Re: Openssh security
From: Nico Kadel-Garcia (nkadel_at_verizon.net)
Date: Sat, 27 Sep 2003 13:59:56 GMT
> begin on Wed, 24 Sep 2003 01:08:18 +0000, Nico Kadel-Garcia wrote:
>> "PrivSep" code, which was supposed to *enhance* security but has turned
>> out to be a huge bug source.
> The point of PrivSep is to isolate the potentially serious bugs into one
> smallish chunk of code. Imagine the nightmare if the rest of the code was
> also a source of potentially serious bugs.
Imagine if we replaced "sendmail" with "cat".
That would also be small and highly modular and therefore more secure,
but then we'd need to rebuild much of the complexity to get it to do
what we actually wanted to do, from scratch, and add a lot of new bugs.
Now imagine we did it without broad testing across a variety of
platforms. While it worked just *fine* on OpenBSD, under which it was
developed, it's been extremely fragile under quite a few platforms:
chroot is a rather complex, low-level, system-dependent operation, and
therefore tough to port successfully to all the OpenSSH platforms. And
we're still paying for that with failed installations.