> "However, with privileges separation turned on, you are
> immune from at least one remote hole."

> at least one? Jesus how many are there? any information
> would be appreciated....
> -wire

"Basically, OpenSSH sshd(8) is something like 27000 lines of code. A lot of that runs as root. But when UsePrivilegeSeparation is enabled, the daemon splits into two parts. A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privs. This makes the daemon less vulnerable to attack."

reducing root-run code from 27000 to 2500 lines is the important part. who cares how many holes there are when it is in /var/empty/sshd chroot with no possibility of root :)

Peter

PS - agreed that his choice of wording is "interesting"...
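The split described in the quoted passage, as an added sketch that is not part of the original message and is not OpenSSH's code: a small monitor keeps its privileges and answers one narrow request, while the child that would handle untrusted input enters a chroot jail and drops to an unprivileged uid. The names `privsep_authenticate`, `monitor_allows` and `UNPRIV_ID`, the user "alice" and the jail path are assumptions made for the illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534     /* assumption: uid/gid of an unprivileged account */

/* Child: enter the jail and shed root before touching untrusted input. */
static int drop_privileges(const char *jail)
{
    gid_t gid = UNPRIV_ID;
    if (geteuid() != 0) return 0;        /* demo run without root: nothing to drop */
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(UNPRIV_ID) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;      /* getting root back must fail */
}

/* Monitor: the small privileged part answers one narrow question. */
static int monitor_allows(const char *user)
{
    return strcmp(user, "alice") == 0;   /* constructed stand-in for an auth check */
}

/* Returns 1 (allowed), 0 (denied) or -1 (fail closed on any error). */
int privsep_authenticate(const char *user, const char *jail)
{
    int sv[2], status;
    char buf[64] = {0}, verdict = 0;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if ((pid = fork()) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                      /* unprivileged child */
        close(sv[0]);
        if (drop_privileges(jail) != 0) _exit(2);
        /* a real daemon would parse network input here, inside the jail */
        if (send(sv[1], user, strlen(user) + 1, MSG_NOSIGNAL) < 0) _exit(2);
        _exit(recv(sv[1], &verdict, 1, 0) == 1 ? 0 : 2);
    }
    close(sv[1]);                        /* privileged monitor */
    if (recv(sv[0], buf, sizeof(buf) - 1, 0) > 0) {
        verdict = (char)monitor_allows(buf);
        send(sv[0], &verdict, 1, MSG_NOSIGNAL);
    }
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? verdict : -1;
}

int main(void) { return privsep_authenticate("alice", "/var/empty") == 1 ? 0 : 1; }
```

Run as root, the child ends up confined to the jail directory with no way back to uid 0; run as an ordinary user, the drop step is skipped and only the monitor/child exchange is exercised.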
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 20:41:43 PDT