From 087815f8bcef00e7cfbc04089cc9c463a01e0f3d Mon Sep 17 00:00:00 2001
From: Brian Feldman
Date: Tue, 14 Nov 2000 04:42:25 +0000
Subject: [PATCH] Disable /usr/bin/ssh being setuid root by default. Let the variable ENABLE_SUID_SSH being defined reenable it for those that want it. This follows discussion favoring the change from September. It is not usually necessary to be setuid root, possibly less safe, and less convenient (cannot use $HOSTALIASES, for example). Submitted by: jedgar
---
 etc/defaults/make.conf | 3 +++
 secure/usr.bin/ssh/Makefile | 2 ++
 share/examples/etc/make.conf | 3 +++
 3 files changed, 8 insertions(+)
diff --git a/etc/defaults/make.conf b/etc/defaults/make.conf
index 18a5a5ea585..bf2918a2677 100644
--- a/etc/defaults/make.conf
+++ b/etc/defaults/make.conf
@@ -57,6 +57,9 @@ BDECFLAGS= -W -Wall -ansi -pedantic -Wbad-function-cast -Wcast-align \
 # To build ppp with normal permissions
 #PPP_NOSUID= true
 #
+# To enable installing ssh(1) with the setuid bit turned on
+#ENABLE_SUID_SSH= true
+#
 # To avoid building various parts of the base system:
 #NO_CVS= true # do not build CVS
 #NO_BIND= true # do not build BIND
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index 10dcbf0f8f0..0b99611f058 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -5,7 +5,9 @@ SSHSRC= ${.CURDIR}/../../../crypto/openssh
 PROG= ssh
 BINOWN= root
+.if defined(ENABLE_SUID_SSH)
 BINMODE=4555
+.endif
 MAN1= ssh.1
 LINKS= ${BINDIR}/ssh ${BINDIR}/slogin
 MLINKS= ssh.1 slogin.1
diff --git a/share/examples/etc/make.conf b/share/examples/etc/make.conf
index 18a5a5ea585..bf2918a2677 100644
--- a/share/examples/etc/make.conf
+++ b/share/examples/etc/make.conf
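Review bot: The example `#ENABLE_SUID_SSH= true` in etc/defaults/make.conf reads like a boolean switch, but the Makefile hunk in this patch tests it with `.if defined(ENABLE_SUID_SSH)`, so uncommenting it with any value, including `false` or `no`, installs ssh setuid root. The comment above it could say so, for example `# To install ssh(1) setuid root (defining the variable to any value enables this)`. The same wording applies to the identical hunk in share/examples/etc/make.conf.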
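Review bot: Nothing in secure/usr.bin/ssh/Makefile says why `BINMODE=4555` is now conditional or which mode applies when `ENABLE_SUID_SSH` is not defined; a comment above the `.if` would help, for example `# setuid root only when requested in make.conf; otherwise the default BINMODE is used`. `BINOWN= root` stays outside the conditional, which looks harmless. The new default presumably takes effect only when ssh is next installed, so a binary installed earlier may keep mode 4555 until then; an UPDATING or release-notes entry asking administrators to check the mode of /usr/bin/ssh would cover that. The Makefile continues past the end of this hunk.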
@@ -57,6 +57,9 @@ BDECFLAGS= -W -Wall -ansi -pedantic -Wbad-function-cast -Wcast-align \
 # To build ppp with normal permissions
 #PPP_NOSUID= true
 #
+# To enable installing ssh(1) with the setuid bit turned on
+#ENABLE_SUID_SSH= true
+#
 # To avoid building various parts of the base system:
 #NO_CVS= true # do not build CVS
 #NO_BIND= true # do not build BIND