deprecation of UsePrivilegeSeparation breaks container use cases

Aleksandar Kostadinov akostadinov at gmail.com
Mon Aug 7 05:44:26 AEST 2017


Hello,

there are emerging container services that restrict regular users to
launching containers under some random uid for security reasons. If such
a user needs sshd in their container, they need to turn off
`UsePrivilegeSeparation` so that sshd is executed as the current uid
and not `root`.

I understand that privilege separation [1] is more than changing the
process uid. On the other hand, it is unreasonable to expect
administrators to let regular users execute privileged code of any
sort. If they do so, this would compromise security of all other
users.

And I can't see how privilege separation can work without giving
regular users elevated privileges of some sort. Especially giving
users `chroot` privileges would be highly dangerous.

Unfortunately I see that in 7.5 the privilege separation option is
being deprecated [2]. Other users have raised concerns earlier [3][4]
but I don't find much explanation why they were not taken into
account.

I think it will be beneficial for a lot of users to keep the option
present. Container users are becoming more numerous every day, thus IMO
container use cases need to be very well covered.

Do you have other ideas for how container use cases can be covered in the
future without giving the users dangerous privileges?

Thank you,
Aleksandar

[1] http://www.citi.umich.edu/u/provos/ssh/privsep.html
[2] https://www.openssh.com/txt/release-7.5
[3] https://news.ycombinator.com/item?id=13213174
[4] https://lwn.net/Articles/717553/
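As an added example that is not part of the original post or of OpenSSH's own tooling, the script below shows the configuration the first paragraph refers to: an sshd_config with `UsePrivilegeSeparation no` and every path relocated to a directory the unprivileged uid can write, plus a pre-flight check for the conditions a non-root sshd needs (an unprivileged port, writable HostKey and PidFile locations, privilege separation off). The directory layout and port number are assumptions. It applies only to OpenSSH releases that still honour the option, and a daemon started this way can only authenticate logins to the uid it runs as, which must resolve to a name in the passwd database.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH: build a
# minimal sshd_config that lets sshd run as the invoking (non-root, possibly
# random) uid on OpenSSH versions that still honour UsePrivilegeSeparation,
# and pre-flight-check such a config. All paths are assumptions for the example.

# write_unpriv_sshd_config DIR PORT
# Every path points into DIR (writable by us); PORT must be >1023 since an
# unprivileged process cannot bind a privileged port. Prints the config path.
write_unpriv_sshd_config() {
  dir=$1
  port=$2
  mkdir -p "$dir"
  cat > "$dir/sshd_config" <<EOF
Port $port
ListenAddress 0.0.0.0
HostKey $dir/ssh_host_ed25519_key
PidFile $dir/sshd.pid
AuthorizedKeysFile $dir/authorized_keys
# Pre-7.5 only: keep the whole daemon under the invoking uid instead of
# forking a root monitor plus a chrooted, unprivileged child.
UsePrivilegeSeparation no
# Without root there is no setuid, so only the invoking account can log in.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
# Home/key ownership in a random-uid container rarely matches what
# StrictModes expects.
StrictModes no
EOF
  printf '%s\n' "$dir/sshd_config"
}

# config_value FILE KEYWORD: first value of a keyword (keyword case-insensitive).
config_value() {
  awk -v k="$2" 'tolower($1)==k {print $2; exit}' "$1"
}

# check_unpriv_sshd_config FILE
# Returns 0 if a non-root sshd could start with FILE, 1 otherwise; prints
# each requirement that is violated.
check_unpriv_sshd_config() {
  f=$1
  rc=0
  port=$(config_value "$f" port)
  case $port in
    ''|*[!0-9]*) echo "Port must be a number >1023 for a non-root sshd"; rc=1 ;;
    *) [ "$port" -gt 1023 ] || { echo "Port $port needs root to bind"; rc=1; } ;;
  esac
  psep=$(config_value "$f" useprivilegeseparation)
  [ "$(printf %s "$psep" | tr A-Z a-z)" = no ] \
    || { echo "UsePrivilegeSeparation must be 'no' (otherwise sshd chroots/setuids)"; rc=1; }
  for key in hostkey pidfile; do
    p=$(config_value "$f" "$key")
    [ -n "$p" ] && [ -w "$(dirname "$p")" ] \
      || { echo "$key must point into a directory writable by uid $(id -u)"; rc=1; }
  done
  return $rc
}

# start_unpriv_sshd CONFIG: generate the host key named in CONFIG if missing,
# then run sshd in the foreground, logging to stderr. Not invoked by the check
# functions above; needs ssh-keygen and sshd on PATH.
start_unpriv_sshd() {
  key=$(config_value "$1" hostkey)
  [ -f "$key" ] || ssh-keygen -q -t ed25519 -N '' -f "$key"
  # sshd insists on being started via an absolute path (it re-execs itself).
  exec "$(command -v sshd)" -D -e -f "$1"
}
```

To try it: `cfg=$(write_unpriv_sshd_config "$HOME/sshd" 2222)`, put a public key into `$HOME/sshd/authorized_keys`, run `check_unpriv_sshd_config "$cfg"` and then `start_unpriv_sshd "$cfg"`, and connect with `ssh -p 2222` as the same account the daemon runs under. The check deliberately rejects `UsePrivilegeSeparation sandbox` as well as `yes`: both make sshd attempt the chroot and uid switch that fail without root.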
