Closed andreas1288 closed 3 months ago
TL;DR It is not recommended to start sshd as the root user, as this will cause potential problems.
When there is a connection, sshd
will start a child process sshd-session
. If sshd
is not started as the root user, the child process will inherit the status (uid/gid/selinux context and etc.) from the parent process; otherwise, sshd
will call set(e)uid
, set(e)gid
, initgroups
and a series of selinux function calls to set the child process to the same status as the logged-in user.
However, the situation is very different on Termux.
com.termux
(unless the requested username is root).initgroups
implementation will only set AID_APP_TERMUX
(1xxxx) to the child process, and will not set other group ids that com.termux
has, such as AID_INET
(3003), AID_EVERYBODY
(9999), AID_SHARED_GID_TERMUX
(5xxxx) and so on, to the child process, which will at least cause network connection issues.com.termux
, causing many programs not working properly.I think it is better to prohibit sshd
from starting with root user. When the user really needs to log in as the root user, the user should start sshd with a non-root user, log in to Termux as a normal user, and use su
or sudo
to switch the user to root.
CC: @agnostic-apollo @sylirre @twaik @truboxl
I agree. Starting sshd as root should be disabled.
For me the main use case for running sshd as root is the export of the filesystem for an sshfs client. Without root the access is very limited, outside from termux of course. Could it be an option to run only the sshfs subsystem as root?
I only run ssh
client as root, and not the sshd
server, so don't have experience with its issues.
- will not set other group ids that com.termux has, such as AID_INET (3003), AID_EVERYBODY (9999), AID_SHARED_GID_TERMUX (5xxxx) and so on, to the child process, which will at least cause network connection issues.
Root user processes started by Magisk and AOSP provided su
, etc don't have users set either, as root
user already has full access and doesn't need any users in its groups. Internet works fine.
- which will result in the child process not having the security context of com.termux, causing many programs not working properly.
That would also be a problem if users run commands directly with su
/sudo su
too instead of through sshd
.
For Termux, if sshd
is run with root
user, it should act just the same as if running with termux
user. The uid:gid
, groups
and selinux context
should all be inherited from parent process, whatever they are for the parent root
user process. Ideally, uid:gid
would be root:root
, groups
won't be set, and selinux context
would be u:r:magisk:s0
or u:r:su:s0
. I haven't looked at sshd
sources, but I assume they can be automatically inherited as you said.
Since normally, sshd
won't be run as root
, so incoming clients would only get termux
user access, so not a security issue for them. If someone is rooted, and runs sshd
with root
, they should be well aware of the risks. A check in auth.c.patch
could be added where if current process is root
owned, then root
user must be passed for authentication. as well.
Root user processes started by Magisk and AOSP provided
su
, etc don't have users set either, asroot
user already has full access and doesn't need any users in its groups. Internet works fine.
There will indeed be no network connection problems under the root user, but if a program starting as root user executes set(e)uid
, set(e)gid
and initgroups
to the uid of com.termux
, initgroups
will not automatically set INET group to this program so network issues will occur.
Since normally,
sshd
won't be run asroot
, so incoming clients would only gettermux
user access, so not a security issue for them. If someone is rooted, and runssshd
withroot
, they should be well aware of the risks. A check inauth.c.patch
could be added where if current process isroot
owned, thenroot
user must be passed for authentication. as well.
I think this is more reasonable than disabling sshd from starting as root. I'll submit a patch to implement it.
but if a program starting as root user executes set(e)uid, set(e)gid and initgroups to the uid of com.termux, initgroups will not automatically set INET group to this program so network issues will occur.
Oh, that transition would be a far more complex issue than just groups and would require patching sepolicies. It is certainly doable, I have a local implementation but would be out of scope. If a user is running sshd
as root, then they should run all processes as root too, but if they really want to run as termux
user, they can send a RUN_COMMAND
intent from the root
process and intent commands would run as the normal termux
user when Temux app starts a new shell for them by forking from the main app process itself.
https://android.stackexchange.com/a/217104
I think this is more reasonable than disabling sshd from starting as root. I'll submit a patch to implement it.
Great. Thanks.
I have been running sshd as root for a long time, most recently on Android 14 with GrapheneOS, with a quite recent patch level. Until I updated from openssh_9.7p1_aarch64.deb to openssh_9.8p1-2_aarch64.deb, I never encountered any problems. It is unclear to me why this change is causing such issues. Was the update from openssh 9.7 to 9.8 so significant? Or is this in preparation for new Android versions? The solution doesn't have to be perfect. If some edge cases result in a program crash, it is totally acceptable in such an environment. However, due to this regression, I really don't want to stay on the old version for too long. I am also running another sshd under the "normal" Termux user on a different port.
Could you please ensure that sshd continues to work under root?
Thank you very much for your assistance.
Was the update from openssh 9.7 to 9.8 so significant? Or is this in preparation for new Android versions?
It was significant in so far as that it fixed a recoccuring security vulnerability dubbed "Regresshion" reoccuring as far back as openssh-8.5p1. Which can allow unauthenticated remote code execution. Android/Termux isn't currently known to be vulnerable to the CVE, but the suggested remediation is still to update OpenSSH.
Probably the changes that are relevant to issues with "sshd as root" is the work to "separate sshd into a listener and a session binary", which removed the use_privsep
option that we were previously setting to OFF
Please test the debs in https://github.com/termux/termux-packages/actions/runs/9829064472/job/27133707099. Thanks!
(This is a pre-written, saved reply.) If you want to test this PR please download the appropriate DEB package(s) from the build artifacts of the associated PR's latest CI run.
After downloading the build artifact, make sure to unzip
and un-tar
it.
```bash # finding out what architecture you need # architecture is just below the TERMUX_VERSION termux-info # e.g. # [...] # TERMUX_MAIN_PACKAGE_FORMAT=debian # TERMUX_VERSION=0.118.0 # TERMUX__USER_ID=0 # Packages CPU architecture: # aarch64 # [...] # ======================= # make sure `unzip` and `tar` are installed using pkg install unzip tar # unzip the artifact (if you have a different architecture this might be arm, i686 or x86_64 instead) unzip debs-aarch64-*.zip # untar the artifact tar xf debs-aarch64-*.tar # You should now have a debs/ directory in your current working directory # Install the packages from the local source using pkg install -- ./debs/*.deb # to clean up, you can remove the debs/ directory, .tar file and .zip file rm -rfi debs debs-aarch64-*.zip debs-aarch64-*.tar ```
If you want to test this PR please download the appropriate DEB package(s)
If users have github-cli (gh) set up they can also download the deb tar with something like gh run download 9829064472 --pattern "debs-$(dpkg --print-architecture)-*"
(where 9829064472 is the job id same as in the url: https://github.com/termux/termux-packages/actions/runs/9829064472).
Maybe we should create a termux-devel
package with this type of wrapper script, and for example a script for simplifying rebasing and merging PRs from the command line.
Everything works perfect. Login as root, exporting fs with sshfs under root. Files can be uploaded and downloaded correctly. uids and gids seams to be right. Thanks a lot! That was a nice birthday present, sorry party yesterday...
Problem description
See also https://github.com/termux/termux-packages/issues/20769. Thank you for the fast reaction! Unfortunately it seams that the error occurs on multiple places.
After updating to openssh_9.8p1-3_aarch64.deb the openssh daemon starts under root. However, on connection of a client the fork exits with
Privilege separation user sshd does not exist
the client gets the error
kex_exchange_identification: read: Connection reset by peer
What steps will reproduce the bug?
Start ssh with as root.
sudo sshd
Use the following config file:
What is the expected behavior?
No response
System information