Re: "UsePrivilegeSeparation no" is useful for running sshd without privileges

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Tue, 8 Feb 2022 at 06:16, Spencer Baugh <sbaugh@xxxxxxxxxx> wrote:
> "UsePrivilegeSeparation no" causes sshd to not use setuid when starting
> up.  This is useful for running sshd without any privileges in the first
> place.  That is, running sshd as an unprivileged user, rather than as
> root.

"UsePrivilegeSeparation yes" (or just omitting it) works as an
unprivileged user.  All of our regression tests can (and do) run that
way.  At one point it required that the privsep user and directory
exist, although it didn't use them, but that was fixed nearly five
years ago[0].

> I suggest that UsePrivilegeSeparation should be explicitly supported for
> running sshd as non-root.

No, supporting UsePrivilegeSeparation=no, that means there will still
be two different code paths.    Running sshd as non-root is supported
with UsePrivilegeSeparation=yes.

[0] https://marc.info/?l=openssh-unix-dev&m=150206569108938&w=2

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux