Privilege separation

Dan Yefimov dan at D00M.integrate.com.ru
Wed Oct 29 09:09:29 EST 2003


On Tue, 28 Oct 2003, Ben Lindstrom wrote:

> > > > 	Please consider including the attached patch in the next release. It
> > > > allows one to drop the privilege separation code while building openssh by using
> > > > the '--disable-privsep' switch of the configure script. If one doesn't use privilege
> > > > separation at all, why not simply allow him to drop privilege separation
> > > > support completely?
> > >
> > > no, this won't happen. you could do this for every runtime option.
> > >
> > Please forgive my importunity, but your answer seems unclear to me. What
> > exactly could I do for every runtime option? And what's the exact reason for
> > rejecting the patch? It simply introduces yet another configuration option allowing
> > one to not compile code he doesn't want to use anyway and hence reduce the
> > resulting executable size.
> 
> Introduces harder to read code when there was once clean and simple
> pathways.

The resulting code is no harder to read than the current one, and the execution 
pathways remain as clean and simple as they are now.

> Introduces yet another set of #ifdef that need to be cared for.

Sure. Any other introduced optional feature would do that.

> Introduces yet another switch for someone to screw up and not realize
> they have.

If one doesn't understand any of the existing configuration switches, he has two 
options: either not use that switch (leaving the default value), or try to learn 
what it is for. The help text for the switch I'm trying to introduce is IMHO 
quite clear. If one knows nothing about privilege separation at all he just 
won't use that switch, which will enable the privilege separation code by default.

> Introduces yet more complexity in a system that is already complex.
> Introduces yet more pathways and configurations to test when testing the
> software.
> 
Looks like you haven't even looked at the patch. In fact, the patch acts as if 
the 'use_privsep' variable were replaced with a constant zero in the case of 
configuring out privilege separation. What additional pathways, increased 
complexity and additional configurations to test can be talked about in such a 
case?! As for configurations to test, if you test the configuration where the 
'UsePrivsep no' line is present in the sshd_config file, you also test the case 
where privilege separation is configured out. Please note also that every 'if 
(!use_privsep)' statement is surrounded with '#ifndef DISABLE_PRIVSEP', and 
likewise every 'if (use_privsep) { ... }' is surrounded with '#ifndef 
DISABLE_PRIVSEP', so code maintenance is not made much more complex.

> In general it introduces more headaches and does not "solve" any real
> problems.
> 
It is in vain that you have put 'solve' in quotes and believe that the patch 
doesn't solve any problems. Imagine a little router that is booted from a 
diskette or ZIP drive. Every excess byte of storage taken by an executable is 
important. Using privilege separation on that system doesn't make much sense. So 
the ability to configure out 'dead' code and reduce the executable size is important 
in such a case. Also, many people may find this feature useful.

> Just because one can make another switch does not mean it is a good thing.
> 
Absolutely true.
-- 

    Sincerely Yours, Dan.
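The pattern argued over above, as an added stand-alone illustration (this is not OpenSSH code and not the patch from the thread): a privileged "monitor" forks a worker, the worker sheds root before it touches untrusted input (here a constructed SSH-style banner), and the result comes back over a pipe. A runtime flag plays the role of 'UsePrivsep', and a build-time DISABLE_PRIVSEP define shows the effect the patch describes, namely the runtime flag becoming a constant zero and the fork/drop path falling out of the binary. The uid/gid 65534 and the names privsep_set, handle_banner and parse_banner_major are assumptions of this example.

```c
/* Added example, not OpenSSH code: monitor/worker privilege separation with a
 * compile-time switch that removes the whole mechanism.
 * Build with privsep:    cc -Wall -o privsep_demo privsep_demo.c
 * Build it out:          cc -Wall -DDISABLE_PRIVSEP -o privsep_demo privsep_demo.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define UNPRIV_UID 65534   /* assumption: "nobody" on the demo host */
#define UNPRIV_GID 65534

/* Runtime option, in the role of 'UsePrivsep' in sshd_config. When the
 * feature is configured out it is a constant zero, so every guarded branch
 * is dead code and the compiler drops it. */
#ifndef DISABLE_PRIVSEP
static int use_privsep = 1;
#else
static const int use_privsep = 0;
#endif

void privsep_set(int on) {
#ifndef DISABLE_PRIVSEP
    use_privsep = on;
#else
    (void)on;
#endif
}

/* The untrusted work: pull the protocol major version out of a banner such
 * as "SSH-2.0-...". Returns -1 on malformed input. */
int parse_banner_major(const char *banner) {
    if (strncmp(banner, "SSH-", 4) != 0) return -1;
    char *end;
    long v = strtol(banner + 4, &end, 10);
    if (end == banner + 4 || *end != '.' || v < 0 || v > 99) return -1;
    return (int)v;
}

/* Drop to the unprivileged uid/gid. Only meaningful when started as root;
 * an already unprivileged process has nothing to drop. Fails closed: if the
 * drop cannot be verified, report failure rather than parse as root. */
static int drop_privs(void) {
    if (geteuid() != 0) return 0;
    if (setgid(UNPRIV_GID) != 0) return -1;
    if (setuid(UNPRIV_UID) != 0) return -1;
    if (setuid(0) == 0) return -1;      /* drop must not be reversible */
    return 0;
}

struct privsep_result {
    int major;        /* parsed major version, -1 on failure */
    int worker_uid;   /* uid the parse actually ran under, -1 on failure */
    int forked;       /* 1 if a separate unprivileged worker was used */
};

struct privsep_result handle_banner(const char *banner) {
    struct privsep_result r = { -1, -1, 0 };
#ifndef DISABLE_PRIVSEP
    if (use_privsep) {
        int fd[2];
        if (pipe(fd) != 0) return r;
        pid_t pid = fork();
        if (pid < 0) { close(fd[0]); close(fd[1]); return r; }
        if (pid == 0) {
            /* worker: shed privileges first, only then look at the input */
            close(fd[0]);
            if (drop_privs() != 0) _exit(3);
            int msg[2] = { parse_banner_major(banner), (int)getuid() };
            if (write(fd[1], msg, sizeof msg) != (ssize_t)sizeof msg) _exit(2);
            _exit(0);
        }
        /* monitor: keeps its privileges, trusts only a fixed-size reply */
        close(fd[1]);
        int msg[2];
        ssize_t n = read(fd[0], msg, sizeof msg);
        close(fd[0]);
        int status;
        waitpid(pid, &status, 0);
        if (n == (ssize_t)sizeof msg && WIFEXITED(status) && WEXITSTATUS(status) == 0) {
            r.major = msg[0];
            r.worker_uid = msg[1];
            r.forked = 1;
        }
        return r;
    }
#endif
    /* 'UsePrivsep no', or compiled out: parse in the privileged process */
    r.major = parse_banner_major(banner);
    r.worker_uid = (int)getuid();
    return r;
}

int main(void) {
    const char *banner = "SSH-2.0-demo_client";   /* constructed sample input */
    struct privsep_result r = handle_banner(banner);
    printf("major=%d worker_uid=%d forked=%d monitor_uid=%d\n",
           r.major, r.worker_uid, r.forked, (int)getuid());
    return r.major == 2 ? 0 : 1;
}
```

Run as root, the forked line shows worker_uid=65534 next to monitor_uid=0; run as an ordinary user the worker reports the same uid as the monitor, which is the point Dan makes about the router: where the daemon never runs as root to begin with, the fork buys nothing, and the -DDISABLE_PRIVSEP build produces the same answer with the fork, pipe and drop code absent from the binary.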




More information about the openssh-unix-dev mailing list