Re: priviledge seperation not working like before

From: James Dennis (jdennis@law.harvard.edu)
Date: 02/13/03

  • Next message: Wilson, Richard E: "RE: OPENSSH 3.4p1-3 on AIX 4.3.3" 
    Date: Thu, 13 Feb 2003 17:08:14 -0500
From: James Dennis <jdennis@law.harvard.edu>
To: "list1@0ff.org" <list1@0ff.org>, secureshell@securityfocus.com

    What's the deal with configure these days (say it like Jerry Seinfeld)?

    You won't see anything pointing to /var/empty because that is the
    processes chrooted directory. /var/empty isn't actually open until you
    try to list files in there. An easy way to confirm this would be to
    remove /var/empty. If you can't login, chances are, it's working. I'm
    sure the list will provide a better method, but that's a dirty way to check.

    -James

    list1@0ff.org wrote:
    > In English that means what? I did an lsof on all the pids ..saw nothing
    > pointing to /var/empty...its working? It would be especially helpful to
    > have a way to confirm it. And what's the deal with the ./configure not
    > failing if you specify a non existent user as the privsep-user? Ideas?
    >
    > thanks again,
    >
    > Cherie
    >
    >
    > At 02:31 PM 2/13/2003 -0600, you wrote:
    >
    >
    >> On Thu, 13 Feb 2003, list1@0ff.org wrote:
    >>
    >> > Hello--
    >> >
    >> > I just realized that my previously installed sshd is NOT using
    >> privilege
    >> > separation..So..I went to reconfigure it, and make sure it was working
    >> > correctly.
    >> >
    >> > Configure:
    >> >
    >> > ./configure --with-tcp-wrappers --with-md5-passwords --with-pam
    >> > --with-privsep-path=/var/empty --with-privsep-user=sshd
    >> >
    >> > Yes, sshd exists, yes /var/empty exists, yes yes yes..
    >> >
    >> > my current sshd_conf does reads:
    >> >
    >> > PAMAuthenticationViaKbdInt no <-- per the README.privsep
    >> > and
    >> > UsePrivilegeSeparation yes <-- obvious
    >> >
    >> > and here is the current ps aux | grep sshd:
    >> >
    >> > root 24673 0.0 0.1 2644 1156 ? S Feb12 0:00
    >> /usr/sbin/sshd
    >> > root 254 0.0 0.2 3412 1644 ? S Feb12 0:00
    >> /usr/sbin/sshd
    >> > where 5321 0.0 0.2 3468 1876 ? S Feb12 0:00
    >> /usr/sbin/sshd
    >> >
    >> > (pids are randomized, btw)
    >> >
    >>
    >> I suspect that one is the parent sshd that listens for new request then
    >> you have the 'Prived' and 'Unprived' children (which I assume is pid 254
    >> and 5321). So for one connection you have 3 sshd runninng.. for two you
    >> have 5, etc..
    >>
    >> > I am at a loss, configure shows no errors, make works, etc.. One
    >> thing I
    >> > noticed that was most odd was that substituting a NON-existent user in
    >> > place of sshd in the above configuration did NOT produce an error
    >> >
    >> > ssh version is OpenSSH_3.5p1
    >> > linux box running 2.4.19-grsecurity kernel that _has_ had this
    >> working before
    >> >
    >>
    >> The issue is that setproctitle() is not implemented for Linux.
    >>
    >> Off of OpenBSD you get:
    >>
    >> 10071 ?? Is 0:06.41 /usr/sbin/sshd
    >> 30830 ?? Is 0:00.06 sshd: mouring [priv] (sshd)
    >> 31043 ?? I 1:12.01 sshd: mouring@ttyp0 (sshd)
    >>
    >>
    >> the [priv] is running as root and the other is runnig as mouring. As a
    >> result the few things that require root privs are passed up the [priv]
    >> process to be handled.
    >>
    >>
    >> - Ben
    >
    >
    >
    > 

    -- 
James Dennis
Harvard Law School
"Not everything that counts can be counted,
and not everything that can be counted counts."