3.6. As-User Access (userfile)
The SSH server usually runs as root (as does the client, in some circumstances). At various points, SSH needs to access files belonging to the source or target accounts. The root account privilege overrides most access controls, but not all. For instance, the root account on an NFS client doesn't necessarily have any special access to files on a remote filesystem. Another example is POSIX access control lists (ACLs); only the file owner can change a file ACL, and root doesn't override this restriction.
In Unix, there is a way for a process to take on the identity of a different user than its current user ID: the setuid system call. Root can use this facility to "become" any user. However, this call is irreversible for the duration of the process; a program can't regain its previous privileges, making setuid unsuitable for SSH. Some Unix implementations have a reversible form, seteuid (set effective user ID), but it isn't universally available and isn't part of POSIX.[35]
To aid in portability, SSH1 and SSH2 use the reliably available setuid system call. The first time they need to access a file as a regular user, they start a subprocess. The subprocess calls setuid to change (irrevocably) to the desired uid, but the main SSH program continues running as root. Then, whenever SSH needs file access as that user, the main program sends a message to the subprocess, asking it to perform the needed operation and return the results. Internally, this facility is called the userfile module.
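As an added illustration of the userfile pattern (this is not the book's or SSH's own code, and the real SSH message protocol is not shown on this page), the sketch below has a parent keep its privileges while a forked helper calls setgid/setuid for good and then performs every stat and read on the parent's behalf over a socketpair. The message structs, the function names userfile_start and userfile_request, and the two operations are my own constructs; run as an ordinary user with its own uid/gid it exercises the mechanism without needing root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
/* Constructed wire format between the privileged parent and the helper: op 1 = stat, op 2 = read first bytes. */
struct uf_req { int op; char path[200]; };
struct uf_rep { int err; long size; char data[64]; };

/* Helper side: serve requests until the parent closes the socket. By now root is gone for good. */
static void uf_serve(int fd) {
    struct uf_req rq; struct uf_rep rp; struct stat st;
    while (read(fd, &rq, sizeof rq) == (ssize_t)sizeof rq) {
        memset(&rp, 0, sizeof rp);
        if (stat(rq.path, &st) != 0) rp.err = errno;   /* file syscalls happen HERE, in the child */
        else if (rq.op == 1) rp.size = (long)st.st_size;
        else { FILE *f = fopen(rq.path, "r");
               if (!f) rp.err = errno;
               else { rp.size = (long)fread(rp.data, 1, sizeof rp.data - 1, f); fclose(f); } }
        if (write(fd, &rp, sizeof rp) != (ssize_t)sizeof rp) break;
    }
    _exit(0);
}

/* Parent side: fork the helper, which drops to uid/gid irrevocably. Returns the request socket or -1. */
int userfile_start(uid_t uid, gid_t gid) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);
        /* Group first, then user: after setuid() there is no way back to root. */
        if (setgid(gid) != 0 || setuid(uid) != 0) _exit(1);
        uf_serve(sv[1]);
    }
    close(sv[1]);   /* the parent keeps its privileges and only ever talks over the socket */
    return sv[0];
}

/* Parent side: send one request, wait for the reply. Returns the helper's errno (0 = ok) or -1 if it is gone. */
int userfile_request(int fd, int op, const char *path, struct uf_rep *rep) {
    struct uf_req rq; memset(&rq, 0, sizeof rq); rq.op = op;
    strncpy(rq.path, path, sizeof rq.path - 1);
    if (write(fd, &rq, sizeof rq) != (ssize_t)sizeof rq) return -1;
    if (read(fd, rep, sizeof *rep) != (ssize_t)sizeof *rep) return -1;
    return rep->err;
}
```

Tracing only the parent with strace shows nothing but socket reads and writes; the open/stat/read calls appear only in the helper's trace, which is the point of the -f advice below.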
Keep this behavior in mind when debugging an SSH process with SunOS trace, Solaris truss, Linux strace, or another process tracer. By default, these programs trace only the topmost process, so always remember to trace subprocesses as well. (See the tracer's manpage for the appropriate option, though it is usually -f.) If you forget to do this, and the problem is with file access, you might not see it, since the userfile subprocess performs the file-access system calls (open, read, write, stat, etc.).