Re: Who to run sshd as



On Fri, 2006-10-27 at 23:44 -0400, James Stickland wrote:
Hello, I'm running openssh 4.4p1 for Linux.

I setuid the sshd binary to execute as a normal user "joe",
but that user does not have permission to bind the socket.

How can I have my sshd run as non-root, yet still bind the socket?

Only root can bind to ports < 1024. So if ssh is going to become
non-root, it must start as root and then drop its privileges after it
binds to the port. Further, it needs the ability to setuid() to the
user who logs in.

If you're wanting to understand or control the user OpenSSH runs as,
look at its privilege separation capabilities. Not sure if they're
available in non-OpenBSD OpenSSH, but they should be the tool for what
you're wanting.

- Michael
