Re: Bug#189425: openssh: with default config, sshd fails on kernels other than Linux > 2.0
On Mon, Apr 28, 2003 at 02:10:16AM +0200, Robert Millan wrote:
> On Sun, Apr 27, 2003 at 04:49:53PM +0100, Colin Watson wrote:
> > I don't understand why. Privilege separation just requires a
> > separate user and group which is used for processing network data,
> > the ability for sshd running as root to setuid(), setgid(), and
> > setgroups() to that user and group, and an empty chroot. I didn't
> > think GNU was so different that this would be unavailable; in fact,
> > I would expect all of these features to be available on any Debian
> > system. The reason why privilege separation doesn't work on Linux
> > 2.0 was originally due to the lack of anonymous memory mapping, and
> > now that that has been worked around it's due to a simple bug
> > (#150976).
> > Could you please explain the problem on GNU in more detail?
> Neal just explained what i meant. Priviledge handling is one of the
> typical features that come out when trying to explain GNU's system
> core (Hurd/Glibc) dessign. [*]
> I assumed that Priviledge Separation was some kernel-specific feature
> introduced with Linux 2.1 that probably wasn't worth implement. but as
> you describe it seems simple. maybe we could have it to keep openssh
It's not a kernel feature, it's an OpenSSH feature. It is not something
you need to implement. It's simply a name for the way the code in sshd
that interacts with network data during authentication runs with as
close to zero privileges as possible to isolate the potential damage
caused by any programming errors in that (substantial) part of the code.
I appreciate that there are other things made possible by GNU's
architecture, but until someone writes the code privsep is still useful.
> Last time i tried, sshd failed to initialise a session on GNU with
> PrivSep turned on. did you mean a PrivSep special API needs to be
> added, or is sshd suposed to work on any sane (unlike this one ;))
Privsep should on the whole be fairly portable, although it occasionally
needs tweaking. It should be a perfectly normal porting task for you
guys though. Running sshd with the -ddd option (lots of debugging) may
provide some clues.
Colin Watson [email@example.com]