uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)

David Potterveld POTTERVELD at ANLMEP.PHY.ANL.GOV
Thu Sep 5 03:24:54 EST 2002


As I understand it, the idea behind privsep is to prevent malicious data from
the client-side of a connection corrupting a server-side process running as
root. To achieve that, it is important that post-auth privilege separation
happen, i.e., that the sshd process change uid to the (authenticated) user.
But it is also true that this very same process can perform root-level work
without risk of being compromised as long as this work happens BEFORE
it processes network data from the client. Thus, I think that all the sia
stuff and pty allocation should be handled by the forked sshd process while
it's still root, and then change to the user before going further.

Perhaps you might want to lump all the stuff like this into a routine
child_root_sensitive_setup() to make it clear.

The PRIVSEP macro is:
#define PRIVSEP(x)      (use_privsep ? mm_##x : x)

As far as I can tell, this merely calls different routines, depending on
use_privsep. I don't see how the user's sshd process can revert to being root.
If that were so, then the whole idea of privilege separation is bogus.

David Potterveld
Argonne National Laboratory
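The ordering the post argues for (root-only setup first, then an irrevocable change to the authenticated user's uid before any further client data is read) can be shown in a few lines of C. This is an added example, not code from OpenSSH or from the poster: the `use_privsep` flag, the `pty_allocate`/`mm_pty_allocate` stand-ins and the hypothetical `post_auth_transition()` routine are assumptions made here, and only the `PRIVSEP` macro itself is taken from the post. Note that the macro pastes `mm_` onto the first token of its argument, so `PRIVSEP(pty_allocate())` expands to a call of the monitor-proxied variant; it never grants the unprivileged process a way back to root.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirrors sshd's use_privsep flag (assumed here, not OpenSSH's variable). */
static int use_privsep = 1;

/* Stand-ins for a root-sensitive step: the direct version would open a
 * pty as root, the mm_ version would ask the privileged monitor instead.
 * Both are constructed for this example and just return a tag value. */
static int pty_allocate(void)    { return 1; }
static int mm_pty_allocate(void) { return 2; }

/* The macro quoted in the post: selects mm_x or x at the call site. */
#define PRIVSEP(x)      (use_privsep ? mm_##x : x)

/* Irrevocably drop to uid/gid. Order matters: supplementary groups and
 * the gid must go while we are still root, because once the uid is
 * non-zero, setgroups()/setgid() are no longer permitted. Returns 0 on
 * success, -1 on failure (errno set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)   /* as root this sets real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)   /* as root this sets real, effective and saved uid */
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

/* 1 if the process can still become root, 0 if the drop is permanent.
 * After a correct drop both attempts must fail with EPERM. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    if (seteuid(0) == 0 || setuid(0) == 0)
        return 1;
    return 0;
}

/* Hypothetical post-auth sequence for the forked per-connection sshd:
 * do the root-sensitive work, then change uid, then (and only then)
 * go on to process client data. Returns the pty tag on success, -1 if
 * the uid change failed or turned out to be reversible. */
int post_auth_transition(uid_t uid, gid_t gid)
{
    int pty = PRIVSEP(pty_allocate());   /* expands to mm_pty_allocate() */
    if (drop_privileges(uid, gid) != 0)
        return -1;
    if (can_regain_root())
        return -1;                        /* never proceed while re-escalation is possible */
    return pty;
}

/* Picks a target identity that works whether or not the caller is root:
 * an unprivileged caller "drops" to itself, a root caller to uid/gid
 * 65534 (a constructed choice, commonly 'nobody'). */
int run_demo(void)
{
    uid_t uid = (geteuid() == 0) ? (uid_t)65534 : getuid();
    gid_t gid = (getegid() == 0) ? (gid_t)65534 : getgid();
    return post_auth_transition(uid, gid);
}

int main(void)
{
    int r = run_demo();
    printf("post_auth_transition -> %d, uid now %ld, can regain root: %d\n",
           r, (long)getuid(), can_regain_root());
    return r < 0 ? 1 : 0;
}
```

The check in `can_regain_root()` is the one a reviewer would want after any uid transition: a process that dropped only its effective uid (via `seteuid`) keeps a saved uid of 0 and can simply call `seteuid(0)` again, which is exactly the reversal the post says privilege separation must make impossible.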
