|
| Privilege Separated OpenSSH |
 | | In order to get privilege separation after the authentication, the operating system needs to support file descriptor passing. |  | | The interface to the shared memory is very well abstracted and should be easy to re-implement on operating systems that do not support anonymous memory maps. |  | | This is achieved by changing its uid/gid to an unused user and restricting its file system access via chroot() to /var/empty. |
|
http://www.citi.umich.edu/u/provos/ssh/privsep.html
|
|
| Viruslist.com - Privilege Separation Makes Software Code More Secure |
 | | The methodology and design of privilege separation, a generic approach that lets parts of an application run without special privileges. |  | | Programming errors occurring in these now unprivileged parts of the application can no longer be abused to gain unauthorized privileges. |
|
http://www.viruslist.com/?tnews=1006&id=51603
|
|
| BSD Newsletter: OpenSSH fixes security hole |
 | | OpenSSH 3.4 fixes input validation errors that can result in an integer overflow and privilege escalation. |  | | This wouldn't stop the problem, but would make the system less vulnerable due to chrooted environment and unprivileged user. |  | | When the exploit was first announced, the actual problem was not defined and the actual fix was not provided. |
|
http://www.bsdnewsletter.com/2002/06/News8.html
|
|
| AusCERT - ESB-2002.313 -- Debian Security Advisory DSA-134-4 -- OpenSSH Remote Challenge Vulnerability |
 | | Some notes on possible issues associated with this upgrade: * This package introduce a new account called `sshd' that is used in the privilege separation code. |  | | In addition to the vulnerabilities fixes outlined above, our OpenSSH packages version 3.3 and higher support the new privilege separation feature from Niels Provos, which changes ssh to use a separate non-privileged process to handle most of the work. |  | | Users who upgraded to the OpenSSH version 3.3 packages released in previous iterations of DSA-134 should upgrade to the new version 3.4 OpenSSH packages, as the version 3.3 packages are vulnerable. |
|
http://www.auscert.org.au/render.html?it=2165&cid=1
|
|
| Putting a bandage on the OpenSSH flaw |
 | | Ultimately the best solution is to upgrade to 3.4. |  | | The major difference is that you will need to add a user and group called "sshd," and that for every SSH login there will be two sshd processes, one running as root and the other as the user currently logged in. |  | | Many vendors started issuing OpenSSH 3.3 packages at the beginning of the week, thus saving administrators the problems inherent in downloading the source code and attempting to properly build and configure OpenSSH on their own, and then creating packages from it -- to say nothing of quality assurance or regression testing. |
|
http://searchnetworking.techtarget.com/tip/1,289483,sid7_gci839071,00.html
|
|
| [No title] |
 | | USER ADMINISTRATION The purpose of user administration is to make sure that the information in the computer system about a user is correct and that access privileges are authorized and up-to-date. |  | | Access privileges of the prior position should be promptly removed. |  | | Once a position has been broadly defined, management must determine the type of computer access needed for the position. |
|
http://csrc.nist.gov/publications/nistbul/csl93-10.txt
|
|
| Encyclopedia4U - Secure computing - Encyclopedia Article |
 | | The other regards the computer system itself as largely an untrusted system, and redesigns it to make it more secure in a number of ways. |  | | Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers. |  | | Within computer systems, the two fundamental means of enforcing privilege separation are access control lists (ACLs) and capabilities. |
|
http://www.encyclopedia4u.com/s/secure-computing.html
|
|
| NSEC / Network Security Corp. / News & Alerts |
 | | Complex networks can benefit by separating data channels and control channels, such as BGP, into different logical or physical networks. |  | | In this fashion, the effectiveness of many intruder scanning techniques can be dramatically reduced. |  | | Exploitation of this vulnerability could result in privilege escalation. |
|
http://www.nsec.net/alerts_details.html?id=13
|
|
| Privilege Separation |
 | | You need to create the group and user to ssh work with privilege separation: |  | | By : Joel Cesar Zamboni ( Wed May 26 07:14:19 2004) |
|
http://www.unixguide.net/comments/sun/ssh_installation.shtml/49.shtml
|
|
| Re: Privilege separation revisited by Mike P. Mikhailov |
 | | JP> Is it possible to run all mod_perl things as a separate user (without JP> having to keep two parallel apache installations)? |  | | JP> The question is, what is the state-of-the-art approach for protecting data JP> written to a file by mod_perl from being overwritten by an untrusted user? |  | | I just want JP> to see if a solution has come up since then. |
|
http://mathforum.org/epigone/modperl/perltryrrang/3618701381.20030731162113@sibtel.ru
|
|
| 'Privilege'Line is overdrawn claim on shaky ground |
 | | However, when the privilege depends solely on the broad, undifferentiated claim of public interest in the confidentiality of such conversations, a confrontation with other values arises. |  | | In designing the structure of our Government and dividing and allocating the sovereign power among three co-equal branches, the Framers of the Constitution sought to provide a comprehensive system, but the separate powers were not intended to operate with absolute independence. |
|
http://www.freerepublic.com/forum/a150416.htm
|
|
| OpenSSH Challenge-Response Buffer Overflow Vulnerability on Xatrix Security |
 | | If this is not possible, administrators should upgrade to version 3.3 and enable the privilege separation feature. |  | | Note: It has been reported that hackers may be developing, or have functional exploit code. |  | | The OpenSSH development team has stated that OpenSSH 3.3 servers configured to use the new privilege separation feature are not exploitable. |
|
http://www.xatrix.org/print1652.html
|
|
| Re: Privilege separation revisited |
 | | The question is, what is the state-of-the-art approach for protecting data written to a file by mod_perl from being overwritten by an untrusted user? |  | | Is it possible to run all mod_perl things as a separate user (without having to keep two parallel apache installations)? |  | | You don't need, parallel installations, just parallel instances. |
|
http://www.mail-archive.com/modperl@apache.org/msg35417.html
|
|
| Separation of Powers Bibliography © 2003 |
 | | Cooper, Samuel W. “Notes: Considering Power in Separation of Powers.” Stanford Law Review 46 (1994): 361. |  | | of Thought and the Separation of Powers, a Modern Problem Considered in the Context of Montesquieu. |  | | Segal, Jeffery A. “Separation of Powers Games in the Positive Theory of Congress and Courts.” American Political Science Review 91 (1997): 28. |
|
http://www.separationofpowers.net/bibliography/bibliography.shtml
|
|
| Re: [tcpdump-workers] OpenBSD work on Tcpdump privilege separation |
 | | I guess it >>depends on whether pcap_set_datalink, pcap_snapshot (this one might >>be dangerous with root!) or pcap_lookupnet requires root privileges. |  | | The attached > patch moves dropping privileges a bit earlier. |  | | Now looking at the code, maybe the privilege separation >>could be done even slightly earlier in the "pcap_open_live" branch, >>e.g., after pcap_open_live, but I haven't tested this. |
|
http://www.tcpdump.org/lists/workers/2004/02/msg00047.html
|
|
| Network Associates Inc. -- McAfee® Research |
 | | The Privman library simplifies the otherwise complex task of separating the application, protecting the system from compromise if an error in the application logic is found. |  | | Privman is a library that makes it easy for programs to use privilege separation, a technique that prevents the leak or misuse of privilege from applications that must run with some elevated permissions. |  | | When the application is compromised, the attacker gains only the privileges of an unprivileged user and the specific privileges granted to the application by the application's Privman configuration file. |
|
http://opensource.nailabs.com/privman
|
|
| comp.security.ssh: Re: Privilege separation user "sshd" does not exist |
|
http://www.der-keiler.de/Newsgroups/comp.security.ssh/2002-06/0472.html
|
|
| Security Alert: Vulnerability in OpenSSH on All Operating Systems |
 | | v3.3 contains enhancements to privilege separation, including better integration with Linux and Solaris authentication systems (although there are still support issues on platforms other than OpenBSD and NetBSD). |  | | Enabling privilege separation splits the SSH daemon into two parts, a minimal control application that runs with root privileges, and a separate application that runs within a non-privileged environment. |  | | Test the impact of this change on a non-production server before implementing on production systems. |
|
http://www.counterpane.com/alert-openssh.html
|
|
| CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling |
 | | System administrators are encouraged to carefully review the implications of using the workaround in their environment, and use a more comprehensive solution if one is available. |  | | Not all operating system vendors have implemented the privilege separation code, and on some operating systems, it may limit the functionality of OpenSSH. |  | | A remote attacker can execute code with the privileges of the user running the sshd (often root). |
|
http://www.cert.org/advisories/CA-2002-18.html
|
|
| [Bugdev] Privman: privilege separation library |
 | | Just to let you know that guys from NAI Labs made available a very interesting project: privman. |  | | It's library that should make privilege separation easy: http://opensource.nailabs.com/privman/ Source code under BSD license is available. |
|
http://www.avet.com.pl/pipermail/bugdev/2002-October/000824.html
|
|
| OpenSSH - "Privilege separation user sshd does not exist" |
 | | -- conf file ------------- UsePrivilegeSeparation yes # HostKey for protocol version 1 HostKey /usr/local/ssh3/etc/ssh_host_key # HostKeys for protocol version 2 HostKey /usr/local/ssh3/etc/ssh_host_rsa_key HostKey /usr/local/ssh3/etc/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 -- conf file ------------- appshost2:/usr/local/ssh3# sbin/sshd Privilege separation user sshd does not exist ty, louie... |
|
http://www.linuxarkivet.se/mlists/debian-user/0206/msg04513.html
|
|
| Matt Swift - upgrading openssh 3.8.1p1-1 -> 3.9p1-1 breaks privilege separation |
 | | Either turning off privilege separation in /etc/sshd_config or downgrading and rebooting resolves the problem. |  | | I've verified on two machines running XP Pro with up-to-date Cygwin installations that upgrading from openssh 3.8.1p1-1 to openssh 3.9p1-1 breaks sshd when running with privilege separation (the default). |  | | I have no further insight into this problem; I mainly want just to report it. |
|
http://www.cygwin.com/ml/cygwin/2004-08/msg00625.html
|
|
| Create the privilege separation user and the chroot jail |
 | | If you don't understand the consequences of making a mistake with the |  | | useradd -c"sshd privilege separation" \ > -d/var/empty \ > -g27 \ > -s/usr/local/bin/nosh sshd |
|
http://brassbounder.plus.com/sshsolaris/sshd.html
|
|
| Kunkel v. Walton |
 | | In every one, there is a theoretical or practical recognition of this maxim, and at the same time a blending and admixture of different powers. |  | | As the previous paragraph makes clear, waiver of the statutory physician-patient privilege simply means that communications that could not be disclosed absent the filing of a lawsuit placing the plaintiff's medical condition at issue are treated like any other information that may be discoverable (and possibly admissible) under applicable rules. |  | | Section 2-1003 merely sets forth the procedural framework necessary to implement the General Assembly's public policy determination to permit earlier and broader discovery by modifying the statutory exception to the physician-patient privilege relating to the placing of the plaintiff's medical condition at issue by the filing of suit. |
|
http://www.icjl.org/data2/kunkel.htm
|
|
| Stefan Troeger - sshd and privilege separation |
 | | When trying to start sshd afterwards with 'cygrunsrv -S sshd', I get the following error message: cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error 1062: Der Dienst wurde nicht gestartet. |  | | /var/log/sshd.log shows: Privilege separation user sshd does not exist The user exists and is in /etc/passwd. |  | | Hi, I'm trying to set up sshd (openssh 3.4p1-4) with privilege separation on Windows 2000 Professional. |
|
http://sources.redhat.com/ml/cygwin/2002-07/msg00669.html
|
|
| [No title] |
 | | Prior to the release of this advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to version 3.3. |  | | Affected Versions: OpenBSD 3.0 OpenBSD 3.1 FreeBSD-Current OpenSSH 3.0-3.2.3 OpenSSH version 3.3 implements "privilege separation" which mitigates the risk of a superuser compromise. |  | | Privilege separation was implemented in FreeBSD-Current on June 23, 2002. |
|
http://www.openssh.com/txt/iss.adv
|
|
| MDKSA-2002:040-openssh on Xatrix Security |
 | | Unfortunately, there are some known problems with this release; compression does not work on all operating systems and the PAM support has not been completed. |  | | The priv separation code is significantly improved in version 3.3 of OpenSSH which was released on June 21st. |  | | According to the OpenSSH team, this remote vulnerability cannot be exploited when sshd is running with privilege separation. |
|
http://www.xatrix.org/print1649.html
|
|
| OpenBSD - Wikipedia, the free encyclopedia |
 | | Privilege separation, privilege revocation, and randomized loading of libraries also play an ever increasing role in the security of the system. |  | | A static bounds checker was added to the toolchain, which attempts to find common programming mistakes at compile time. |  | | W^X (pronounced: "w x-or x") is a fine-grained memory management scheme ensuring that memory is either writable, or executable, but never both, providing yet another layer of protection against buffer overflows. |
|
http://en.wikipedia.org/wiki/OpenBSD
|
|
| SecuriTeam.com (Upcoming OpenSSH Vulnerability (Privileges Separation)) |
 | | A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privileges. |  | | Depending on what your system is, privilege separation may break some SSH functionality. |  | | The basic idea behind privilege separation is that OpenSSH sshd(8) has something like 27000 lines of code. |
|
http://www.securiteam.com/securitynews/5HP0L1F7FA.html
|
|
| Principle of Least Privilege |
 | | Through the use of RBAC, enforced minimum privileges for general system users can be easily achieved. |  | | Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. |  | | Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. |
|
http://hissa.nist.gov/rbac/paper/node5.html
|
|
| [No title] |
 | | Privilege separation, or privsep, is method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. |  | | Compression will be disabled on systems without a working mmap MAP_ANON. |  | | On systems which lack mmap or anonymous (MAP_ANON) memory mapping, compression must be disabled in order for privilege separation to function. |
|
http://www.sunfreeware.com/README.privsep
|
|
| Executive privilege and the abuse of power |
 | | The costs and benefits of executive privilege need to be toted up in this unhealthy political environment. |  | | Because of the power imbalance, executive privilege has far greater costs than benefits. |  | | Considering executive privilege alone is inadequate, because it is embedded in the larger context of the balance of power between these two branches of government. |
|
http://foi.missouri.edu/execprivilege/executiveprivilege.html
|
|
| Microsoft Security Bulletin (MS00-020) |
 | | The vulnerability could allow a malicious user to gain additional privileges on a machine that he could log onto at the keyboard. |  | | In the Windows 2000 security model, a hierarchy of container objects is used to separate processes. |  | | Microsoft Knowledge Base (KB) article 260197, Interactive Logon may Allow Desktop Process Privilege Elevation |
|
http://www.microsoft.com/technet/security/bulletin/ms00-020.asp
|
|
| HNS - EnGarde Secure Linux Advisory - openssh introduce privilege separation into sshd |
 | | He also noted that versions of sshd with a new feature called "privilege separation" were immune to the attack (which he gave no details on). |  | | For more information on privilege separation, please see: http://www.citi.umich.edu/u/provos/ssh/privsep.html The full text of Theo's announcement may be found at: http://www.linuxsecurity.com/articles/cryptography_article-5185.html SOLUTION - -------- Users of the EnGarde Professional edition can use the Guardian Digital Secure Network to update their systems automatically. |  | | EnGarde Community users should upgrade to the most recent version as outlined in this advisory. |
|
http://www.net-security.org/advisory.php?id=802
|
|
| Separation of Powers Under the United States Constitution |
 | | As James Madison argued in the Federalist Papers (No. 51), "Ambition must be made to counteract ambition." Clearly, our system of separated powers is not designed to maximize efficiency; it is designed to maximize freedom. |  | | James Madison, in his original draft of what would become the Bill of Rights, included a proposed amendment that would make the separation of powers explicit, but his proposal was rejected, largely because his fellow members of Congress thought the separation of powers principle to be implicit in the structure of government under the Constitution. |  | | Rehnquist noted that the creation of the independent counsel position did not represent an attempt by any branch to increase its own powers at the expense of another branch, and that the executive branch maintained "meaningful" controls over the counsel's exercise of his or her authority. |
|
http://www.law.umkc.edu/faculty/projects/ftrials/conlaw/separationofpowers.htm
|
|
| My curriculum vitae |
 | | Privilege Separated OpenSSH - use privilege separation to contain unknown programming errors in a completely unprivileged process. |  | | Honeyd - a small daemon for creating virtual honeypots. |  | | "Preventing Privilege Escalation", USENIX Security Symposium, Washington, DC, August 2003. |
|
http://www.citi.umich.edu/u/provos/cv.html
|
|
| KarKomaOnline - Privilege separation in Portage (from gentoo.org) |
 | | One nice feature of Portage is that it can drop privileges and compile as a less privileged user. |  | | Portage is now set up to drop root privileges and build packages under the portage user account. |  | | After the ownership has been set properly, you need to enable the features for privilege separate in /etc/make.conf. |
|
http://www.karkomaonline.com/article.php?story=20030706193136469
|
|
| Bush Administration Asserts Executive Privilege |
 | | I also understand that you believe it would be inconsistent with the constitutional doctrine of separation of powers and the Department's law enforcement responsibilities to release these documents to the Committee or to make them available for review by Committee representatives. |  | | I also request that the Department remain willing to work informally with the Committee to provide such information as it can, consistent with these instructions and without violating the constitutional doctrine of separation of powers. |  | | It is my decision that you should not release these documents or otherwise make them available to the Committee. |
|
http://www.fas.org/sgp/bush/121201_execpriv.html
|
|
| Law Offices Of Robert Berke - Articles |
 | | Privileges are legislative creations, and changes to them also must come directly from the Legislature, Pertel said. |  | | Evidence Code Section 970 states that "a married person has a privilege not to testify against his spouse in any proceeding." The intent of the marital privilege is to protect marriages from the disruption that testimony could create, according to the code. |  | | If this writ had been denied, it could have had ramifications for other privileges, such as attorney-client and doctor-patient, Pertel said. |
|
http://www.lorb.com/articles-09.htm
|
|
| HSC - Presentations - How to design secure network applications based on privilege separation |
 | | What are the basic security functionalities under Unix needed to build privilege separation and how to use them to design more secure applications |
|
http://www.hsc-labs.com/ressources/presentations/privsep/index.html.en
|
|
| SOLARSPEED.NET - News |
 | | As additional downside Sun did not enable privilege separation in the SSHd configuration. |  | | Privilege separation (if enabled) considerably limits the exploitability of OpenSSH when a vulnerability is found and actively exploited. |  | | It would sure have been beneficial to have privilege separation enabled as it is the case with the PKGmaster.com OpenSSH and our own free OpenSSH PKG. |
|
http://www.solarspeed.net/news/783.php
|
|
| APPLICABILITY TO EXECUTIVE PRIVILEGE TO DELIBERATIONS REGARDING ASSERTION OF PRIVILEGE |
 | | Based on our review of these documents, we conclude that they are clearly protected by executive privilege and may properly be the subject of an executive privilege claim. |  | | We believe that the deliberative process concerning the President's assertion of his constitutional privilege is at the heart of the interests protected by the privilege -- not only because of the heightened confidentiality interests regarding such deliberations, but also because of the severe separation of powers concerns raised by a congressional intrusion on that process. |  | | Nixon, 418 U.S. President and those who assist him must be free to explore alternatives in the process of shaping policies and making decisions and to do so in a way many would be unwilling to express except privately." Id. |
|
http://www.usdoj.gov/olc/hatchep2.htm
|
|
| Legislator's Immunity - Separation of Powers necessary for preservation of Democracy |
 | | Legislatures may not of course acquire power by an unwarranted extension of privilege. |  | | In accordance with Title 17 U.S.C. section 107, this material is distributed without profit or payment to those who have expressed a prior interest in receiving this information for non-profit research and educational purposes only. |  | | I see no reason why any officer of government should be higher than the Constitution from which all rights and privileges of an office obtain. |
|
http://www.fa-ir.org/ai/case_tenney.htm
|
|
| "Executive privilege", "Separation of powers", and the imperial presidency |
 | | As Atrios points out, there are multiple problems with this explanation, not the least of which is that the 9/11 commission is not specifically a creature of the Congress -- it was created as an independent body with key members named by the president himself. |  | | Executive privilege, in fact, deals only in situations in which presidential advisers are compelled to testify before Congress. |  | | The traditional understanding of executive privilege is that it extends only to congressional inquiries. |
|
http://discuss.agonist.org/yabbse/index.php?board=1;action=display;threadid=18163
|
|
| Privilege separation user |
 | | I was happy to read about the "privilege separation user". |  | | Root privileges are required for some operations at login time (eg reading the password file) or at some time later (eg allocating a pty), so the monitor hangs around as long as you're logged in. |  | | So, I added this to my config file: UsePrivilegeSeparation yes And the sshd user + group were created. |
|
http://www.webservertalk.com/message56592.html
|
|
| POP service privilege separation? |
 | | I am not very familiar with POP service (from RH8.0 IMAP2001a), so I can't separate pop-users privileges from system users. |  | | I am using RH8.0 Linux with sendmail and imap package installed. |
|
http://www.usenet.com/newsgroups/comp.os.linux.security/msg01139.html
|
|
|