Privilege Separation Design Question

Eric Anderle eanderle at umich.edu
Fri Jun 17 05:28:03 EST 2011


Hello all,

I have a question about the design of the privilege separation aspect of
OpenSSH. From what I understand, the interface between the privileged
process and the unprivileged one is implemented as a set of well-defined
operations with only a small subset of these operations enabled at any
given time. These operations are enabled and disabled depending on the
task at hand.

What I am wondering is why it was chosen to implement privilege
separation in this fashion, particularly the security implications of
this design. Also, I would like to know if security would be weakened by
allowing a slightly larger subset of operations (namely, PWNAM) to be
executed at any time.

Thank you in advance for your help, and please respond to my email
address (eanderle at umich.edu) and CC all addresses CC'd here.

Eric
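The mechanism the message describes, a privileged monitor that serves a fixed table of request types and toggles which of them the unprivileged child may issue as the connection moves from one phase to the next, can be shown in a few dozen lines. The following is an added example written for this page, a toy model of that pattern; it is not OpenSSH's monitor.c, and the request names (REQ_PWNAM and so on), flag names and handlers are illustrative stand-ins, with the "user database" being constructed sample data in place of getpwnam(). The one thing it carries over from the real design is the rule that a request not permitted in the current state is refused outright (OpenSSH's monitor treats that as fatal); here it is counted instead so the two variants the question contrasts, a lookup permitted only during authentication versus one permitted for the whole connection, can be compared.

```c
#include <stdio.h>
#include <string.h>

/* Request types the unprivileged process can ask the privileged monitor to
 * perform on its behalf. The names mirror the kind of operations the question
 * refers to (a getpwnam() lookup, a password check, signing, pty allocation);
 * they are illustrative, not OpenSSH's own enum values. */
enum req_type { REQ_PWNAM = 0, REQ_AUTHPASSWORD, REQ_SIGN, REQ_PTY, REQ_COUNT };

/* Per-entry flags: PERMIT = currently allowed; ONCE = allowed for a single
 * request, after which the monitor revokes it by itself. */
#define F_PERMIT 0x01
#define F_ONCE   0x02

typedef int (*req_handler)(const char *arg, char *out, size_t outlen);

struct mon_entry { int flags; req_handler handler; };

struct monitor {
    struct mon_entry table[REQ_COUNT];
    unsigned long rejected;  /* unpermitted requests seen so far */
};

/* Handlers. The user "database" is constructed sample data standing in for
 * the real getpwnam(); the others only report what they would have done. */
static int h_pwnam(const char *user, char *out, size_t n) {
    static const char *const known[] = { "alice", "bob" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(user, known[i]) == 0) {
            snprintf(out, n, "uid=%zu", 1000 + i);
            return 1;
        }
    snprintf(out, n, "no such user");
    return 0;
}
static int h_authpassword(const char *a, char *o, size_t n) { (void)a; snprintf(o, n, "auth-result"); return 1; }
static int h_sign(const char *a, char *o, size_t n)         { (void)a; snprintf(o, n, "signature");   return 1; }
static int h_pty(const char *a, char *o, size_t n)          { (void)a; snprintf(o, n, "pty");         return 1; }

static void monitor_init(struct monitor *m) {
    memset(m, 0, sizeof *m);          /* nothing is permitted until enabled */
    m->table[REQ_PWNAM].handler        = h_pwnam;
    m->table[REQ_AUTHPASSWORD].handler = h_authpassword;
    m->table[REQ_SIGN].handler         = h_sign;
    m->table[REQ_PTY].handler          = h_pty;
}

/* The monitor's own state machine calls this as the connection advances,
 * widening or narrowing the set of requests the child may issue. */
static void monitor_permit(struct monitor *m, int t, int flags) {
    m->table[t].flags = flags;
}

/* Dispatch one request from the unprivileged side. Returns 1 if it was
 * handled, 0 if refused because it is not permitted in the current state.
 * A real monitor would treat the refused case as fatal: it can only come
 * from a bug or from a child that has been taken over. */
static int monitor_dispatch(struct monitor *m, int t, const char *arg, char *out, size_t n) {
    if (t < 0 || t >= REQ_COUNT || !(m->table[t].flags & F_PERMIT)) {
        m->rejected++;
        snprintf(out, n, "unpermitted request %d", t);
        return 0;
    }
    if (m->table[t].flags & F_ONCE)   /* one-shot: revoke before answering */
        m->table[t].flags &= ~F_PERMIT;
    return m->table[t].handler(arg, out, n);
}

/* Walk a connection through its phases. With pwnam_always == 0 the lookup is
 * permitted once, during authentication only (the strict table). With
 * pwnam_always == 1 it stays permitted for the whole connection (the
 * relaxation the question asks about). Returns how many requests the monitor
 * refused; *late_lookup_ok records whether a lookup after auth was served. */
static unsigned long run_connection(int pwnam_always, int *late_lookup_ok) {
    struct monitor m; char buf[64];
    monitor_init(&m);

    /* Phase 1: pre-auth. The child needs one user lookup and a password check. */
    monitor_permit(&m, REQ_PWNAM, pwnam_always ? F_PERMIT : (F_PERMIT | F_ONCE));
    monitor_permit(&m, REQ_AUTHPASSWORD, F_PERMIT);
    monitor_dispatch(&m, REQ_PWNAM, "alice", buf, sizeof buf);       /* served */
    monitor_dispatch(&m, REQ_SIGN, "", buf, sizeof buf);              /* refused: wrong phase */
    monitor_dispatch(&m, REQ_AUTHPASSWORD, "secret", buf, sizeof buf);

    /* Phase 2: authenticated. Narrow back down, then enable session requests. */
    monitor_permit(&m, REQ_AUTHPASSWORD, 0);
    monitor_permit(&m, REQ_PTY, F_PERMIT);
    monitor_dispatch(&m, REQ_PTY, "", buf, sizeof buf);               /* served */
    monitor_dispatch(&m, REQ_AUTHPASSWORD, "again", buf, sizeof buf); /* refused */

    /* A lookup after auth: refused under the strict table, answered under the
     * relaxed one. This is the only observable difference between the two. */
    *late_lookup_ok = monitor_dispatch(&m, REQ_PWNAM, "bob", buf, sizeof buf);
    return m.rejected;
}

int main(void) {
    int late;
    unsigned long refused = run_connection(0, &late);
    printf("strict:  refused=%lu late-lookup=%d\n", refused, late);
    refused = run_connection(1, &late);
    printf("relaxed: refused=%lu late-lookup=%d\n", refused, late);
    return 0;
}
```

Under the strict table the post-authentication lookup is refused and counted, so a child that asks for it is exposed as misbehaving; under the relaxed table the same request is simply answered. That is the mechanical difference behind the question: each operation the child may issue at any time is one the privileged side will perform for it even after the child's state has been subverted, so the smaller the permitted set in each phase, the less a compromised child can obtain and the sooner a deviation from the expected sequence is noticed.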


More information about the openssh-unix-dev mailing list