Privilege Separation Design Question

Damien Miller djm at
Fri Jun 17 12:08:48 EST 2011

On Thu, 16 Jun 2011, Eric Anderle wrote:

> Hello all,
> I have a question about the design of the privilege separation aspect of
> openSSH. From what I understand, the interface between the privileged
> process and the unprivileged one is implemented as a set of well-defined
> operations with only a small subset of these operations enabled at any
> given time. These operations are enabled and disabled depending on the
> task at hand.
> What I am wondering is why it was chosen to implement privilege
> separation in this fashion, particularly the security implications of
> this design.

The design and motivation of privsep is described in the paper:

Operations are generally only exposed when they are needed to limit the
attack surface of the monitor, enforce correct protocol flow and reduce
the opportunities for a compromised slave to reconnoiter through or
request undesirable state changes of the monitor.

> Also, I would like to know if security would be weakened by allowing a
> slightly larger subset of operations (namely, PWNAM) to be executed at
> any time.

getpwnamallow() is used as a state-changing operation in the monitor,
as it is called right before user authentication starts so you'd have to
untangle that to begin with. 

Why would you want to call it more often? The user name isn't supposed
to change during a session.


More information about the openssh-unix-dev mailing list