X-Spam-Check-By: sourceware.org
Message-ID: <4602F68B.F9341EEE@dessent.net>
Date: Thu, 22 Mar 2007 14:35:07 -0700
From: Brian Dessent <brian AT dessent DOT net>
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: sshd-started sessions don't see system environment?
References: <et7b9l$8pu$1 AT sea DOT gmane DOT org> <eteuvc$70h$1 AT sea DOT gmane DOT org> <45FB0184 DOT 9204D1A1 AT dessent DOT net> <etus37$rkn$1 AT sea DOT gmane DOT org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
Reply-To: cygwin AT cygwin DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Shankar Unni wrote:

> (Though I wonder how it improves security to ignore env vars from
> /etc/profile or the system environment..)

Suppose you, as root, ran "/etc/init.d/openssh start", or whatever the
appropriate command to launch the ssh daemon on your *nix system, and
you happen to have some variable in the environment that exposes
something of value (like perhaps the name of a temporary file or socket,
or a login name on a remote system ... remember this is from OpenBSD
where they're paranoid about these things.)  Since the sshd daemon
process starts out life as a child of the shell where root started it,
it gets a copy of its environment, and so if it didn't nuke it and start
with a fresh empty environ then these things from the root account could
leak through into an unprivileged user account.

On windows this is not much of a threat situation because hardly anybody
ever starts a SYSTEM-owned shell to launch daemons, that's what
cygrunsrv is for.  So there's no clear way for anything to leak, but
it's still theoretically possible.  Clearing and starting from nothing
still makes sense, this is the *secure* shell after all.  The impedance
mismatch, if you can call it that, is that the traditional way of
setting environment in *nix is through the /etc/profile and ~/.profile,
which get sourced from the login shell, so the user gets approximately
the same environment when logging in from ssh or locally.  However on
windows the typical user environment is inherited from the invoking
process, or from the system via a list of values in the registry. 
Neither of these happen in the case of sshd.

I suppose a way to reconcile these would be a utility that you call from
~/.profile that enumerates the list of environ key/value pairs from the
registry and installs them into the process' environment.  Or maybe this
should be done from sshd instead of just passing through a list of
known-to-be-necessary values.

Brian

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/