hi folks, we are in the process of conceptualizing a better owner matching method for iptables, and part of what we want to accomplish is associating incoming ssh connections with a user id. the *:22 socket is owned by root, but for every established session, a new sshd is spawned, which should drop privileges to effectively be the authenticated user. the following somewhat goes in that direction.
fishbowl:~> ps -eo uid,gid,euid,egid,suid,sgid,args|grep "[s]shd"
0 0 0 0 0 0 /usr/sbin/sshd
0 0 0 0 0 100 /usr/sbin/sshd

as you can see, there's an established ssh session for a user in the "users" group (gid=100). what i am wondering is why the sgid (saved gid) is set, but none of the *uid fields. furthermore, why sgid and not gid or egid? after all, sgid should really be 0 and gid/egid should be 100. could someone here enlighten me?

i am writing this disconnected from the 'net, otherwise i'd (also) talk to the openssh people, and i will forward this email to them as soon as i get an IP again.

oh, and for your info:

fishbowl:~> dpkg -l ssh | grep ^ii
ii ssh 3.0.2p1-8.3 Secure rlogin/rsh/rcp replacement

thanks for any insights!

--
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" [EMAIL PROTECTED]

"oh what a tangled web we weave, when first we practice to deceive."
  -- shakespeare
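As an added example (not part of the original mail, and not OpenSSH or iptables code), the same real/effective/saved credentials ps printed above can be read per process from the Uid:/Gid: lines of /proc/<pid>/status, which is what an owner match would have to consult since the accepted socket itself stays owned by root. The sample status bodies below are constructed to mirror the two sshd processes in the listing; the pids are made up.

```python
from typing import Dict, NamedTuple, Tuple

# Constructed sample input (not real captures): /proc/<pid>/status excerpts
# shaped like the two sshd processes in the ps listing, the root listener and
# one session child whose only non-root field is the saved gid. Pids are made up.
SAMPLE_STATUS = {
    1234: "Name:\tsshd\nPid:\t1234\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    1300: "Name:\tsshd\nPid:\t1300\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t100\t0\n",
}

class Creds(NamedTuple):
    real: int
    effective: int
    saved: int
    fs: int  # filesystem id: a Linux extra column that ps does not show

def parse_status(text: str) -> Tuple[str, Creds, Creds]:
    """Return (name, uid_creds, gid_creds) from one /proc/<pid>/status body."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.strip()
    uid = Creds(*(int(x) for x in fields["Uid"].split()))
    gid = Creds(*(int(x) for x in fields["Gid"].split()))
    return fields["Name"], uid, gid

def describe(uid: Creds, gid: Creds) -> str:
    """Classify a process as still root, fully dropped to a user, or mixed."""
    if set(uid) == {0} and set(gid) == {0}:
        return "root"
    if len(set(uid)) == 1 and uid.real != 0 and len(set(gid)) == 1 and gid.real != 0:
        return f"dropped to uid {uid.real} gid {gid.real}"
    # Mixed state: name every column that disagrees with the real id, so a
    # leftover saved id (as in the mail) shows up explicitly.
    odd = [f"{col}{kind}={val}"
           for kind, creds in (("uid", uid), ("gid", gid))
           for col, val in zip(("", "e", "s", "fs"), creds)
           if val != creds.real]
    return "mixed: " + ", ".join(odd)

def audit(statuses: Dict[int, str]) -> Dict[int, Tuple[str, str]]:
    """Map pid -> (process name, credential description) for a set of status bodies."""
    result = {}
    for pid, text in statuses.items():
        name, uid, gid = parse_status(text)
        result[pid] = (name, describe(uid, gid))
    return result

def read_live(pid: int) -> str:
    """Fetch a real status body on a Linux host; swap for SAMPLE_STATUS to run live."""
    with open(f"/proc/{pid}/status") as fh:
        return fh.read()

if __name__ == "__main__":
    for pid, (name, state) in audit(SAMPLE_STATUS).items():
        print(pid, name, state)
```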