registered: May 2001
Posts: 125

Rep: Reputation: 15
suid means is a bit in the permissions that that the program runs at the permissions of the owner. an example of this would be the passwd. if it didn't run at the permissions of root, it couldn't access the password hash file (/etc/shadow). so you set the hash file so that only root can view it, then set passwd to suid root so that it runs at roots priveleges.

to change a program suid, first, change the owner to the correct owner.
chown owner file

then change the permissions to suid

chown 4XXX
The four in front is for the suid bit, the XXX stand for normal persmissions. you can use somehting like 777, or 111, or anything you want.


I really don't think you need to worry about running ssh as anything other then root. if you download the new version, you can run the privelege seperation and it will only use the priveleges for authentication (which i am pretty sure it NEEDS to run at all).
 
Old 07-18-2002, 10:58 AM   #14
turnip
Member
 
Registered: Jul 2002
Posts: 143

Rep: Reputation: 15
And something to keep in mind is this. binding to a port < 1024 requires root. They are privileged ports.... However, you can chroot sshd and have it start as root and fork to a user.
 
Old 07-18-2002, 03:19 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,358
Blog Entries: 55

Rep: Reputation: 3545Reputation: 3545Reputation: 3545Reputation: 3545Reputation: 3545Reputation: 3545Reputation: 3545Reputation: 3545Reputation: 3545Reputation: 3545Reputation: 3545
OT

Kinda OT, but can someone give me a working example where it would be necessary *and* practical to have a chrooted sshd running?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how to give rightst on services to the users varala_kanth Linux - Software 1 05-14-2004 09:02 AM
running Xapps as root in a users X keex Linux - General 4 01-26-2004 12:53 AM
Removing unnecessary services and users/groups Jiggy Linux - Security 4 11-18-2003 01:11 PM
what services should i have running? jamesgf Linux - General 3 04-18-2003 02:24 PM
Running services as Root robeb Linux - Security 1 07-01-2002 01:46 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:55 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration