[luau] privilege separation

Vince Hoang luau at ml.altern8.net
Tue Feb 11 22:48:01 PST 2003


On Tue, Feb 11, 2003 at 10:30:09PM -0500, MonMotha wrote:
> OpenSSH has something known as privilege separation. What
> this does is have two processes running, with some sort of
> IPC between them (I'm not familiar with the internals). The
> daemon is initially run as root, binds to port 80 and drops as
> many capabilities as it can, then it spawns a child process to
> handle the actual authentication and shell setup. This part is
> THOROUGHLY audited because it has to retain root privileges.
> However, the part that handles accepting connections and
> gathering authentication information (to be passed on to the
> root level process) binds to port 80 then setuids to another
> uid (this is your privsep user, like sshd, pretty much totally
> unprivileged) so that if there is a problem (such as a buffer
> overflow leading to arbitrary code execution) in that portion,
> it only yields access to the system as an unprivileged user,
> rather than an instant root compromise.

My understanding is a bit different, but the concept is the same. There
are four PIDs that are involved in the process:
 1) parent PID that listens on tcp/22 as root
 2) monitor PID that gets forked off for each request as root
 3) preauth PID that runs as the ssh user
 4) postauth PID that runs as the authenticated user

At no time does the remote user interact directly with a
privileged process. Whenever any privileged access is required,
the monitor performs the actions on their behalf.

That is why for each authenticated user, you will see two sshd
processes, the monitor running as root, and the slave process
running as the authenticated user. You should only see a slave
process running as ssh before authentication. (Ssh to a machine
using password authentication, and just wait at the password
prompt while you run a ps in a different window.)

> It's a really cool idea.

And very complicated! I still do not feel like I grok privsep
well enough after several readings of Niels Provos' paper.

-Vince
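The monitor/child split described in this thread, reduced to a runnable sketch. This is an added example and not OpenSSH code: a privileged monitor forks a child, the child drops to an unprivileged user (assumed here to be "nobody"; on a non-root run there is nothing to drop), and the only channel between them is a socketpair carrying one narrowly defined request. The child collects the candidate password but never sees the secret it is checked against; the monitor holds that and answers allow/deny. The secret and the request format are constructed for the example.

```c
/* Minimal privilege-separation sketch: privileged monitor, unprivileged child,
 * one request type over a socketpair. Added example, not OpenSSH's code. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed secret that only the monitor may read (stands in for the
 * shadow entry or host key the real monitor guards on the child's behalf). */
static const char MONITOR_SECRET[] = "correct horse battery staple";

enum { REQ_CHECK_PASSWORD = 1 };          /* the only request the monitor accepts */
enum { REPLY_DENY = 0, REPLY_ALLOW = 1 };
#define MAX_PW 64

struct request {
    unsigned char type;
    char password[MAX_PW];                /* sender is expected to NUL-terminate */
};

/* Read exactly len bytes; a stream socket may deliver them in pieces. */
static int read_full(int fd, void *buf, size_t len)
{
    char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n <= 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Drop root if we have it. "nobody" is an assumed stand-in for the privsep user. */
static int drop_privileges(void)
{
    if (getuid() != 0) return 0;          /* unprivileged test run: nothing to drop */
    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    return 0;
}

/* Monitor: service exactly one request and answer it. Returns the reply sent. */
static int monitor_serve(int fd)
{
    struct request req;
    unsigned char reply = REPLY_DENY;
    if (read_full(fd, &req, sizeof req) == 0 && req.type == REQ_CHECK_PASSWORD) {
        req.password[MAX_PW - 1] = '\0';  /* never trust the child's terminator */
        if (strcmp(req.password, MONITOR_SECRET) == 0)
            reply = REPLY_ALLOW;
    }
    if (write(fd, &reply, 1) != 1) return -1;
    return reply;
}

/* Child: drop privileges, forward the candidate, report the monitor's verdict
 * through the exit status (0 allow, 1 deny, 2 error). */
static int child_run(int fd, const char *candidate)
{
    struct request req;
    unsigned char reply;
    if (drop_privileges() != 0) return 2;
    memset(&req, 0, sizeof req);
    req.type = REQ_CHECK_PASSWORD;
    strncpy(req.password, candidate, MAX_PW - 1);   /* over-long input is truncated */
    if (write(fd, &req, sizeof req) != (ssize_t)sizeof req) return 2;
    if (read_full(fd, &reply, 1) != 0) return 2;
    return reply == REPLY_ALLOW ? 0 : 1;
}

/* Returns 1 if the monitor accepted candidate, 0 if it denied it, -1 on error. */
int privsep_auth(const char *candidate)
{
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* unprivileged side */
        close(sv[0]);
        _exit(child_run(sv[1], candidate));
    }
    close(sv[1]);                         /* privileged side */
    int verdict = monitor_serve(sv[0]);
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    if (verdict < 0 || WEXITSTATUS(status) == 2) return -1;
    /* The child's claim must match what the monitor actually granted. */
    if ((WEXITSTATUS(status) == 0) != (verdict == REPLY_ALLOW)) return -1;
    return verdict == REPLY_ALLOW ? 1 : 0;
}

int main(void)
{
    printf("correct password -> %d\n", privsep_auth("correct horse battery staple"));
    printf("wrong password   -> %d\n", privsep_auth("guess"));
    return 0;
}
```

The point of the shape is that a memory-safety bug in the child's request handling only gains an attacker the privsep user's rights and a one-message IPC channel, and the monitor validates the type and string termination of everything that arrives on that channel rather than trusting the child. The real sshd monitor does the same thing for a much larger set of requests, which is what makes the paper hard going.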
