2002-06-21 14:45:50 +00:00
|
|
|
Privilege separation, or privsep, is method in OpenSSH by which
|
|
|
|
operations that require root privilege are performed by a separate
|
|
|
|
privileged monitor process. Its purpose is to prevent privilege
|
2003-11-21 12:48:55 +00:00
|
|
|
escalation by containing corruption to an unprivileged process.
|
2002-06-21 14:45:50 +00:00
|
|
|
More information is available at:
|
2002-05-13 03:57:04 +00:00
|
|
|
http://www.citi.umich.edu/u/provos/ssh/privsep.html
|
|
|
|
|
2002-06-21 14:45:50 +00:00
|
|
|
Privilege separation is now enabled by default; see the
|
|
|
|
UsePrivilegeSeparation option in sshd_config(5).
|
2002-05-13 03:57:04 +00:00
|
|
|
|
2003-11-21 12:48:55 +00:00
|
|
|
On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
|
|
|
|
compression must be disabled in order for privilege separation to
|
2002-06-21 14:48:02 +00:00
|
|
|
function.
|
|
|
|
|
2002-06-24 16:49:22 +00:00
|
|
|
When privsep is enabled, during the pre-authentication phase sshd will
|
2002-05-13 03:57:04 +00:00
|
|
|
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
|
2002-06-26 00:43:57 +00:00
|
|
|
and its primary group. sshd is a pseudo-account that should not be
|
|
|
|
used by other daemons, and must be locked and should contain a
|
|
|
|
"nologin" or invalid shell.
|
|
|
|
|
|
|
|
You should do something like the following to prepare the privsep
|
|
|
|
preauth environment:
|
2002-05-13 03:57:04 +00:00
|
|
|
|
|
|
|
# mkdir /var/empty
|
|
|
|
# chown root:sys /var/empty
|
|
|
|
# chmod 755 /var/empty
|
|
|
|
# groupadd sshd
|
2002-06-26 00:43:57 +00:00
|
|
|
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
|
2002-05-13 03:57:04 +00:00
|
|
|
|
|
|
|
/var/empty should not contain any files.
|
|
|
|
|
|
|
|
configure supports the following options to change the default
|
|
|
|
privsep user and chroot directory:
|
|
|
|
|
2002-05-22 01:02:15 +00:00
|
|
|
--with-privsep-path=xxx Path for privilege separation chroot
|
2002-05-13 03:57:04 +00:00
|
|
|
--with-privsep-user=user Specify non-privileged user for privilege separation
|
|
|
|
|
2002-06-26 00:25:47 +00:00
|
|
|
Privsep requires operating system support for file descriptor passing.
|
|
|
|
Compression will be disabled on systems without a working mmap MAP_ANON.
|
2002-05-13 03:57:04 +00:00
|
|
|
|
2004-10-06 10:09:32 +00:00
|
|
|
PAM-enabled OpenSSH is known to function with privsep on AIX, HP-UX
|
|
|
|
(including Trusted Mode), Linux and Solaris.
|
2002-05-13 03:57:04 +00:00
|
|
|
|
2004-06-28 03:50:35 +00:00
|
|
|
On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
|
|
|
|
part of privsep is supported. Post-authentication privsep is disabled
|
|
|
|
automatically (so you won't see the additional process mentioned below).
|
2003-03-21 01:18:09 +00:00
|
|
|
|
2002-05-13 03:57:04 +00:00
|
|
|
Note that for a normal interactive login with a shell, enabling privsep
|
|
|
|
will require 1 additional process per login session.
|
|
|
|
|
|
|
|
Given the following process listing (from HP-UX):
|
|
|
|
|
|
|
|
UID PID PPID C STIME TTY TIME COMMAND
|
|
|
|
root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0
|
|
|
|
root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv]
|
|
|
|
stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2
|
|
|
|
stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash
|
|
|
|
|
|
|
|
process 1005 is the sshd process listening for new connections.
|
|
|
|
process 6917 is the privileged monitor process, 6919 is the user owned
|
|
|
|
sshd process and 6921 is the shell process.
|
|
|
|
|
2004-10-06 10:09:32 +00:00
|
|
|
$Id: README.privsep,v 1.15 2004/10/06 10:09:32 dtucker Exp $
|