[luau] privilege separation
MonMotha
monmotha at indy.rr.com
Thu Feb 13 19:21:01 PST 2003
Vince Hoang wrote:
> My understanding is a bit different, but the concept is the same. There
> are four PIDs that are involved in the process:
> 1) parent PID that listens on tcp/22 as root
> 2) monitor PID that gets forked off for each request as root
> 3) preauth PID that runs as the ssh user
> 4) postauth PID that runs as the authenticated user
As I said, I'm not exactly familiar with the internals, just the concept.
>
> At no time does the remote user interact directly with a
> privileged process. Whenever any privileged access is required,
> the monitor performs the actions on their behalf.
Yep, the idea is that an unauthenticated user doesn't get to talk directly to a
process holding root privileges, and once authenticated, only gets to do so for
the purposes of getting their shell (where, of course, the first thing that
happens is a call to setuid to completely drop root privileges).
>
> That is why for each authenticated user, you will see two sshd
> processes, the monitor running as root, and the slave process
> running as the authenticated user. You should only see a slave
> process running as ssh before authentication. (Ssh to a machine
> using password authentication, and just wait at the password
> prompt while you run a ps in a different window.)
>
>
>>It's a really cool idea.
>
>
> And very complicated! I still do not feel like I grok privsep
> well enough after several readings of Niels Provos' paper.
It certainly is complicated, and almost screams hack (but it's the good kind of
hack, not a kludge). The real solution would of course be to fix the OS somehow
(providing a uniform method for authenticating, login, etc.), but then that would
break all shreds of backwards compatibility, not to mention require putting all
your eggs in one basket with regard to security. The way things are now, you
have numerous options as to authentication. On my "Secureized" systems, I
usually just use traditional shadow passwords with OpenSSH and privilege
separation. Of course, pretty much everything else runs chrooted (and who
knows, maybe even ssh, but you'd never be able to tell, now would you?)
>
> -Vince
--MonMotha
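Vince's suggestion to watch the sshd process list during a pending password prompt can be turned into a small check. The script below is an added example, not from the thread or from OpenSSH; it classifies ps-style `pid ppid user args` lines into the four roles Vince lists (listener, monitor, preauth child, postauth child), assuming the listener is the root sshd whose parent is PID 1, monitors are root children of the listener, the preauth child runs as an unprivileged account named `sshd` (the name varies by system), and a postauth child runs as the logged-in user. The sample process list is constructed for the example; the process titles are illustrative, not a specific OpenSSH version's output.

```shell
#!/bin/sh
# Added example (not from the original thread). Classifies sshd processes
# from ps-style output into privsep roles so an operator can confirm that
# no unauthenticated connection is talking to a root-owned process.

# Constructed sample, shaped like `ps -eo pid,ppid,user,args | grep sshd`.
# Fields: PID PPID USER ARGS (ARGS may contain spaces; only $1-$3 are used).
SAMPLE_PS='812 1 root sshd: listener on tcp/22
4120 812 root sshd: monitor for unauthenticated connection
4121 4120 sshd sshd: preauth network process
4200 812 root sshd: monitor for alice
4202 4200 alice sshd: alice@pts/0
4300 812 root sshd: monitor for root login
4301 4300 root sshd: root@pts/1'

# classify_sshd [privsep_user]
# Reads ps-style lines on stdin and prints "PID ROLE USER" per process.
# Roles: LISTENER, MONITOR, PREAUTH, POSTAUTH, ROOT-CHILD (a root-owned
# child of a monitor: either a genuine root login or a sign that privilege
# separation is not in effect; worth a look either way), UNKNOWN.
classify_sshd() {
    awk -v privsep_user="${1:-sshd}" '
    {
        pid[NR] = $1; ppid[NR] = $2; user[NR] = $3
        owner[$1] = $3; parent[$1] = $2          # lookups by PID
    }
    END {
        for (i = 1; i <= NR; i++) {
            p = pid[i]; pp = ppid[i]; u = user[i]
            if (pp == 1 && u == "root")
                role = "LISTENER"
            else if (owner[pp] == "root" && parent[pp] == 1 && u == "root")
                role = "MONITOR"                  # root child of the listener
            else if (owner[pp] == "root" && u == privsep_user)
                role = "PREAUTH"                  # unprivileged child of a monitor
            else if (owner[pp] == "root" && u == "root")
                role = "ROOT-CHILD"               # review: root login or privsep off?
            else if (owner[pp] == "root")
                role = "POSTAUTH"                 # runs as the authenticated user
            else
                role = "UNKNOWN"
            print p, role, u
        }
    }'
}

# role_of PID: role assigned to one PID in the constructed sample.
role_of() {
    printf '%s\n' "$SAMPLE_PS" | classify_sshd | awk -v want="$1" '$1 == want { print $2 }'
}

# count_root_children: number of ROOT-CHILD processes in the sample (expect 0
# on a host where nobody is logged in as root).
count_root_children() {
    printf '%s\n' "$SAMPLE_PS" | classify_sshd | grep -c 'ROOT-CHILD' || true
}

# Stand-alone use: print the classified table for the sample.
printf '%s\n' "$SAMPLE_PS" | classify_sshd
```

On a live host, replace the constructed sample with `ps -eo pid,ppid,user,args | grep '[s]shd'` and pass the local privsep account name if it is not `sshd`. The check that matters before authentication is the one Vince describes: the child of a monitor should show up as the unprivileged account, never as root.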