Russ Allbery <r...@debian.org> writes:

> Micah Anderson <mi...@debian.org> writes:
>
>> If you add the option ProtectSystem=yes to the service file, then the
>> daemon will not have the ability to write to /usr.
>
> How does this interact with the OpenSSH daemon, which spawns user shells?
> I was (blindly) assuming that these security settings would be inherited
> by all child processes of the spawned process, so you'd end up with shells
> that also had read-only /usr, possibly interfering with later sudo, su, or
> other similar operations.

That is a good point. Unless I did something wrong, I just set this in my
system's ssh service file, like this:

    [Unit]
    Description=OpenBSD Secure Shell server
    After=network.target auditd.service
    ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

    [Service]
    EnvironmentFile=-/etc/default/ssh
    ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
    ExecReload=/bin/kill -HUP $MAINPID
    KillMode=process
    Restart=on-failure
    ProtectSystem=yes

    [Install]
    WantedBy=multi-user.target
    Alias=sshd.service

Then I did

    # systemctl daemon-reload
    # systemctl reload ssh

Then I did:

    $ ssh root@localhost
    # touch /usr/foo
    #

It seemed to work fine.
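The inheritance question raised in this thread can be checked directly, as an added example that is not part of the original messages: the script below reports, for one PID, whether it shares PID 1's mount namespace and whether /usr is a read-only mount in that process's own view. It assumes Linux /proc and root privileges; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): how does a given process see /usr?
# Usage: sh check_usr.sh <pid>
#   e.g. the daemon's main PID, or $$ from a shell inside an SSH session.

# Print the mount options of the mount point $2 as listed in the mountinfo
# file $1 (proc(5) format: field 5 = mount point, field 6 = mount options).
# The last matching line wins, because later mounts stack on earlier ones.
mount_opts() {
    awk -v mp="$2" '$5 == mp { opts = $6 } END { if (opts != "") print opts }' "$1"
}

# Succeed if the comma-separated option list $1 contains the option "ro".
is_ro() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if two /proc/<pid>/ns/mnt links name the same mount namespace.
same_ns() {
    [ "$(readlink "$1")" = "$(readlink "$2")" ]
}

# Report on one PID: namespace relative to PID 1, then the state of /usr.
report() {
    pid=$1
    if same_ns "/proc/$pid/ns/mnt" /proc/1/ns/mnt; then
        echo "pid $pid: shares the host mount namespace"
    else
        echo "pid $pid: private mount namespace"
    fi
    opts=$(mount_opts "/proc/$pid/mountinfo" /usr)
    if is_ro "$opts"; then
        echo "pid $pid: /usr is mounted read-only ($opts)"
    else
        echo "pid $pid: /usr is not read-only here (${opts:-no separate /usr mount})"
    fi
}

if [ $# -gt 0 ]; then report "$1"; fi
```

Running it once against the sshd main PID and once against `$$` from a logged-in session shows whether the two processes live in the same mount namespace.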