[Dailydave] PrivSep

Sebastian Krahmer krahmer at suse.de
Wed Jun 20 02:27:34 EDT 2007


On Tue, 19 Jun 2007, Darren Spruell wrote:

hi,

> 
> Interesting, but is there ever an assumption that these sessions are
> "secured" from the superuser in Unix in the first place?
No, of course not. It is not an exploit.

> 
> - root has direct access to memory to retrieve session keying material
> - root can read the shadow password file
> - root can trojan/patch sshd to collect credentials and session data
> - root can read/write the pty
But it is a difference (in the workload) to peek and rebuild keys
on a system which has ASLR and on a daemon which zeroes out
temporary key storage for security reasons but which passes
the login tokens for free. If strace is installed you
could use that at the end. Locally, the keying material is
not really important.

Honestly, if someone owns your PrivSep'ed sshd remotely, with all the
kernel exploits that turn up once in a while, will this really protect you?
It rather adds a complexity which leads to comments such as
'Fix a bug in the sshd privilege separation monitor that weakened its 
verification of successful authentication. ...' in the ChangeLog.

thx,
Sebastian

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
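To make the PrivSep argument in the message above concrete, here is an added example (my own illustration, not OpenSSH code and not code from the poster): a toy privilege-separation monitor in C. The monitor keeps the credential check and the "authenticated" state on its own side of a socketpair; the unprivileged child only sends requests. The point the ChangeLog line hints at is the last step: the monitor must decide from state it recorded itself, never from a flag the child asserts. The user/password pair, the message format, and the use of uid/gid 65534 as the unprivileged account are constructed assumptions for the demo; the real sshd monitor protocol is considerably more involved.

```c
/* Added example: toy privilege-separated authentication (not OpenSSH code). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

enum msg_type { MSG_AUTH_PASSWORD = 1, MSG_PRIV_OP, MSG_RESULT };

/* Wire format between the unprivileged child and the privileged monitor. */
struct msg {
    int type;
    int ok;                      /* result code in MSG_RESULT replies */
    int claimed_authenticated;   /* attacker-controlled if the child is owned */
    char user[32];
    char secret[32];
};

struct monitor {
    int authenticated;           /* written only by monitor_handle() */
    char user[32];
};

/* Constructed stand-in for the shadow file: only the monitor ever calls this. */
static int check_password(const char *user, const char *pw)
{
    return strcmp(user, "alice") == 0 && strcmp(pw, "correct-horse") == 0;
}

/* Wipe a buffer through a volatile pointer so the store is not optimised away. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Monitor side: returns 1 if granted, 0 if refused, and fills *resp. */
int monitor_handle(struct monitor *m, const struct msg *req, struct msg *resp)
{
    int granted = 0;
    memset(resp, 0, sizeof *resp);
    resp->type = MSG_RESULT;
    switch (req->type) {
    case MSG_AUTH_PASSWORD: {
        char pw[32];
        memcpy(pw, req->secret, sizeof pw);
        pw[sizeof pw - 1] = '\0';
        granted = check_password(req->user, pw);
        secure_zero(pw, sizeof pw);           /* temporary secret wiped after use */
        if (granted) {
            m->authenticated = 1;
            snprintf(m->user, sizeof m->user, "%s", req->user);
        }
        break;
    }
    case MSG_PRIV_OP:
        /* A weakened check would be "granted = req->claimed_authenticated".
         * Only the monitor's own record of a successful auth counts. */
        granted = m->authenticated;
        break;
    default:
        break;
    }
    resp->ok = granted;
    return granted;
}

/* Child side: send one request and return the monitor's verdict (-1 on I/O error). */
static int ask_monitor(int fd, struct msg *req)
{
    struct msg resp;
    if (write(fd, req, sizeof *req) != sizeof *req) return -1;
    if (read(fd, &resp, sizeof resp) != sizeof resp) return -1;
    return resp.ok;
}

int main(void)
{
    int sv[2];
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    if ((pid = fork()) < 0) return 1;
    if (pid == 0) {                          /* unprivileged child */
        struct msg req;
        close(sv[0]);
        /* Assumed unprivileged account: uid/gid 65534 ("nobody" on many systems). */
        if (geteuid() == 0 && (setgid(65534) || setuid(65534))) _exit(1);
        memset(&req, 0, sizeof req);
        req.type = MSG_PRIV_OP;
        req.claimed_authenticated = 1;       /* a lie the monitor must ignore */
        printf("child: priv op before auth -> %d\n", ask_monitor(sv[1], &req));
        req.type = MSG_AUTH_PASSWORD;
        strcpy(req.user, "alice");
        strcpy(req.secret, "correct-horse");
        printf("child: password auth       -> %d\n", ask_monitor(sv[1], &req));
        memset(&req, 0, sizeof req);
        req.type = MSG_PRIV_OP;
        printf("child: priv op after auth  -> %d\n", ask_monitor(sv[1], &req));
        _exit(0);
    }
    {                                        /* privileged monitor */
        struct monitor m = {0};
        struct msg req, resp;
        close(sv[1]);
        while (read(sv[0], &req, sizeof req) == sizeof req) {
            monitor_handle(&m, &req, &resp);
            if (write(sv[0], &resp, sizeof resp) != sizeof resp) break;
        }
        waitpid(pid, NULL, 0);
    }
    return 0;
}
```

Run as an ordinary user and the three child lines print 0, 1, 1: the forged `claimed_authenticated` flag buys nothing, the privileged operation is only granted after the monitor itself saw a correct password. As the message notes, none of this stops a root attacker who can ptrace or read the monitor's memory; it only limits what a compromised child can ask for.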