Damien Miller | 263d68f | 2002-06-22 00:45:50 +1000 | [diff] [blame] | 1 | Privilege separation, or privsep, is method in OpenSSH by which |
| 2 | operations that require root privilege are performed by a separate |
| 3 | privileged monitor process. Its purpose is to prevent privilege |
Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 4 | escalation by containing corruption to an unprivileged process. |
Damien Miller | 263d68f | 2002-06-22 00:45:50 +1000 | [diff] [blame] | 5 | More information is available at: |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 6 | http://www.citi.umich.edu/u/provos/ssh/privsep.html |
| 7 | |
Damien Miller | 263d68f | 2002-06-22 00:45:50 +1000 | [diff] [blame] | 8 | Privilege separation is now enabled by default; see the |
| 9 | UsePrivilegeSeparation option in sshd_config(5). |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 10 | |
Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 11 | On systems which lack mmap or anonymous (MAP_ANON) memory mapping, |
| 12 | compression must be disabled in order for privilege separation to |
Damien Miller | 828b196 | 2002-06-22 00:48:02 +1000 | [diff] [blame] | 13 | function. |
| 14 | |
Kevin Steves | d486636 | 2002-06-24 16:49:22 +0000 | [diff] [blame] | 15 | When privsep is enabled, during the pre-authentication phase sshd will |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 16 | chroot(2) to "/var/empty" and change its privileges to the "sshd" user |
Kevin Steves | 40b011c | 2002-06-26 00:43:57 +0000 | [diff] [blame] | 17 | and its primary group. sshd is a pseudo-account that should not be |
| 18 | used by other daemons, and must be locked and should contain a |
| 19 | "nologin" or invalid shell. |
| 20 | |
| 21 | You should do something like the following to prepare the privsep |
| 22 | preauth environment: |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 23 | |
| 24 | # mkdir /var/empty |
| 25 | # chown root:sys /var/empty |
| 26 | # chmod 755 /var/empty |
| 27 | # groupadd sshd |
Kevin Steves | 40b011c | 2002-06-26 00:43:57 +0000 | [diff] [blame] | 28 | # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 29 | |
| 30 | /var/empty should not contain any files. |
| 31 | |
| 32 | configure supports the following options to change the default |
| 33 | privsep user and chroot directory: |
| 34 | |
Damien Miller | 74cc5bb | 2002-05-22 11:02:15 +1000 | [diff] [blame] | 35 | --with-privsep-path=xxx Path for privilege separation chroot |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 36 | --with-privsep-user=user Specify non-privileged user for privilege separation |
| 37 | |
Tim Rice | e04ee92 | 2002-06-25 17:25:47 -0700 | [diff] [blame] | 38 | Privsep requires operating system support for file descriptor passing. |
| 39 | Compression will be disabled on systems without a working mmap MAP_ANON. |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 40 | |
Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 41 | PAM-enabled OpenSSH is known to function with privsep on Linux. |
Damien Miller | 263d68f | 2002-06-22 00:45:50 +1000 | [diff] [blame] | 42 | It does not function on HP-UX with a trusted system |
Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 43 | configuration. |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 44 | |
Tim Rice | 5287902 | 2004-06-27 20:50:35 -0700 | [diff] [blame] | 45 | On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication |
| 46 | part of privsep is supported. Post-authentication privsep is disabled |
| 47 | automatically (so you won't see the additional process mentioned below). |
Ben Lindstrom | c8c548d | 2003-03-21 01:18:09 +0000 | [diff] [blame] | 48 | |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 49 | Note that for a normal interactive login with a shell, enabling privsep |
| 50 | will require 1 additional process per login session. |
| 51 | |
| 52 | Given the following process listing (from HP-UX): |
| 53 | |
| 54 | UID PID PPID C STIME TTY TIME COMMAND |
| 55 | root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 |
| 56 | root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] |
| 57 | stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2 |
| 58 | stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash |
| 59 | |
| 60 | process 1005 is the sshd process listening for new connections. |
| 61 | process 6917 is the privileged monitor process, 6919 is the user owned |
| 62 | sshd process and 6921 is the shell process. |
| 63 | |
Tim Rice | 5287902 | 2004-06-27 20:50:35 -0700 | [diff] [blame] | 64 | $Id: README.privsep,v 1.14 2004/06/28 03:50:36 tim Exp $ |