Upcoming OpenSSH vulnerability

Phil Howard phil-openssh-unix-dev at ipal.net
Wed Jun 26 19:56:31 EST 2002


On Wed, Jun 26, 2002 at 11:44:59AM +0200, Corinna Vinschen wrote:

| It's not privilege separation since that doesn't have to be ported.  It's
| the OS dependent concepts used by privilege separation.  Regardless
| of what you or I are thinking about the different concepts of Windows
| and POSIX systems, it's (not only) Cygwin's problem to get the POSIX
| concepts working on a platform which is pretty different.  E.g. the
| concept of descriptor passing.  It's known on Windows systems and it's
| probably no problem to get that working on systems which are lacking
| any security concept (9x/Me).  It is a problem, though, to fit the
| Windows concept of handle passing into the POSIX concept of descriptor
| passing using sendmsg/recvmsg.  The problem is that the Windows concept
| requires the involved processes to have knowledge and permissions
| on each other, which is something hidden in the kernel on POSIX systems.
| Again, this isn't a question of good or bad, correct or incorrect, it's
| just a question of being different.  In this case, the differences are
| so that we still don't have an implementation of descriptor passing
| using sendmsg/recvmsg in Cygwin.  That's unfortunate and we're working
| on that (still discussing the best way to do it) but you won't change
| that in a minute.
| 
| Another concept is chroot.  This isn't known at all on Windows
| systems.  So our implementation is just a fake.  But due to that
| restriction in the underlying OS *we depend on* we have no other
| way to accomplish a chroot.
| 
| So what?  Do you just shrug and disallow Windows users the usage of
| sshd since you don't like the concept of the OS?  I'd find this
| attitude somewhat ignorant but I still hope that you actually don't
| mean it that way.

In the interim, Windows users might be stuck with whatever level of
security would have existed had Privilege Separation not been created.  Maybe a
direction to pursue is to not implement exactly what is done in POSIX
(since clearly if this is the case, Cygwin isn't completely POSIX),
but to implement something that isolates a process as much as can be
done within Windows.  Maybe that's a daemon running somewhere to do
the tasks, instead of a child in chroot.  And maybe instead of doing
descriptor passing, the process can just stay and shuffle data between
descriptors for now.

As for changing things in a minute, I don't see that as having been
necessary.  Privilege Separation has been in OpenSSH for a couple of
months or so as beta.  My understanding of beta is that it serves not only as
an opportunity to find bugs early, but for developers (those who are
porting OpenSSH to others than OpenBSD) to have a head start on the
task of porting and making decisions.

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------
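The POSIX descriptor passing that the quoted message contrasts with Windows handle passing, as an added illustration that is not part of this thread or of OpenSSH: a descriptor is sent as SCM_RIGHTS ancillary data over a UNIX-domain socket, and the kernel installs a duplicate in the receiver's table without either process needing any handle on the other. The function names send_fd, recv_fd and demo_pass_fd are the example's own; the demo passes /dev/null across a socketpair within one process and checks that both descriptors name the same open file.

```c
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/stat.h>
/* Send one open descriptor over a UNIX-domain socket with SCM_RIGHTS.  The kernel
 * duplicates it into the receiver's table; the sender needs no rights over the peer. */
int send_fd(int sock, int fd) {
    char dummy = 'F';  /* at least one byte of ordinary data must accompany the fd */
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { 0 };
    memset(&u, 0, sizeof u);  /* zero the padding CMSG_SPACE adds beyond CMSG_LEN */
    msg.msg_iov = &iov;  msg.msg_iovlen = 1;
    msg.msg_control = u.buf;  msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive a descriptor; returns the new fd, or -1 if the message carried none. */
int recv_fd(int sock) {
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov;  msg.msg_iovlen = 1;
    msg.msg_control = u.buf;  msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);  /* NULL when no ancillary data arrived */
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS
        || cmsg->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd;  memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}
/* Pass /dev/null across a socketpair and confirm the received descriptor refers to
 * the same open file (same device and inode).  Returns 1 on success, 0 otherwise. */
int demo_pass_fd(void) {
    int sv[2], fd, got;  struct stat a, b;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    if ((fd = open("/dev/null", O_RDONLY)) < 0 || send_fd(sv[0], fd) != 0) return 0;
    if ((got = recv_fd(sv[1])) < 0) return 0;
    int same = fstat(fd, &a) == 0 && fstat(got, &b) == 0 && got != fd
               && a.st_dev == b.st_dev && a.st_ino == b.st_ino;
    close(fd); close(got); close(sv[0]); close(sv[1]);
    return same;
}
```

In a privilege-separated daemon the receiving end would be the unprivileged child rather than the same process, but the system calls are identical.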
