David Potterveld
2002-Sep-04 17:24 UTC
uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
As I understand it, the idea behind privsep is to prevent malicious data from the client side of a connection corrupting a server-side process running as root. To achieve that, it is important that post-auth privilege separation happen, i.e., that the sshd process change uid to the (authenticated) user. But it is also true that this very same process can perform root-level work without risk of being compromised as long as this work happens BEFORE it processes network data from the client.

Thus, I think that all the sia stuff and pty allocation should be handled by the forked sshd process while it's still root, and then change to the user before going further. Perhaps you might want to lump all the stuff like this into a routine child_root_sensitive_setup() to make it clear.

The PRIVSEP macro is:

    #define PRIVSEP(x) (use_privsep ? mm_##x : x)

As far as I can tell, this merely calls different routines, depending on use_privsep. I don't see how the user's sshd process can revert to being root. If that were so, then the whole idea of privilege separation is bogus.

David Potterveld
Argonne National Laboratory
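The two points the message makes, that PRIVSEP() only selects between a direct routine and its mm_-prefixed monitor-proxied twin, and that the child must switch to the authenticated user irreversibly after its root-only setup, can be checked with a small stand-alone C program. This is an added example, not code from the message or from OpenSSH; use_privsep, do_allocate_pty, mm_do_allocate_pty and drop_to_user are stand-in names for illustration, and the macro is the one quoted above.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical flag standing in for sshd's use_privsep. */
static int use_privsep = 1;

/* Two stand-in implementations of one operation: the direct one and
 * the monitor-proxied one (mm_ prefix). Neither touches a real pty. */
static const char *do_allocate_pty(void) { return "direct"; }
static const char *mm_do_allocate_pty(void) { return "monitor"; }

/* Same shape as the macro quoted in the message: token pasting picks
 * the mm_ variant when use_privsep is set. It chooses a function;
 * it never changes the process's credentials. */
#define PRIVSEP(x) (use_privsep ? mm_##x : x)

/* Returns which variant the macro dispatched to for the given flag. */
const char *allocate_pty_via_privsep(int privsep_enabled)
{
    use_privsep = privsep_enabled;
    return PRIVSEP(do_allocate_pty)();
}

/* Permanently switch to the authenticated user's uid/gid, as the child
 * should do after its root-only setup, and confirm root cannot be
 * regained. Returns 0 on success, -1 on any failure. */
int drop_to_user(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root; an
     * already unprivileged process skips this step. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: once the uid is gone, setgid would be refused. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verification: after a real drop, setuid(0) must fail with EPERM.
     * A saved-uid of 0 left behind would make this call succeed. */
    if (uid != 0 && (setuid(0) == 0 || errno != EPERM))
        return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

int main(void)
{
    printf("use_privsep=1 -> %s\n", allocate_pty_via_privsep(1));
    printf("use_privsep=0 -> %s\n", allocate_pty_via_privsep(0));
    /* Constructed run: drop to the invoking user's own ids so the
     * program works whether or not it was started as root. */
    int rc = drop_to_user(getuid(), getgid());
    printf("drop_to_user -> %s\n", rc == 0 ? "ok" : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

When started as root, the program's drop_to_user() call can be pointed at an unprivileged uid/gid to see the irreversibility check exercised for real; the setuid(0) probe is the part to keep in any production drop routine, since a failed or partial switch is otherwise silent.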