why sshd is running under root ?

Hi
I dont understand why the deamon for ssh is running under root,
if it crashes it could be secutity problem?
I new that it needs roots to launch listen socket, but why after ?
thanks.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RosalieM wrote:

> Hi
> I dont understand why the deamon for ssh is running under root,
> if it crashes it could be secutity problem?
> I new that it needs roots to launch listen socket, but why after ?
> thanks.

I would imagine sshd runs as root in order to properly handle disparate
user logons. sshd is servicing ssh client sessions which may be for any
logon including root. If sshd were prevented from changing
effective/actual userid and effective/actual groupid, then it's spawned
per-logon server processes could not act as the intended logged on user,
but would always act as (have the effective/real uid and gid of) the
sshd daemon user.

Since changing userid and groupid in this manner is an action restricted
to root, then the sshd daemon must retain the root userid.

- --

Lew Pitcher, IT Consultant, Enterprise Application Architecture
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed here are my own, not my employer's)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFApQgsagVFX4UWr64RAjtQAJoDPc8PNh678yXRqVbd7I tcpnY8iwCg0eoH
FGVnX3GD7p1cL5JpwzFAlVU=
=uuAm
-----END PGP SIGNATURE-----

On Fri, 14 May 2004 19:24:03 +0200, RosalieM wrote:

> Hi
> I dont understand why the deamon for ssh is running under root, if it
> crashes it could be secutity problem? I new that it needs roots to launch
> listen socket, but why after ? thanks.

It has to set the login credentials and fork off a child running as the
user who is logging in. This needs root privilege.

You can reduce the risk by using privilege separation which is often the
default in sshd configurations shipped with Linux, but this can cause
things to break e.g. if you have overriden the default ulimits. SuSE for
instance have recently changed (in SLES anyway) to turning privilege
separation off by default.

If you do use privilege separation you will still see the daemon running
as root but it is actually giving up its root privileges most of the time.

There is very little real risk as long as you keep sshd up to date. Most
distributors publish security patches in a very timely fashion. Sshd is
designed with security as the paramount factor, it comes from the highly
paranoid OpenBSD stable.

Regards, Ian

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

In comp.os.linux.networking Ian Northeast <(E-Mail Removed)> suggested:
> On Fri, 14 May 2004 19:24:03 +0200, RosalieM wrote:

[ sshd running as root ]

> You can reduce the risk by using privilege separation which is often the
> default in sshd configurations shipped with Linux, but this can cause
> things to break e.g. if you have overriden the default ulimits. SuSE for
> instance have recently changed (in SLES anyway) to turning privilege
> separation off by default.

Bad, the last security problems with sshd, perhaps a year ago,
didn't had any impact if privilege separation was turned on.

[..]

> There is very little real risk as long as you keep sshd up to date. Most
> distributors publish security patches in a very timely fashion. Sshd is
> designed with security as the paramount factor, it comes from the highly
> paranoid OpenBSD stable.

Yep, simply run the latest.

$ ssh -V
OpenSSH_3.8.1p1

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFApVo5AkPEju3Se5QRAjHzAJ0Z/onq3qkPREox2j0nr5/CS3j4rACfa0Fv
8EPtqL2r9VE16VLrVfepzgk=
=UbEm
-----END PGP SIGNATURE-----