* Olaf Kirch wrote on Tue, Jun 25, 2002 at 18:10 +0200:
> Setting PrivilegeSeparation to on causes large portions of the daemon to run in a so-called "chroot jail", i.e. in a very restricted environment. An attacker breaking this part of the SSH daemon will

Seems that it does not work for me. I upgraded as described, but didn't find a chrooted or setuid=sshd process after restarting sshd. I really wonder why no one else has this problem? Did you check that ssh runs in chroot as sshd correctly? Or did you just upgrade without verification? I think both hosts I upgraded so far are still exploitable!

Detailed description:

Host #1:

    VERSION = 7.0
    openssh-3.3p1-6
    -rwxr-xr-x 1 root root 754084 Jun 25 13:08 /usr/sbin/sshd

    SSH|root@host:~ # grep Sepa /etc/ssh/sshd_config
    UsePrivilegeSeparation yes
    SSH|root@host:~ # ps axu|grep ssh
    root 8275 1.2 1.3 1968 892 ? S 11:23 0:03 /usr/sbin/sshd-old -p 1243
    root 8399 0.8 1.4 2052 976 ? S 11:24 0:01 /usr/sbin/sshd
    root 8464 6.9 2.3 2632 1556 ? S 11:27 0:01 /usr/sbin/sshd-old -p 1234
    SSH|root@host:~ # grep Uid /proc/8399/status
    Uid: 0 0 0 0
    SSH|root@host:~ # lsof|grep sshd|grep cwd
    sshd-old 8275 root cwd DIR 3,2 409 2 /
    sshd 8399 root cwd DIR 3,2 409 2 /
    SSH|root@host:~ # file /var/empty/ /var/lib/sshd/
    /var/empty/: directory
    /var/lib/sshd/: directory
    SSH|root@host:~ # id sshd
    uid=71(sshd) gid=65(sshd) groups=65(sshd)

and RPM really replaced the binary:

    -rwxr-xr-x 1 root root 308920 Jun 25 12:52 /usr/sbin/sshd

user and dirs are there, but no chroot. I guess this update does not help anything.

Host #2

    SuSE Linux eMail Server (i386)
    VERSION = 7.2
    openssh-3.3p1-6.i386.rpm: md5 gpg OK
    rpm -q openssh --> openssh-3.3p1-6
    uid=71(sshd) gid=65(sshd) groups=65(sshd)
    # lsof |grep sshd|grep cwd
    sshd 23998 root cwd DIR 3,2 417 2 /
    sshd 24034 root cwd DIR 3,2 417 2 /
    sshd-old 24170 root cwd DIR 3,2 417 2 /

no chroot either.

Any ideas??

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
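
The check discussed in this message can be done per process by reading the effective UID from /proc/PID/status and the root directory from the /proc/PID/root symlink; the following is an added example, not part of the original message or of OpenSSH. With privilege separation the listening daemon stays root with root directory /, and the unprivileged chrooted child exists only while a connection is in its pre-authentication phase, so the report has to be taken while such a connection is open. The function names, PID 8501 and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Report every sshd process with its effective UID and root directory.
# $1 = proc mount point (defaults to /proc); it is a parameter so the
# function can also be run against a constructed tree.
# Usage on a live host (as root): sshd_privsep_report /proc
sshd_privsep_report() {
    proc=${1:-/proc}
    for dir in "$proc"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        name=$(awk '$1 == "Name:" { print $2 }' "$dir/status")
        case $name in sshd*) ;; *) continue ;; esac
        # "Uid:" lists real, effective, saved, fs; field 3 is effective
        euid=$(awk '$1 == "Uid:" { print $3 }' "$dir/status")
        # /proc/PID/root is a symlink to the process's root directory
        root=$(readlink "$dir/root" 2>/dev/null) || root='?'
        # jailed = runs without root privileges AND has a changed root
        if [ "$euid" != 0 ] && [ "$root" != / ] && [ "$root" != '?' ]; then
            verdict=jailed
        else
            verdict=not-jailed
        fi
        printf '%s %s euid=%s root=%s %s\n' \
            "${dir##*/}" "$name" "$euid" "$root" "$verdict"
    done
}

# Constructed sample tree: the root listener (PID 8399 as in the post),
# a hypothetical pre-auth child (PID 8501, uid 71, root /var/empty),
# and an unrelated process that must be skipped.
make_sample_proc() {
    d=$1
    mkdir -p "$d/100" "$d/8399" "$d/8501"
    printf 'Name:\tbash\nUid:\t0\t0\t0\t0\n' > "$d/100/status"
    ln -s / "$d/100/root"
    printf 'Name:\tsshd\nUid:\t0\t0\t0\t0\n' > "$d/8399/status"
    ln -s / "$d/8399/root"
    printf 'Name:\tsshd\nUid:\t71\t71\t71\t71\n' > "$d/8501/status"
    ln -s /var/empty "$d/8501/root"
}
```
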