diff options
| author | Damien Miller <djm@mindrot.org> | 2003-11-21 23:48:55 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2003-11-21 23:48:55 +1100 |
| commit | a8e06cef35c205e1aa562513c6d034a10c8c9a6d (patch) | |
| tree | cf8bdb4466f553088c020b9179cabd6eaf196075 /README.privsep | |
| parent | 8c5e91c03fdd2693f0635f8b2a9904bffc94ce16 (diff) | |
- djm@cvs.openbsd.org 2003/11/21 11:57:03
[everything]
unexpand and delete whitespace at EOL; ok markus@
(done locally and RCS IDs synced)
Diffstat (limited to 'README.privsep')
| -rw-r--r-- | README.privsep | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/README.privsep b/README.privsep index 64adad83..9d48bbcf 100644 --- a/README.privsep +++ b/README.privsep @@ -1,15 +1,15 @@ Privilege separation, or privsep, is method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege -escalation by containing corruption to an unprivileged process. +escalation by containing corruption to an unprivileged process. More information is available at: http://www.citi.umich.edu/u/provos/ssh/privsep.html Privilege separation is now enabled by default; see the UsePrivilegeSeparation option in sshd_config(5). -On systems which lack mmap or anonymous (MAP_ANON) memory mapping, -compression must be disabled in order for privilege separation to +On systems which lack mmap or anonymous (MAP_ANON) memory mapping, +compression must be disabled in order for privilege separation to function. When privsep is enabled, during the pre-authentication phase sshd will @@ -38,9 +38,9 @@ privsep user and chroot directory: Privsep requires operating system support for file descriptor passing. Compression will be disabled on systems without a working mmap MAP_ANON. -PAM-enabled OpenSSH is known to function with privsep on Linux. +PAM-enabled OpenSSH is known to function with privsep on Linux. It does not function on HP-UX with a trusted system -configuration. +configuration. On Compaq Tru64 Unix, only the pre-authentication part of privsep is supported. Post-authentication privsep is disabled automatically (so @@ -61,4 +61,4 @@ process 1005 is the sshd process listening for new connections. process 6917 is the privileged monitor process, 6919 is the user owned sshd process and 6921 is the shell process. -$Id: README.privsep,v 1.12 2003/08/26 00:48:15 djm Exp $ +$Id: README.privsep,v 1.13 2003/11/21 12:48:55 djm Exp $ |