From ca449fd93a885ba73123863dd370c65b7eec860a Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 21 Jun 2002 14:45:50 +0000 Subject: [PATCH] - (djm) Update README.privsep; spotted by fries@ --- ChangeLog | 3 +++ README.privsep | 19 +++++++++---------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index fa0d1a8d..61451ce4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20020622 + - (djm) Update README.privsep; spotted by fries@ + 20020621 - (djm) Sync: - djm@cvs.openbsd.org 2002/06/21 05:50:51 diff --git a/README.privsep b/README.privsep index 63c4d4a1..3ce37bf2 100644 --- a/README.privsep +++ b/README.privsep @@ -1,13 +1,12 @@ -Privilege separation, or privsep, is an experimental feature in -OpenSSH in which operations that require root privilege are performed -by a separate privileged monitor process. Its purpose is to prevent -privilege escalation by containing corruption to an unprivileged -process. More information is available at: +Privilege separation, or privsep, is method in OpenSSH by which +operations that require root privilege are performed by a separate +privileged monitor process. Its purpose is to prevent privilege +escalation by containing corruption to an unprivileged process. +More information is available at: http://www.citi.umich.edu/u/provos/ssh/privsep.html -Privilege separation is not enabled by default, and may be enabled by -specifying "UsePrivilegeSeparation yes" in sshd_config; see the -UsePrivilegeSeparation option in sshd(8). +Privilege separation is now enabled by default; see the +UsePrivilegeSeparation option in sshd_config(5). When privsep is enabled, the pre-authentication sshd process will chroot(2) to "/var/empty" and change its privileges to the "sshd" user @@ -34,8 +33,8 @@ privsep user and chroot directory: Privsep requires operating system support for file descriptor passing and mmap(MAP_ANON). -PAM-enabled OpenSSH is known to function with privsep on Linux and -Solaris 8. It does not function on HP-UX with a trusted system +PAM-enabled OpenSSH is known to function with privsep on Linux. +It does not function on HP-UX with a trusted system configuration. PAMAuthenticationViaKbdInt does not function with privsep. -- 2.45.2