privsep no user fatal message
Michael Tokarev
mjt at tls.msk.ru
Sat Apr 20 23:11:15 EST 2002
Pekka Savola wrote:
>
> Hello,
>
> I updated the latest snapshot as RPM's to two of my systems. Basic stuff
> seems to be working ok.
>
> Privilege separation failed though, possibly because I didn't populate
> /var/empty with PAM entries. Privsep might be a bit raw in any case, at
> least for the portable.
Hmm... /var/empty is just this -- empty. It shouldn't be populated with
anything. Or else, if ssh requires some files in it's chroot, the chroot
jail should be separate, private to ssh directory. Anyway, putting PAM
files into chroot jail seems to be unreasonable at least -- having security-
related configs in jail is wrong. I don't know how privsep currently works,
but IMHO lowpriv process should NOT touch ANY system file(s) at all, all
auth (including PAM) stuff belongs to privileged process anyway.
Regards,
Michael.
More information about the openssh-unix-dev
mailing list