Fwd: privsep in ssh

Russell Coker russell at coker.com.au
Mon Sep 22 16:33:29 EST 2003

On Mon, 22 Sep 2003 15:55, Damien Miller wrote:
> > > 1) in autoconf as appropriate.
> > >
> > > Comments?
> >
> > Sounds reasonable to me.
> How can we unambiguously identify SELinux at ./configure time? Does it
> return a different platform string?

Detecting SE Linux at ./configure time is wrong.  Using a non-SE machine to 
compile programs for a SE machine (or the other way around) is quite common.

We can detect SE Linux at run time, but there seems little point in that.  The 
issue of privsep for root doesn't seem to add enough cost to make it worth 
such efforts to avoid it.

Having an option for ./configure that a distribution vendor can use to 
determine this is reasonable.  But I'm still in favour of just using a flag 
in sshd_config to determine whether privsep should be used.  I think that if 
the sshd_config says to use privsep then it should be used regardless of what 
user you are logging in as or the OS that's running on the machine.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

More information about the openssh-unix-dev mailing list