On Sat, Mar 30, 2024 at 1:07 PM Kevin Kofler via devel <
devel(a)lists.fedoraproject.org> wrote:
> Before making each of these safer we should make sshd not link
with so
> many things in the first place.
Indeed. E.g., Arch Linux does not transitively link sshd against liblzma.
Fedora does because of this innocuous-looking patch:
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.4p1-s...
which is what ultimately allowed this to happen. This drags in libsystemd
for sd_notify, and libsystemd is linked to way too much stuff including
liblzma. Either we need a split libsdnotify that contains only sd_notify,
or
we should just stop using sd_notify at all. It increases the attack
surface
of daemons a lot just to allow the service to be "Type=notify" rather than
one of the other available approaches. Arch Linux is also systemd-based
nowadays, but still does not link OpenSSH against libsystemd.
We have an upstream-adjusted version of this patch, see
https://bugzilla.mindrot.org/show_bug.cgi?id=2641
I'm OK to bring the updated version of this script to Fedora as soon as it
is finalized.
--
Dmitry Belyavskiy