Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
    http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).

On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.

When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. sshd is a pseudo-account that should not be
used by other daemons, and must be locked and should contain a
"nologin" or invalid shell.

You should do something like the following to prepare the privsep
preauth environment:

    # mkdir /var/empty
    # chown root:sys /var/empty
    # chmod 755 /var/empty
    # groupadd sshd
    # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.

configure supports the following options to change the default
privsep user and chroot directory:

    --with-privsep-path=xxx   Path for privilege separation chroot
    --with-privsep-user=user  Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.
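The following script is an added example, not part of OpenSSH, that checks a host's privsep preauth environment against the requirements above (chroot directory owned by root, mode 755, empty; privsep account with /bin/false, a nologin shell, or no valid shell). It assumes a readable /etc/passwd and parses `ls -ld` output instead of stat(1) for portability; the function names are my own.

```sh
#!/bin/sh
# Added example (not OpenSSH code): verify a privsep chroot directory and
# privsep pseudo-account as described in README.privsep.

# check_privsep_dir DIR [OWNER]
# DIR must be a directory owned by OWNER (default root), not writable by
# group or other (mode 755 as in the setup steps), and contain no files.
check_privsep_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    set -- $(ls -ld "$dir")              # $1=mode $2=links $3=owner $4=group
    case "$1" in
        d????-??-?*) ;;                  # group and other write bits clear
        *) echo "$dir: mode $1 is group/other writable" >&2; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "$dir: owned by $3, expected $owner" >&2; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: must be empty" >&2; return 1; }
}

# check_privsep_entry PASSWD_LINE
# The login shell (field 7) must be /bin/false, a nologin shell, or a path
# that does not exist, so the pseudo-account cannot log in interactively.
check_privsep_entry() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    [ -n "$shell" ] || { echo "$1: empty shell field (defaults to /bin/sh)" >&2; return 1; }
    case "$shell" in
        /bin/false|/usr/bin/false|*/nologin) return 0 ;;
    esac
    [ -x "$shell" ] && { echo "$1: $shell is a usable login shell" >&2; return 1; }
    return 0
}

# check_privsep_user NAME: look NAME up in /etc/passwd and check its entry.
check_privsep_user() {
    entry=$(grep "^$1:" /etc/passwd) || { echo "$1: no such account" >&2; return 1; }
    check_privsep_entry "$entry"
}

# Stand-alone use on a real host: sh privsep-check.sh /var/empty sshd
if [ $# -eq 2 ]; then
    check_privsep_dir "$1" && check_privsep_user "$2" && echo "privsep environment OK"
fi
```

The account's password lock (the "!" or "*" in the shadow file) is not checked here because reading it requires root; run passwd -S or an equivalent for that part.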

PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.

On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported. Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).

Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.

Given the following process listing (from HP-UX):

        UID   PID  PPID  C    STIME  TTY     TIME COMMAND
       root  1005     1  0 10:45:17  ?       0:08 /opt/openssh/sbin/sshd -u0
       root  6917  1005  0 15:19:16  ?       0:00 sshd: stevesk [priv]
    stevesk  6919  6917  0 15:19:17  ?       0:03 sshd: stevesk@2
    stevesk  6921  6919  0 15:19:17  pts/2   0:00 -bash

process 1005 is the sshd process listening for new connections.
process 6917 is the privileged monitor process, 6919 is the user owned
sshd process and 6921 is the shell process.

$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $