Re: When does Privilege Separation work.

From: Evert (linux@dds.nl)
Date: 06/26/02


> In article <Pine.GSO.4.44.0206260855260.27100-100000@bellatrix.students.cs.uu.nl>,
> ajoostin@students.cs.uu.nl says...
> > Hi,
> >
> > Yesterday I've updated my server to openssh 3.3 after configuring my server
> > using the instructions from README.privsep, but some questions remain:
> > 1. How do I know privilege separation is really working on my system, for
> > instance which lines in the debug output from sshd indicate
> > running privilege separation.
> > 2. Why do I need a sshd user and group? In the output of top or ps I see
> > no processes running with username sshd.
> >
> > I hope someone can answer these questions. I will supply some additional
> > information about my system, maybe that helps when answering my questions.
> >
> > Greeting Arjan
> >
> > My system:
> > Linux dist : Linux From Scratch
> > Linux kernel : 2.4.17
> > Glibc version : 2.2.3
> > Openssh version : 3.3p1
> >
> >
>
> Hi,
>
> I have similar concerns:
> After an upgrade of openssh to 3.3 on my FreeBSD 4.6 server I can see
> that PrivilegeSeparation is turned on:
>
> # ps -ax | grep sshd
> 83 ?? IWs 0:00.00 /usr/sbin/sshd
> 119 ?? IW 0:00.00 sshd: user [priv] (sshd)
> 121 ?? S 0:00.18 sshd: user@ttyp0 (sshd)
>
>
> On my Linux server (kernel 2.4.7) I don't see that [priv]
>
> # ps -ax | grep sshd
> 15090 ? S 0:00 /usr/sbin/sshd
> 15096 ? S 0:00 /usr/sbin/sshd
> 15098 ? S 0:00 /usr/sbin/sshd
> 15294 pts/6 S 0:00 grep sshd
>

same problem here:

when I do 'ps -aux | grep sshd' I get:

root 13944 0.0 0.7 2752 1264 ? S 10:26 0:00 /usr/sbin/sshd
root 13959 0.0 1.0 5988 1732 ? S 10:28 0:00 /usr/sbin/sshd
evert 13961 0.0 1.2 6116 2032 ? S 10:28 0:00 /usr/sbin/sshd
root 18369 0.0 0.3 1792 604 pts/1 S 10:47 0:00 grep sshd

so the child is still root??

'ps -lfxa' gives me:

140 0 13944 1 9 0 2752 1264 do_sel S ? 0:00 /usr/sbin/sshd
140 0 13959 13944 9 0 5988 1732 unix_s S ? 0:00 \_ /usr/sbin/sshd
140 501 13961 13959 9 0 6116 2032 do_sel S ? 0:00 \_ /usr/sbin/sshd
000 501 13962 13961 9 0 2788 1596 wait4 S pts/1 0:00 \_ -bash
0

so. the extra process is a child, but still running as root...
I did everything mentioned in readme.privsep though..

Evert


