Thomas Lussnig thomas.lussnig at
Tue Jun 25 08:57:56 PDT 2002

> Setting PrivilegeSeparation to on causes large portions of the daemon
> to run in a so-called "chroot jail", i.e. in a very restricted environment.
> An attacker breaking this part of the SSH daemon will *not* obtain full
> root privilege (as he would if sshd runs without this option), but
> will find himself in an empty directory, inside a process running as
> a non-privileged user (he can still do some harm this way, but it's
> a far cry from full root powers, of course).
> ---------------

> Again, this looks like the OpenSSH team are being as paranoid as possible and
> this Privilege Separation is to protect against the potential outcome of a
> potential remote exploit of the SSHd.
Yeah, but I'm not so sure if the "root-jail" is as safe as many people
think. Because if I look at grsecurity, it could be much stricter.

1. You can create new device (mknod)
2. You can mount
3. You can change the user.

And if I missed nothing in the Changelog of openssh, they do not
use "acl", which means you can NOT, except on FreeBSD, restrict what a user
can do. That means you can harm the "default" system even in a chroot.

This is the code I use to patch ssh against such attacks.

#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Restrict the calling process to the capabilities in `caps`:
   the effective and permitted sets are ANDed with the mask.
   Raw capget/capset syscalls are used so no libcap link is needed. */
void Set_Cap(unsigned int caps) {
         struct __user_cap_header_struct capability_header;
         struct __user_cap_data_struct   capability_user;
         capability_header.version       = _LINUX_CAPABILITY_VERSION;
         capability_header.pid           = 0;   /* 0 = calling process */
         /* read the current sets first; ANDing uninitialised memory is meaningless */
         if (syscall(SYS_capget, &capability_header, &capability_user) != 0)
                  return;
         capability_user.effective  &= caps;
         capability_user.permitted  &= caps;
         syscall(SYS_capset, &capability_header, &capability_user);
}
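The three things listed above that root can still do inside a chroot each sit behind one Linux capability: mknod needs CAP_MKNOD, mount needs CAP_SYS_ADMIN, and changing user needs CAP_SETUID/CAP_SETGID. The following is an added example, not Thomas's patch or OpenSSH code: it reads the current capability sets with the raw capget syscall, clears exactly those bits from the permitted, effective and inheritable sets with capset, and verifies they are gone. It uses the 64-bit (version 3) capability ABI so capabilities above bit 31 survive the round trip; the names `jail_denied_caps`, `read_caps`, `drop_caps` and `caps_are_gone` are chosen here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Capability header for the calling thread, using the 64-bit (v3) ABI. */
static struct __user_cap_header_struct cap_hdr(void) {
    struct __user_cap_header_struct h;
    h.version = _LINUX_CAPABILITY_VERSION_3;
    h.pid = 0;                           /* 0 = calling thread */
    return h;
}

/* The capabilities behind the three operations named in the mail:
   CAP_MKNOD (mknod), CAP_SYS_ADMIN (mount), CAP_SETUID/CAP_SETGID (change user). */
uint64_t jail_denied_caps(void) {
    return (1ULL << CAP_MKNOD) | (1ULL << CAP_SYS_ADMIN)
         | (1ULL << CAP_SETUID) | (1ULL << CAP_SETGID);
}

/* Read the thread's permitted, effective and inheritable sets as 64-bit masks.
   Returns 0 or -errno. Reading is allowed for every process. */
int read_caps(uint64_t *permitted, uint64_t *effective, uint64_t *inheritable) {
    struct __user_cap_header_struct h = cap_hdr();
    struct __user_cap_data_struct d[2] = {{0, 0, 0}, {0, 0, 0}};
    if (syscall(SYS_capget, &h, d) != 0)
        return -errno;
    *permitted   = ((uint64_t)d[1].permitted   << 32) | d[0].permitted;
    *effective   = ((uint64_t)d[1].effective   << 32) | d[0].effective;
    *inheritable = ((uint64_t)d[1].inheritable << 32) | d[0].inheritable;
    return 0;
}

/* Remove `denied` from all three sets. The request only ever shrinks the sets,
   so the kernel accepts it from privileged and unprivileged callers alike, and
   capset can never put the permitted bits back. Returns 0 or -errno. */
int drop_caps(uint64_t denied) {
    uint64_t p, e, i;
    int rc = read_caps(&p, &e, &i);
    if (rc != 0)
        return rc;
    p &= ~denied;
    e &= ~denied;                        /* effective stays a subset of permitted */
    i &= ~denied;
    struct __user_cap_header_struct h = cap_hdr();
    struct __user_cap_data_struct d[2];
    d[0].permitted   = (uint32_t)p;  d[1].permitted   = (uint32_t)(p >> 32);
    d[0].effective   = (uint32_t)e;  d[1].effective   = (uint32_t)(e >> 32);
    d[0].inheritable = (uint32_t)i;  d[1].inheritable = (uint32_t)(i >> 32);
    if (syscall(SYS_capset, &h, d) != 0)
        return -errno;
    return 0;
}

/* 1 if none of the bits in `mask` remain in any of the three sets, else 0. */
int caps_are_gone(uint64_t mask) {
    uint64_t p, e, i;
    if (read_caps(&p, &e, &i) != 0)
        return 0;
    return ((p | e | i) & mask) == 0;
}

int main(void) {
    uint64_t p, e, i;
    if (read_caps(&p, &e, &i) != 0) { perror("capget"); return 1; }
    printf("before: permitted=%#llx effective=%#llx\n",
           (unsigned long long)p, (unsigned long long)e);
    int rc = drop_caps(jail_denied_caps());
    if (rc != 0) { fprintf(stderr, "capset: %s\n", strerror(-rc)); return 1; }
    read_caps(&p, &e, &i);
    printf("after:  permitted=%#llx effective=%#llx\n",
           (unsigned long long)p, (unsigned long long)e);
    return caps_are_gone(jail_denied_caps()) ? 0 : 1;
}
```

Run as root before the chroot(2) call and the jailed process keeps its uid 0 but can no longer create device nodes, mount, or switch user; run as an ordinary user the drop is a no-op that still succeeds, which is why the sequence is safe to call unconditionally. Note that unlike the patch above this reads the sets before masking them; masking uninitialised memory hands the kernel an arbitrary request.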

