Re: sandbox or non-root for single user

On Tue, 26 May 2015, Igor Bukanov wrote:

> Hi,
> 
> I need to provide ssh access for just a single user, and I want
> to minimize the chance of malicious code running as root, even if it
> increases the possibility of malicious code running as that user. Given
> that, should I try running sshd as that user? Or should I continue to
> use UsePrivilegeSeparation=sandbox with sshd running as root?

It depends which operating system you are on - if you're running
on something with a good platform sandbox (systrace, seatbelt or
seccomp-bpf) then you'll have good protection from that even if
you are running sshd as the target user.

If your platform doesn't have one of the above sandboxes available,
then you should run as root to get the benefit of chroot and dropping
to an unprivileged user.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
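
On Linux, whether the seccomp-bpf sandbox mentioned in the reply is actually in force on a given process can be read from the `Seccomp:` field of `/proc/<pid>/status` (0 = disabled, 1 = strict, 2 = filter). The script below is an added example, not part of the original thread or of OpenSSH; the function names, the verdict wording and the sample status file are constructed for illustration, and the PID of the sshd pre-authentication child is something the reader supplies.

```shell
#!/bin/sh
# Added example: check the seccomp mode of a process from its status file.

# Print the seccomp mode recorded in a /proc/<pid>/status file.
# $1: path to the status file, e.g. /proc/1234/status
seccomp_mode() {
    # Exact match on "Seccomp:" so newer fields such as "Seccomp_filters:" are ignored.
    mode=$(awk '$1 == "Seccomp:" { print $2; exit }' "$1" 2>/dev/null) || mode=""
    case "$mode" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;   # field or file missing (old kernel, no seccomp, bad PID)
    esac
}

# Map the observed mode onto the two cases distinguished in the reply above.
sandbox_verdict() {
    case "$(seccomp_mode "$1")" in
        filter) echo "sandboxed: a seccomp-bpf filter is active on this process" ;;
        *)      echo "not sandboxed: rely on sshd as root (chroot + unprivileged user)" ;;
    esac
}

# Write a constructed status file for offline testing.
# $1: value for the Seccomp field, $2: output path
make_sample() {
    printf 'Name:\tsshd\nState:\tS (sleeping)\nPid:\t4242\nSeccomp:\t%s\n' "$1" > "$2"
}

# Usage: ./seccomp_check.sh PID [PID...]   (does nothing when no PID is given)
for pid in "$@"; do
    printf '%s: %s\n' "$pid" "$(sandbox_verdict "/proc/$pid/status")"
done
```

Run it against the PID of the unprivileged sshd child while a test connection is still waiting to authenticate; the listening parent is not expected to be filtered.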