Andrew Sackville-West wrote:
> This is only a guess, so hopefully someone who knows will chime in. It
> sounds like typical forking behavior to me.
ssh's privilege separation is somewhat atypical. From sshd_config(5):

     UsePrivilegeSeparation
             Specifies whether sshd(8) separates privileges by creating an
             unprivileged child process to deal with incoming network
             traffic. After successful authentication, another process
             will be created that has the privilege of the authenticated
             user. The goal of privilege separation is to prevent
             privilege escalation by containing any corruption within the
             unprivileged processes. The default is “yes”.

The process tree looks like this:

root      1554  0.0  0.0   5456   692 ?        Ss   Nov19   0:00 /usr/sbin/sshd
root     29117  0.5  0.2   8516  2944 ?        Ss   18:42   0:00  \_ sshd: joey [priv]
joey     29122  0.0  0.1   8648  1920 ?        S    18:42   0:00      \_ sshd: j...@pts/3
joey     29123  0.8  0.2   6984  2556 pts/3    Ss   18:42   0:00          \_ -zsh

In order, the processes are:

* The parent process, listening for new connections and forking children.
* The privileged monitor process, that is never exposed directly to the
  network, and handles requests on behalf of the next process.
* The unprivileged process that talks to the network and runs the shell.

The original question was why the second process runs as root. As far as I
can tell, the monitor needs root to:

a. Use PAM to authenticate the user in the first place.
b. Update the utmp file and do other cleanup at the end, including removing
   write permission to the tty device that was used during the session.

-- 
see shy jo
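As an added example (not from the original thread), a small Python check that reads `ps -eo user,pid,ppid,args` output and verifies the three-process layout described above: a root `[priv]` monitor under the listener, and the network-facing `sshd: user@tty` process running as the authenticated user rather than root. The sample listings, the user name `alice` and the PIDs are constructed for the example.

```python
"""Verify sshd privilege-separation layout from `ps -eo user,pid,ppid,args` output."""
import re
import subprocess

# Constructed sample (not the listing from the post): listener, [priv] monitor,
# unprivileged network/session process, user's shell.
GOOD_PS = """\
USER       PID  PPID COMMAND
root      1554     1 /usr/sbin/sshd
root     29117  1554 sshd: alice [priv]
alice    29122 29117 sshd: alice@pts/3
alice    29123 29122 -zsh
"""

# Constructed sample of the shape seen with privilege separation disabled:
# no monitor, and the network-facing process itself runs as root.
BAD_PS = """\
USER       PID  PPID COMMAND
root      1554     1 /usr/sbin/sshd
root     29117  1554 sshd: alice@pts/3
alice    29123 29117 -zsh
"""

# Newer OpenSSH names the per-connection processes "sshd-session" (assumption
# about naming; the post's listing shows "sshd").
PRIV_RE = re.compile(r"^sshd(?:-session)?: (\S+) \[priv\]$")
NET_RE = re.compile(r"^sshd(?:-session)?: (\S+)@(\S+)$")


def parse_ps(text):
    """Return {pid: (user, ppid, args)} from ps output with a header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        if line.strip():
            user, pid, ppid, args = line.split(None, 3)
            procs[int(pid)] = (user, int(ppid), args)
    return procs


def check_privsep(procs):
    """Return findings for each network-facing sshd process; [] means OK."""
    findings = []
    for pid, (user, ppid, args) in procs.items():
        m = NET_RE.match(args)
        if not m:
            continue  # only the "sshd: user@tty" processes are checked
        login = m.group(1)
        if user == "root":
            findings.append(f"pid {pid}: network-facing sshd for {login} runs as root")
        elif user != login:
            findings.append(f"pid {pid}: runs as {user} but session is for {login}")
        parent = procs.get(ppid)
        if parent is None:
            findings.append(f"pid {pid}: parent {ppid} not found")
            continue
        puser, pppid, pargs = parent
        pm = PRIV_RE.match(pargs)
        if not pm or pm.group(1) != login:
            findings.append(f"pid {pid}: parent {ppid} is not the [priv] monitor for {login}")
        elif puser != "root":
            findings.append(f"pid {ppid}: monitor runs as {puser}, expected root")
        elif not procs.get(pppid, ("", 0, ""))[2].split()[0].endswith("sshd"):
            findings.append(f"pid {ppid}: monitor's parent {pppid} is not the sshd listener")
    return findings


if __name__ == "__main__":
    live = subprocess.run(["ps", "-eo", "user,pid,ppid,args"],
                          capture_output=True, text=True, check=True).stdout
    print("\n".join(check_privsep(parse_ps(live))) or "privilege separation layout OK")
```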