OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security

Chris Adams cmadams at hiwaay.net
Sat Dec 21 02:51:40 EST 2002


Once upon a time, Darren Tucker <dtucker at zip.com.au> said:
> Ben Lindstrom wrote:
> > No one has successfully shown SIA + Privsep in any configuration.
> 
> Toni Harbaugh-Blackford mentioned earlier that SIA requires root and
> wants to talk to the user on /dev/tty.
> 
> I have a newer version of my previous PAM + privsep patch that fixes the
> controlling tty problem with the earlier patch. I'll post it shortly.
> The same mechanism might be usable for SIA.

The problem is that SIA doesn't just want root and a TTY, it also wants
to be in the user process.  It does things like setting resource limits,
setting the login user (immutable under enhanced security and IIRC audit
modes), and (IIRC) logging stuff for audit (like the process ID).

Pre-auth privsep works just fine on Tru64 (so it should be enabled), but
post-auth won't work right in many/most cases.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
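Added illustration (not part of the thread, and not OpenSSH or SIA code): the message above says SIA wants to run *in the user process* because it does things like setting resource limits. The reason that matters for post-auth privsep is that setrlimit() only affects the calling process (and whatever it later forks), so a limit applied by some other process on the session's behalf never reaches the session. The small program below models that with RLIMIT_NOFILE: in one case a forked child lowers the limit and exits, in the other the process lowers its own limit, and the return values show which of the two is visible to the process that would become the user's session. It is a hypothetical model of the per-process semantics, not the actual OpenSSH monitor/child layout.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current soft RLIMIT_NOFILE of the calling process (0 on error). */
static rlim_t current_nofile_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    return rl.rlim_cur;
}

/* Lower the soft RLIMIT_NOFILE of the calling process to `target`.
 * Only lowering is attempted, so this needs no privilege. */
static int lower_nofile_limit(rlim_t target)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (target > rl.rlim_cur)
        return -1;
    rl.rlim_cur = target;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Pick a target strictly below the current limit, or 0 if none is usable. */
static rlim_t pick_lower_target(void)
{
    rlim_t cur = current_nofile_limit();
    if (cur == RLIM_INFINITY || cur < 2)
        return 0;
    return cur / 2;
}

/* Model A (hypothetical): the limit is applied in a *different* process,
 * here a forked child that exits, the way a separate monitor process
 * applying settings "for" the session would. Returns 1 if the caller's
 * own limit changed, 0 if it did not, -1 on error. */
int limit_applied_in_other_process(void)
{
    rlim_t target = pick_lower_target();
    if (target == 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(lower_nofile_limit(target) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0)
        return -1;
    return current_nofile_limit() == target ? 1 : 0;
}

/* Model B (hypothetical): the limit is applied in the process that will
 * become the user's session itself. Returns 1 if visible, 0 if not,
 * -1 on error. */
int limit_applied_in_same_process(void)
{
    rlim_t target = pick_lower_target();
    if (target == 0)
        return -1;
    if (lower_nofile_limit(target) != 0)
        return -1;
    return current_nofile_limit() == target ? 1 : 0;
}

int main(void)
{
    printf("applied in another process, visible here: %d\n",
           limit_applied_in_other_process());
    printf("applied in this process, visible here:    %d\n",
           limit_applied_in_same_process());
    return 0;
}
```

The first call leaves the caller's limit untouched (the change died with the child), the second lowers it for good; that asymmetry is what forces a resource-limit-setting login module to run in the session process rather than in a separate privileged helper.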