On Sun, 6 Aug 2017, Aleksandar Kostadinov wrote: > Hello, > > there are emerging container services that restrict regular users to > launch containers under some random uid for security reasons. If such > user needs sshd in their container, they need to turn off > `UsePrivilegeSeparation` so that sshd is executed as the current uid > and not `root`. > > I understand that privilege separation [1] is more than changing the > process uid. On the other hand, it is unreasonable to expect > administrators to let regular users execute privileged code of any > sort. If they do so, this would compromise security of all other > users. It's not much of a container if it doesn't contain root-running code IMO. Anyway, running sshd as a non-root user works fine and will continue to work fine. Making privsep mandatory for root-started sshd hasn't changed this. -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
