diff --git a/ChangeLog b/ChangeLog index 6382bc870..4a9e013bd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,5 @@ 20020513 + - (stevesk) add initial README.privsep - (stevesk) [configure.ac] nicer message: --with-privsep-user=user - (djm) Add --with-superuser-path=xxx configure option to specify what $PATH the superuser receives. @@ -576,4 +577,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2111 2002/05/13 03:51:40 stevesk Exp $ +$Id: ChangeLog,v 1.2112 2002/05/13 03:57:04 stevesk Exp $ diff --git a/README.privsep b/README.privsep new file mode 100644 index 000000000..4f15cf433 --- /dev/null +++ b/README.privsep @@ -0,0 +1,53 @@ +Privilege separation, or privsep, is an experimental feature in +OpenSSH in which operations that require root privilege are performed +by a separate privileged monitor process. Its purpose is to prevent +privilege escalation by containing corruption to an unprivileged +process. More information is available at: + http://www.citi.umich.edu/u/provos/ssh/privsep.html + +Privilege separation is not enabled by default, and may be enabled by +specifying "UsePrivilegeSeparation yes" in sshd_config; see the +UsePrivilegeSeparation option in sshd(8). + +When privsep is enabled, the pre-authentication sshd process will +chroot(2) to "/var/empty" and change its privileges to the "sshd" user +and its primary group. You should do something like the following to +prepare the privsep preauth environment: + + # mkdir /var/empty + # chown root:sys /var/empty + # chmod 755 /var/empty + # groupadd sshd + # useradd -g sshd sshd + +/var/empty should not contain any files. + +configure supports the following options to change the default +privsep user and chroot directory: + + --with-privsep-path=xxx Path for privilege seperation chroot + --with-privsep-user=user Specify non-privileged user for privilege separation + +Privsep requires operating system support for file descriptor passing +and mmap(MAP_ANON). + +PAM currently only works with privsep on Linux. It does not function +on Solaris or HP-UX. PAMAuthenticationViaKbdInt does not function with +privsep. + +Note that for a normal interactive login with a shell, enabling privsep +will require 1 additional process per login session. + +Given the following process listing (from HP-UX): + + UID PID PPID C STIME TTY TIME COMMAND + root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 + root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] + stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2 + stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash + +process 1005 is the sshd process listening for new connections. +process 6917 is the privileged monitor process, 6919 is the user owned +sshd process and 6921 is the shell process. + +$Id: README.privsep,v 1.1 2002/05/13 03:57:04 stevesk Exp $