Priviledge seperation example - OpenSSH


OpenSSH started in 1999.  In 2002, priviledge seperation was added.

Operates largely in chroot space as different processes

One process is the pre-auth checker - 2011 sandboxing support, using
systrace based in OpenBSD.  Only system calls permitted are

    clock_gettime(2) close(2) getentropy(2) getpid(2)
    gettimeofday(2) madvise(2) mmap(2) mprotect(2) mquery(2)
    munmap(2) open(2) poll(2) read(2) select(2) sendsyslog(2)
    shutdown(2) sigprocmask(2) write(2)

(takes 150 lines of nasty complicated code)

Exceed those rules, process gets killed.

Now uses pledge "stdio"