[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Damien Miller djm at mindrot.org
Tue Feb 3 08:07:54 EST 2004

On Mon, 2 Feb 2004, Dean Anderson wrote:

> This doesn't mean the privsep prevented an exploit. If it segfaulted, a 
> little more fuzzing can get shell code to run.  After that, you have at 
> least non-root access, and you have sockets to the privsep processes that 
> have root privilege.
> We know how to escalate non-root processes to root.
> So, the privsep didn't protect anything.  

Get real.

My deadbolt door locks don't stop thieves who smash windows, by your 
logic they "don't protect anything" either.

There is a world of difference between a break in a process running with 
root privileges and a break in an unprivileged, chrooted process. It seems 
that this value is self-evident to everyone but you.

Anyway, you are more than welcome to make your forked version which 
removes security features, but please stop trolling on our lists.


More information about the openssh-unix-dev mailing list