preauth privsep logging via monitor
Damien Miller
djm at mindrot.org
Tue Jun 21 19:52:32 EST 2011

On Mon, 20 Jun 2011, Corinna Vinschen wrote:
> On Jun 20 14:58, Damien Miller wrote:
> > On Thu, 2 Jun 2011, Damien Miller wrote:
> >
> > > Hi,
> > >
> > > This diff (for portable) makes the chrooted preauth privsep process
> > > log via the monitor using a shared socketpair. It removes the need
> > > for /dev/log inside /var/empty and makes mandatory sandboxing of the
> > > privsep child easier down the road (no more socket() syscall required).
> >
> > FYI this has been committed and will be in the 20110621 snapshot. I
> > never received any test reports for users of portable OpenSSH, so please
> > give a snapshot a try and report back.
>
> I was on vacation when you asked for testing the first time, so I tested
> now. I tried from CVS, and it still builds and works fine on Cygwin.
>
> When you say "mandatory sandboxing of the privsep child", this hopefully
> doesn't imply that running the privsep child becomes mandatory, too.

I mean "mandatory" in the sense of Mandatory Access Control, not that privsep
itself would be mandatory :)

> This would break running ssh on Cygwin which still lacks descriptor passing
> via sendmsg/recvmsg.
>
> Out of curiosity, do you see a way to implement the privsep child
> without the need for descriptor passing? Maybe by passing the data over
> the socket instead of by passing the descriptor to the data?

That's possible but would add a bit of complexity to the monitor - right
now it operates synchronously on two fds, but if it were to process
network traffic too then it would need a non-blocking mainloop of its own.

-d
More information about the openssh-unix-dev
mailing list
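
The arrangement described in the quoted announcement, sketched as an added example (not code from the OpenSSH diff or its authors): a child that only write()s to one end of a socketpair, and a monitor that reads framed log records from the other end and bounds the length it is told to read. The frame layout, the function names and the sample messages are assumptions made for illustration.

```c
/* Added example, not OpenSSH source. Assumed frame: u32 BE length, u8 level, text. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_MSG 1024

/* Child side: only write() on an inherited fd; no socket(), no /dev/log in the chroot. */
static int child_log(int fd, uint8_t level, const char *msg) {
    uint32_t mlen = (uint32_t)strlen(msg), be = htonl(mlen);
    if (mlen > MAX_MSG) return -1;
    return (write(fd, &be, 4) == 4 && write(fd, &level, 1) == 1 &&
            write(fd, msg, mlen) == (ssize_t)mlen) ? 0 : -1;
}
/* Monitor side: the child is untrusted, so bound the length before reading. */
static int monitor_read_log(int fd, uint8_t *level, char *msg, size_t msgsz) {
    uint32_t len;
    if (recv(fd, &len, 4, MSG_WAITALL) != 4) return -1;   /* EOF or error */
    len = ntohl(len);
    if (len > MAX_MSG || len >= msgsz) return -1;
    if (recv(fd, level, 1, MSG_WAITALL) != 1) return -1;
    if (recv(fd, msg, len, MSG_WAITALL) != (ssize_t)len) return -1;
    msg[len] = '\0';
    return 0;
}
int relay_demo(char *out, size_t outsz) {
    int sv[2], n = 0;
    uint8_t level;
    char msg[MAX_MSG + 1];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {   /* stand-in child, constructed messages; a real one chroots first */
        close(sv[0]);
        child_log(sv[1], 6, "connection from peer");
        child_log(sv[1], 3, "bad protocol version");
        _exit(0);
    }
    close(sv[1]);     /* parent keeps one end; EOF arrives when the child exits */
    for (out[0] = '\0'; monitor_read_log(sv[0], &level, msg, sizeof msg) == 0; n++) {
        size_t used = strlen(out);
        snprintf(out + used, outsz - used, "child <%u> %s\n", (unsigned)level, msg);
    }
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return n;
}
```

The monitor here does a blocking read on a single descriptor, which matches the synchronous style the reply describes; relaying network traffic the same way is what would require a non-blocking loop.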