sandbox pre-auth privsep child

Alex Bligh alex at
Thu Jun 23 01:21:20 EST 2011

--On 22 June 2011 22:53:05 +1000 Damien Miller <djm at> wrote:

> The idea here is to heavily restrict what the network-face pre-auth
> process can do. This was the original intent behind dropping to a
> dedicated uid and chrooting to an empty directory, but even this still
> allows a compromised slave process to make new network connections and
> try to exploit local kernel attack surface

Perhaps not ready for primetime, but at least on Linux have you looked at
CLONE_NEWNET etc.? This generates a child with (essentially) an unconfigured
network stack; the other CLONE_XXX flags may be useful too.

Alex Bligh

More information about the openssh-unix-dev mailing list