Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In order to secure services like sshd you could to follow a couple steps...
1. Change port that sshd binds to above 1024
2. Create a sshd user
3. Run sshd as that user
My question is, how do you run sshd as a non-root user if services cannot be started by anyone except root. You would have to give permissions to that user. How can you do that? In the sudoers file? I tried that but I still wasn't able to start or stop services in /etc/init.d.
And what about booting up? The services would initially be started as root, so you could create a script that would stop the service and then start it again as a non-root user? Or just include commands in your rc.local file, if you lazy like me .
The trick is trying to figure out how to start sshd as a non-root user. Still trying to figure that out.
Ok, tried that, but first needed to chown user sshd_config, ssh_host_dsa_key, ssh_host_key, and ssh_host_rsa_key
After doing that I tried again, but got a
setgroups() failed: Operation not permitted error.
According to the man pages, setgroups() can only be called by the super-user.
Setgroups() set the supplementary group IDs for the process. I'm not sure what that means, but I'm sure it's needed. Must be another way to get around this.
This can only be called by the superuser, either sshd cannot be run by anyone except root or there is another way around this but I can't figure it out. Ah shucks....
The question you have to ask youself is do I " robeb"
know more about secruity and ssh than Theo & gang
at openssh? If your honest answer is NO then follow the
build instrustions that come with source?
Do I know more? Absolutely not! It was more of an experiment if anything else, never really a security issue. Just for fun, eh? I'm still new to linux but I like playing around with stuff. Maybe I should have posted that premise earlier. Sorry. Thanks for you help, though.
suid means is a bit in the permissions that that the program runs at the permissions of the owner. an example of this would be the passwd. if it didn't run at the permissions of root, it couldn't access the password hash file (/etc/shadow). so you set the hash file so that only root can view it, then set passwd to suid root so that it runs at roots priveleges.
to change a program suid, first, change the owner to the correct owner.
chown owner file
then change the permissions to suid
chown 4XXX
The four in front is for the suid bit, the XXX stand for normal persmissions. you can use somehting like 777, or 111, or anything you want.
I really don't think you need to worry about running ssh as anything other then root. if you download the new version, you can run the privelege seperation and it will only use the priveleges for authentication (which i am pretty sure it NEEDS to run at all).
And something to keep in mind is this. binding to a port < 1024 requires root. They are privileged ports.... However, you can chroot sshd and have it start as root and fork to a user.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.