| version 1.26, 2016/01/08 13:06:28 |
version 1.27, 2016/01/16 22:10:12 |
|
|
| First implemented by |
First implemented by |
| <a href="http://www.citi.umich.edu/u/provos/ssh/privsep.html">Niels Provos</a> |
<a href="http://www.citi.umich.edu/u/provos/ssh/privsep.html">Niels Provos</a> |
| and Markus Friedl in OpenSSH in March 2002, released with OpenBSD 3.2. |
and Markus Friedl in OpenSSH in March 2002, released with OpenBSD 3.2. |
| The concept is now used in many programs. |
The concept is now used in many OpenBSD programs, for example |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/bgpd.8">bgpd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/dhclient.8">dhclient(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/dhcpd.8">dhcpd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/dvmrpd.8">dvmrpd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/eigrpd.8">eigrpd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/file.1">file(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/httpd.8">httpd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/iked.8">iked(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ldapd.8">ldapd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ldpd.8">ldpd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/mountd.8">mountd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8">npppd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ntpd.8">ntpd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ospfd.8">ospfd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ospf6d.8">ospf6d(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/pflogd.8">pflogd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/radiusd.8">radiusd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/relayd.8">relayd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ripd.8">ripd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/script.1">script(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/smtpd.8">smtpd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/syslogd.8">syslogd(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/tcpdump.8">tcpdump(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/tmux.1">tmux(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/xconsole.1">xconsole(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/xdm.1">xdm(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/Xserver.1">Xserver(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ypldap.8">ypldap(8)</a>, |
| |
etc. |
| |
<li>Privilege revocation: |
| |
Related to the work on privilege separation, some programs were refactored |
| |
to drop privileges while holding onto a tricky resource such as a raw socket, |
| |
reserved port, or modification-locked bpf(4) descriptor, |
| |
for example |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ping.8">ping(8)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/traceroute.8">traceroute(8)</a>, |
| |
etc. |
| <li>Stack protector: Developed since 2001 as "propolice" by Hiroaki Etoh. |
<li>Stack protector: Developed since 2001 as "propolice" by Hiroaki Etoh. |
| Integrated, and implemented for additional hardware platforms, |
Integrated, and implemented for additional hardware platforms, |
| by Miod Vallat and Theo de Raadt. OpenBSD 3.3 was the first operating |
by Miod Vallat and Theo de Raadt. OpenBSD 3.3 was the first operating |
![[BACK]](/icons/back.gif){kind=icon}
Return to innovations.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www