OSEC

From: Vincent Danen (vdanenmandrakesoft.com)
Date: Tue Jun 25 2002 - 10:19:32 CDT


    On Tue Jun 25, 2002 at 05:11:54PM +0200, Denis HAVLIK wrote:

    > + I'm not sure if 3.1 has privsep support, but if it does, it probably
    > + isn't as clean as the privsep code in 3.3. In short, unless you have
    >
    > What's this privsep anyway?

    privsep is a really awesome feature. It needs a little more refining,
    but it's very slick... all services should use a similar feature.

    Basically, what it does is launch sshd as root just to bind to the
    network interface (ie. port 22). For each connection, sshd launches a
    child process that runs as an unprivileged user (the new sshd account
    added by the update), which is chrooted into an empty directory
    (/var/empty/sshd). This child does the authentication of the user on
    the system. Once authentication is done, another child is launched
    that runs as the user who logged in.

    In other words, sshd no longer has to be setuid root (good). About
    10% of the code in sshd now runs as root; the rest runs as sshd or
    your uid, also good. This means if there are any holes in the code
    (which there are, otherwise this mess wouldn't have happened so
    quickly), the risk will be minimized. In theory, you should never
    have a remote root hole in openssh ever again. If someone does manage
    to break in, they are stuck with sshd privs in a chroot jail. Or,
    worst case scenario, they may be able to get user privs if they can
    get past the authentication.

    Like I said, very cool feature and one that all daemons should have. =)

    -- 
    MandrakeSoft Security; http://www.mandrakesecure.net/
    "lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
    1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD
    

    Current Linux kernel 2.4.18-6.10mdk uptime: 17 days 11 hours 30 minutes.

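The unprivileged child described in the message above, as an added example that is neither OpenSSH's code nor the poster's: a C helper that enters the empty chroot, drops to the sshd account and checks that root cannot be regained, followed by a sketch of the root listener forking it. The jail path /var/empty/sshd and the sshd account come from the message; privsep_drop, the getpwnam lookup and the fork sketch are assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical helper (not OpenSSH's): what the per-connection child
 * does before reading any untrusted input. Order matters: chroot while
 * still root, chdir("/") so the cwd is inside the jail, then groups,
 * gid, uid (after the uid drop the earlier calls would fail). jail may
 * be NULL to skip the chroot, e.g. when exercising this as non-root. */
int privsep_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (jail != NULL) {
        if (chroot(jail) == -1 || chdir("/") == -1) return -1;
    }
    /* Only root may change supplementary groups; a non-root caller
     * has no way to pick any up, so skipping is safe there. */
    if (geteuid() == 0 && setgroups(0, NULL) == -1) return -1;
    if (setresgid(gid, gid, gid) == -1) return -1;
    if (setresuid(uid, uid, uid) == -1) return -1;
    /* The drop must be irrevocable: regaining root has to fail now. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Sketch of the root listener: it keeps root only to accept
 * connections and forks a child that jails itself at once. */
int main(void)
{
    struct passwd *pw = getpwnam("sshd"); /* account added by the update */
    if (pw == NULL) { fputs("no sshd account\n", stderr); return 1; }
    pid_t pid = fork();
    if (pid == -1) { perror("fork"); return 1; }
    if (pid == 0) {
        if (privsep_drop("/var/empty/sshd", pw->pw_uid, pw->pw_gid) == -1) {
            perror("privsep_drop");
            _exit(1);
        }
        /* ... authenticate the peer here with sshd privileges only ... */
        _exit(0);
    }
    return 0; /* parent would loop back to accept() */
}
```

If any step fails the child must exit rather than continue, since a child that parses the protocol with root or an outside-the-jail cwd is exactly the exposure privsep exists to remove.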