In order to secure services like sshd you could to follow a couple steps...

1. Change port that sshd binds to above 1024
2. Create a sshd user
3. Run sshd as that user

My question is, how do you run sshd as a non-root user if services cannot be started by anyone except root. You would have to give permissions to that user. How can you do that? In the sudoers file? I tried that but I still wasn't able to start or stop services in /etc/init.d.

And what about booting up? The services would initially be started as root, so you could create a script that would stop the service and then start it again as a non-root user? Or just include commands in your rc.local file, if you lazy like me .

The trick is trying to figure out how to start sshd as a non-root user. Still trying to figure that out.

Would su usename -c "/usr/bin/sshd" work?

For some sevices you can use a chroot jail?
There is a Howto on http://tldp.org

There is also a couple of jail scripts on:
http://freshmeat.net

Ok, tried that, but first needed to chown user sshd_config, ssh_host_dsa_key, ssh_host_key, and ssh_host_rsa_key

After doing that I tried again, but got a
setgroups() failed: Operation not permitted error.

According to the man pages, setgroups() can only be called by the super-user.

Setgroups() set the supplementary group IDs for the process. I'm not sure what that means, but I'm sure it's needed. Must be another way to get around this.

You have both a ssh user and ssh group?

yes

first, i really don't think that you can actually run ssh as non root.

but to get it to start as non-root, just chown the file to the ssh user. then suid it to that user, it will run with the ssh users privs.

suid? I'm not sure if you mean "su" or something else.

man chmod
man chown

All files in the /etc/ssh

chmod 600
chown user:user

Still get "setgroups() operation not permitted"

This can only be called by the superuser, either sshd cannot be run by anyone except root or there is another way around this but I can't figure it out. Ah shucks....

The question you have to ask youself is do I " robeb"
know more about secruity and ssh than Theo & gang
at openssh? If your honest answer is NO then follow the
build instrustions that come with source?

And or post to the OpenSSH mailing list.

Do I know more? Absolutely not! It was more of an experiment if anything else, never really a security issue. Just for fun, eh? I'm still new to linux but I like playing around with stuff. Maybe I should have posted that premise earlier. Sorry. Thanks for you help, though.

No reason to be sorry, just don't limit your self a single point
of contact. This site might be of interest to you:

http://www.linuxsecurity.com/

suid means is a bit in the permissions that that the program runs at the permissions of the owner. an example of this would be the passwd. if it didn't run at the permissions of root, it couldn't access the password hash file (/etc/shadow). so you set the hash file so that only root can view it, then set passwd to suid root so that it runs at roots priveleges.

to change a program suid, first, change the owner to the correct owner.
chown owner file

then change the permissions to suid

chown 4XXX
The four in front is for the suid bit, the XXX stand for normal persmissions. you can use somehting like 777, or 111, or anything you want.


I really don't think you need to worry about running ssh as anything other then root. if you download the new version, you can run the privelege seperation and it will only use the priveleges for authentication (which i am pretty sure it NEEDS to run at all).

And something to keep in mind is this. binding to a port < 1024 requires root. They are privileged ports.... However, you can chroot sshd and have it start as root and fork to a user.

Kinda OT, but can someone give me a working example where it would be necessary *and* practical to have a chrooted sshd running?