On Thursday 17 September 2009 19:55:33 Ruben de Groot wrote:
> On Thu, Sep 17, 2009 at 07:14:29PM +0200, Mel Flynn typed:
> > On Wednesday 16 September 2009 21:18:03 Tom Worster wrote:
> > > On 9/16/09 2:37 PM, "Mel Flynn"
> > >
> > > <mel.flynn+fbsd.questi...@mailing.thruhere.net> wrote:
> > > > On Wednesday 16 September 2009 20:21:40 Chris Cowart wrote:
> > > >> Tom Worster wrote:
> > > >>> thanks, Mel, that's good to know.
> > > >>>
> > > >>> i think your suggestion of modifying rc.conf will turn out to be a
> > > >>> tidy solution for me.
> > > >>
> > > >> You could also just put:
> > > >>
> > > >> sshd_flags="-o X11Forwarding=no"
> > > >>
> > > >> into your /etc/rc.conf file.
> > > >
> > > > What he wants is passing arguments without touching config files,
> > > > which I find myself needing sometimes as well, on machines where
> > > > static partitions are mounted read-only + kern.secure_level.
> > >
> > > that's right.
> > >
> > > when i read in 11.7 of the handbook: "Since the rc.d system is
> > > primarily intended to start/stop services at system startup/shutdown
> > > time, ..." i thought: maybe i'm making things hard by trying to use
> > > rc.d scripts when i could just execute the daemon's binary.
> >
> > One downside I forgot to mention:
> > You do open yourself up now to SSHD_FLAGS="-o AllowRoot=yes", so you may
> > need to complicate the logic a bit more, by sanitizing SSHD_FLAGS.
> 
> Please explain how this can be exploited by a non-root user?

By adding this to .profile of compromised wheel account and waiting for him to 
run sudo -E or using an older version of sudo.
Yes, it's an unlikely path.

More to the point, it defeats having ro mounted /etc + secure level, since no 
reboot is required to modify the running sshd, so you're compromising your 
failsafe.
-- 
Mel
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to