Privilege separation

Dan Yefimov dan at
Wed Oct 29 09:09:29 EST 2003

On Tue, 28 Oct 2003, Ben Lindstrom wrote:

> > > > 	Please consider including the attached patch in the next release. It
> > > > allows one to drop privilege separation code while building openssh by using
> > > > '--disable-privsep' switch of configure script. If one doesn't use privilege
> > > > separation at all, why don't simply allow him to drop privilege separation
> > > > support completely?
> > >
> > > no, this won't happen. you could do this for every runtime option.
> > >
> > Please forgive me my importunity, but your answer seems unclear to me. What
> > exactly could I do for every runtime option? And what's the exact reason for
> > rejecting the patch? It simply introduces yet one configuration option allowing
> > one to not compile code he doesn't want to use anyway and hence reduce the
> > resulting executable size.
> Introduces harder to read code when there was once clean and simple
> pathways.

The resulting code is no more hard to read than current one, and execution 
pathways remain as clean and simple as currently.

> Introduces yet another set of #ifdef that need to be cared for.

Sure. Any other introduced optional feature would do that.

> Introduces yet another switch for someone to screw up and not realize
> they have.

If one doesn't understand any of existing configuration switches, he has two 
options: either not use that switch (leaving the default value), or try to learn 
about what is it for. The help text for switch I'm trying to introduce is IMHO 
quite clear. If one knows nothing about privilege separation at all he just 
won't use that switch, which will enable privilege separation code by default.

> Introduces yet more complexity in a system that is already complex.
> Introduces yet more pathways and configurations to test when testing the
> software.
Looks like you haven't even looked at the patch. In fact, the patch acts as if 
'use_privsep' variable were replaced with a constant zero in the case of 
configuring out privilege separation. What additional pathways, increased 
complexity and additional configurations to test can be talked about in such 
case?! As for configurations to test, if you test configuration where 
'UsePrivsep no' line is present in the sshd_config file, you also test the case 
where privilege separation is configured out. Please note also that every 'if 
(!use_privsep)' statement is surrounded with '#ifndef DISABLE_PRIVSEP', and 
likewise every 'if (use_privsep) { ... }' is surrounded with '#ifndef 
DISABLE_PRIVSEP', so code maintenance is not greatly complexified.

> In general it introduces more headaches and does not "solve" any real
> problems.
It's vain that you have taken 'solve' in quotes and believe that the patch 
doesn't solve any problems. Imagine a little router that is booted from 
diskette or ZIP drive. Every excessive byte of storage taken by an executable is 
important. Using privilege separation in that system doesn't make much sense. So 
the ability to configure out 'dead' code and reduce executable size is important 
in such case. Also many people may believe this feature to be useful.

> Just because one can make another switch does not mean it is a good thing.
Absolutely true.

    Sincerely Your, Dan.

More information about the openssh-unix-dev mailing list