diff options
author | stevesk <stevesk> | 2002-05-13 03:57:04 +0000 |
---|---|---|
committer | stevesk <stevesk> | 2002-05-13 03:57:04 +0000 |
commit | 44eb5e6c726d7c65406a7acef52941130ad281f9 (patch) | |
tree | b9989ea2e987eb2d69d483b1839c0912b7e05e2b /README.privsep | |
parent | cff80be921d7d9c3167b72453d4dfb1e1773f2d5 (diff) | |
download | openssh-44eb5e6c726d7c65406a7acef52941130ad281f9.tar.gz |
- (stevesk) add initial README.privsep
Diffstat (limited to 'README.privsep')
-rw-r--r-- | README.privsep | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/README.privsep b/README.privsep new file mode 100644 index 00000000..4f15cf43 --- /dev/null +++ b/README.privsep @@ -0,0 +1,53 @@ +Privilege separation, or privsep, is an experimental feature in +OpenSSH in which operations that require root privilege are performed +by a separate privileged monitor process. Its purpose is to prevent +privilege escalation by containing corruption to an unprivileged +process. More information is available at: + http://www.citi.umich.edu/u/provos/ssh/privsep.html + +Privilege separation is not enabled by default, and may be enabled by +specifying "UsePrivilegeSeparation yes" in sshd_config; see the +UsePrivilegeSeparation option in sshd(8). + +When privsep is enabled, the pre-authentication sshd process will +chroot(2) to "/var/empty" and change its privileges to the "sshd" user +and its primary group. You should do something like the following to +prepare the privsep preauth environment: + + # mkdir /var/empty + # chown root:sys /var/empty + # chmod 755 /var/empty + # groupadd sshd + # useradd -g sshd sshd + +/var/empty should not contain any files. + +configure supports the following options to change the default +privsep user and chroot directory: + + --with-privsep-path=xxx Path for privilege seperation chroot + --with-privsep-user=user Specify non-privileged user for privilege separation + +Privsep requires operating system support for file descriptor passing +and mmap(MAP_ANON). + +PAM currently only works with privsep on Linux. It does not function +on Solaris or HP-UX. PAMAuthenticationViaKbdInt does not function with +privsep. + +Note that for a normal interactive login with a shell, enabling privsep +will require 1 additional process per login session. + +Given the following process listing (from HP-UX): + + UID PID PPID C STIME TTY TIME COMMAND + root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 + root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] + stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2 + stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash + +process 1005 is the sshd process listening for new connections. +process 6917 is the privileged monitor process, 6919 is the user owned +sshd process and 6921 is the shell process. + +$Id: README.privsep,v 1.1 2002/05/13 03:57:04 stevesk Exp $ |