[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Damien Miller
djm at mindrot.org
Tue Feb 3 08:07:54 EST 2004
On Mon, 2 Feb 2004, Dean Anderson wrote:
> This doesn't mean the privsep prevented an exploit. If it segfaulted, a
> little more fuzzing can get shell code to run. After that, you have at
> least non-root access, and you have sockets to the privsep processes that
> have root privilege.
>
> We know how to escalate non-root processes to root.
>
> So, the privsep didn't protect anything.
Get real.
My deadbolt door locks don't stop thieves who smash windows, by your
logic they "don't protect anything" either.
There is a world of difference between a break in a process running with
root privileges and a break in an unprivileged, chrooted process. It seems
that this value is self-evident to everyone but you.
Anyway, you are more than welcome to make your forked version which
removes security features, but please stop trolling on our lists.
-d
More information about the openssh-unix-dev
mailing list