OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security

Chris Adams cmadams at hiwaay.net
Sun Dec 22 09:42:32 EST 2002


Once upon a time, Darren Tucker <dtucker at zip.com.au> said:
> Chris Adams wrote:
> > The problem is that SIA doesn't just want root and a TTY, it also wants
> > to be in the user process.  It does things like setting resource limits,
> > setting the login user (immutable under enhanced security and IIRC audit
> > modes), and (IIRC) logging stuff for audit (like the process ID).
> 
> Ah, OK. Obviously no amount of futzing around with another process
> running as root will help in that case.
> 
> Forget I mentioned it.

No problem.

In theory, it would be possible to recreate the steps that the SIA calls
do, but then you are tied to a particular SIA interface.  SIA is sort of
like PAM, an abstracted interface that loads modules to do the work.
There are base (BSD) security, enhanced (C2) security, and audit modules
included with the base OS, and LDAP is available as an add on, plus you
can program your own.

I was going to download the current snapshot to update my SIA minor
cleanup patch (disables post-auth privsep for SIA so at least pre-auth
privsep works, takes out a couple of unnecessary things, makes
everything follow the coding guidelines that I didn't read before
submitting), but the latest snapshot on the FTP site is from 1 Nov, and
I was prompted for a password from the CVS tree.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



More information about the openssh-unix-dev mailing list