README.privsep
Jim Knoble
jmknoble at pobox.com
Tue Jun 25 09:25:24 EST 2002
Circa 2002-Jun-24 09:52:28 -0700 dixit Kevin Steves:
: This is included in the release now; any feedback?
[...]
: When privsep is enabled, during the pre-authentication phase sshd will
: chroot(2) to "/var/empty" and change its privileges to the "sshd" user
: and its primary group. You should do something like the following to
: prepare the privsep preauth environment:
:
: # mkdir /var/empty
: # chown root:sys /var/empty
I would rather say here:
chown 0 /var/empty
chgrp 0 /var/empty
since several systems differ in which group is GID 0 (root, wheel,
sys), and since a few systems differ in the syntax that chown accepts
for specifying both UID and GID together ('chown uid:gid' versus 'chown
uid.gid'). Recommending the above syntax avoids the problem entirely.
: # chmod 755 /var/empty
: # groupadd sshd
: # useradd -g sshd -c 'sshd privsep' -d /var/empty sshd
I'd also recommend '-s /dev/null' here, e.g.:
useradd -g sshd -c 'sshd privsep' -d /var/empty \
-s /dev/null sshd
since '/sbin/nologin' cannot be guaranteed to be present, nor is
'/bin/false' always a binary program (I've seen some cases where it's a
shell script).
[...]
: Privsep requires operating system support for file descriptor passing
: and mmap(MAP_ANON).
:
: PAM-enabled OpenSSH is known to function with privsep on Linux.
Would it be appropriate here to note that setting 'Compression no' in
/etc/sshd_config is necessary on Linux systems with 2.2.x or older
kernels?
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
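As an added illustration of the preparation steps quoted above (example code, not from the mail or from OpenSSH), the following POSIX sh script checks a privsep chroot directory and the sshd account the way an administrator would after running mkdir/chown/chgrp/chmod/useradd. It uses numeric ids and ls -n, so it does not depend on the name of GID 0 or on the chown uid:gid versus uid.gid syntax; the directory path, the passwd file path and the sample passwd entries are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the original mail: check a privsep chroot
# directory and the sshd account against the recommendations above using
# only POSIX tools (ls -n, awk), independent of the local name for GID 0.

# check_privsep_dir DIR [UID] [GID]: the directory must exist, be owned by
# UID:GID (default 0:0), be mode 0755 and be empty. Prints each problem
# found and returns non-zero if there were any.
check_privsep_dir() {
    dir=$1; want_uid=${2:-0}; want_gid=${3:-0}; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # ls -ldn gives numeric ids: "drwxr-xr-x 2 0 0 4096 Jun 24 09:52 /var/empty"
    set -- $(ls -ldn "$dir")
    mode=$1; uid=$3; gid=$4
    [ "$uid" = "$want_uid" ] || { echo "$dir: owner uid $uid, want $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "$dir: group gid $gid, want $want_gid"; rc=1; }
    case $mode in
        drwxr-xr-x*) ;;  # 0755; a trailing + or . (ACL/SELinux marker) is tolerated
        *) echo "$dir: mode $mode, want drwxr-xr-x (0755)"; rc=1 ;;
    esac
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: not empty"; rc=1; }
    return $rc
}

# check_privsep_user PASSWD USER DIR: USER must exist in the passwd(5) file
# PASSWD with home DIR and the /dev/null shell recommended above.
check_privsep_user() {
    pw=$1; user=$2; dir=$3; rc=0
    entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7; exit }' "$pw")
    [ -n "$entry" ] || { echo "$user: no such account in $pw"; return 1; }
    home=${entry%%:*}; shell=${entry#*:}
    [ "$home" = "$dir" ] || { echo "$user: home $home, want $dir"; rc=1; }
    [ "$shell" = /dev/null ] || { echo "$user: shell $shell, want /dev/null"; rc=1; }
    return $rc
}

# demo: run both checks on constructed input (a fresh directory and a two-line
# passwd file); the directory is compared against the caller's own uid/gid
# because an unprivileged user cannot chown it to root.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/empty" && chmod 755 "$tmp/empty"
    printf 'root:x:0:0:root:/root:/bin/sh\nsshd:x:74:74:sshd privsep:/var/empty:/dev/null\n' > "$tmp/passwd"
    rc=0
    check_privsep_dir "$tmp/empty" "$(id -u)" "$(id -g)" || rc=1
    check_privsep_user "$tmp/passwd" sshd /var/empty || rc=1
    rm -rf "$tmp"
    return $rc
}
demo && echo "privsep environment checks passed"
```

On a real host run check_privsep_dir /var/empty (defaults to uid 0, gid 0) and check_privsep_user /etc/passwd sshd /var/empty; any line of output is a deviation from the quoted setup.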