Re: defense-in-depth possible for sshd?

On 01/10/12 11:12, Bennett Haselton wrote:
> What about sshd -- assuming that the attacker can connect to sshd at all
> (i.e. not prevented by a firewall), if they find an exploit to let them
> take control of sshd, would that imply immediate total control of the

UsePrivilegeSeparation
    Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''. If UsePrivilegeSeparation is set to ``sandbox'' then the pre-authentication unprivileged process is subject to additional restrictions.

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

also selinux is everywhere these days... (default mechanism for "defense-in-depth")

HTH,
Adrian
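A small audit script in the spirit of Adrian's pointer, added here as an example and not part of the thread: it reads an sshd_config file (or the output of `sshd -T` saved to a file) and reports the UsePrivilegeSeparation posture. The function names and the two sample configs are constructed for the demonstration.

```shell
# Added example, not from the thread: audit sshd_config for the
# privilege-separation setting quoted from the man page above.

# Print the effective value of a keyword. sshd honours the first
# occurrence, keywords are case-insensitive, and UsePrivilegeSeparation
# is not valid inside a Match block, so parsing stops at the first Match.
sshd_keyword() {   # usage: sshd_keyword <Keyword> <config-file>
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }     # comments, blank lines
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$2"
}

# Classify the posture: sandbox | yes | no | default. "default" means the
# keyword is absent, which the quoted man page says is "yes".
privsep_status() {   # usage: privsep_status <config-file>
    v=$(sshd_keyword UsePrivilegeSeparation "$1" | tr '[:upper:]' '[:lower:]')
    case "$v" in
        sandbox|yes|no) echo "$v" ;;
        "")             echo default ;;
        *)              echo "unknown:$v" ;;
    esac
}

# Two constructed configs: one weakened, one using the sandbox mode.
weak_cfg=$(mktemp) && good_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# privilege separation switched off
Port 22
UsePrivilegeSeparation no
EOF
cat > "$good_cfg" <<'EOF'
Port 22
useprivilegeseparation sandbox
Match User backup
    PasswordAuthentication no
EOF

for f in "$weak_cfg" "$good_cfg"; do
    printf '%s: UsePrivilegeSeparation=%s\n' "$f" "$(privsep_status "$f")"
done
```

On a live host, `sshd -T` (run as root) dumps the effective configuration with lowercased keywords, which this parser accepts unchanged. Later OpenSSH releases removed the option and always sandbox the pre-auth process, so on those a `default` result is the safe case.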

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
