Date: Wed, 26 Jun 2002 11:24:04 -0700
From: "Philip J. Koenig" <pjklist@ekahuna.com>
To: steve-lists@reentrant.co.uk
Cc: security@FreeBSD.ORG
Subject: Re: Binary upgrade available
Message-ID: <20020626182406157.AAA771@empty1.ekahuna.com@pc02.ekahuna.com>
In-Reply-To: <20020626150645.A8340@chrome.intranet>
References: <20020626121130543.AAA754@empty1.ekahuna.com@pc02.ekahuna.com>; from pjklist@ekahuna.com on Wed, Jun 26, 2002 at 05:11:32AM -0700
On 26 Jun 2002, at 15:06, steve-lists@reentrant.co.uk boldly uttered:

> * Philip J. Koenig <pjklist@ekahuna.com> [06m26d02y 13:32]:
> > According to the steps outlined earlier to ascertain whether privsep
> > is working, in my case it seems not to be. (I am of the impression
> > that the path shown at the end should now show "/usr/empty"):
> >
> >
> > #lsof -p <sshd pid> |grep rtd
> > sshd 109 root rtd VDIR 13,196608 1024 2 /
>
> This took me a while to figure out, but my understanding is this:
>
> The parent sshd process still runs as root.
> During login (i.e. when there is a password prompt being displayed),
> sshd runs a less-privileged process, which is marked with [net] in the
> output of ps. This handles the connection process and, at least for my
> install of /usr/ports/security/openssh, runs as nobody in
> /usr/local/empty. For example:
>
> nobody 1068 6.1 3.7 3524 2092 ?? S 2:52PM 0:01.65 sshd: steve [net] (sshd)
>
> The output of lsof -p 1068 | grep rtd is then:
>
> sshd 1068 nobody rtd VDIR 116,131078 512 45177 /usr/local/empty
>
> which I think is what you were expecting before.
>
> After authentication, there are two processes per session: a privileged
> process, marked with [priv], which is run as root; and another process
> which runs as the user which is logging in. The latter looks like
> "sshd: user@tty (sshd)".
>
> The above is just my understanding of it, but I hope that helps,
>
> Steve.

I checked with lsof while an ssh session was in progress, and it still shows that all ssh-related processes are rooted at "/". There also are no processes owned by "sshd", only by root (marked with 'priv' as you mention, although clearly that doesn't have any security benefit per se) or the user logged in via ssh.

--
Philip J. Koenig
pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium
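The check Steve describes (an unprivileged "[net]" child that is not root and whose lsof "rtd" entry is not "/") can be scripted so the verdict does not depend on reading ps and lsof output by eye. The following is an added example for this archive page, not code from either poster or from OpenSSH; it assumes BSD-style `ps aux` columns and the lsof line layout shown in the thread, and every ps/lsof line it contains is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from `ps aux` and
# `lsof -p PID | grep rtd` output whether OpenSSH privilege separation looks
# active, using the markers Steve describes: an unprivileged "[net]" child
# that is not root and whose root directory (lsof "rtd") is not "/".
# Assumed column layout is BSD-style `ps aux`; all sample lines below are
# constructed for this example.

# Constructed sample of a host with privsep in effect, login in progress.
PS_OK='root      100  0.0  0.5  3300 1100  ??  Is   2:50PM 0:00.10 /usr/local/sbin/sshd
nobody   1068  6.1  3.7  3524 2092  ??  S    2:52PM 0:01.65 sshd: steve [net] (sshd)
root     1070  0.0  1.0  3500 1500  ??  I    2:53PM 0:00.05 sshd: steve [priv] (sshd)
steve    1071  0.0  1.0  3510 1520  ??  S    2:53PM 0:00.08 sshd: steve@ttyp0 (sshd)'
RTD_OK='sshd 100 root rtd VDIR 13,196608 1024 2 /
sshd 1068 nobody rtd VDIR 116,131078 512 45177 /usr/local/empty
sshd 1070 root rtd VDIR 13,196608 1024 2 /
sshd 1071 steve rtd VDIR 13,196608 1024 2 /'

# Constructed sample where the [net] child dropped to nobody but was never
# chrooted (root directory still "/"): privsep only partly in effect.
PS_BAD='root      100  0.0  0.5  3300 1100  ??  Is   2:50PM 0:00.10 /usr/sbin/sshd
nobody    200  1.0  3.0  3524 2092  ??  S    2:52PM 0:00.40 sshd: phil [net] (sshd)'
RTD_BAD='sshd 100 root rtd VDIR 13,196608 1024 2 /
sshd 200 nobody rtd VDIR 13,196608 1024 2 /'

# rtd_of PID RTD_TEXT: print the root directory that lsof reported for PID.
rtd_of() {
    printf '%s\n' "$2" | awk -v pid="$1" '$2 == pid && $4 == "rtd" { print $NF }'
}

# privsep_status PS_TEXT RTD_TEXT: prints
#   ok        every [net] child is non-root and rooted outside "/"
#   degraded  some [net] child is root or still rooted at "/"
#   none      no [net] child present (no login in progress, or the
#             unprivileged child is never spawned)
privsep_status() {
    results=$(printf '%s\n' "$1" | while read -r user pid _cpu _mem _vsz _rss _tt _stat _start _time cmd; do
        case "$cmd" in
            *"[net]"*)
                dir=$(rtd_of "$pid" "$2")
                if [ "$user" != root ] && [ -n "$dir" ] && [ "$dir" != / ]; then
                    echo ok
                else
                    echo degraded
                fi
                ;;
        esac
    done)
    case "$results" in
        "")         echo none ;;
        *degraded*) echo degraded ;;
        *)          echo ok ;;
    esac
}

# Run both constructed samples when executed directly.
privsep_status "$PS_OK" "$RTD_OK"     # ok
privsep_status "$PS_BAD" "$RTD_BAD"   # degraded
```

On a live host the two inputs would come from `ps aux | grep 'sshd'` and from `lsof -p PID | grep rtd` for each sshd PID. The timing caveat follows directly from Steve's description: the "[net]" child only exists while the password prompt is up, so a check run against an already established session (as in Philip's reply) sees only the root "[priv]" monitor and the user's process and reports "none", which by itself says nothing about whether privsep is working.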