Privilege separated tcpdump(1)
● Otto writes: "tcpdump(1) has a bad reputation; quite some vulnerabilities have been found in it. Since tcpdump is run as root when capturing packets from an interface, the impact of these vulnerabilities can be high.
● To reduce the risk of running tcpdump as root, tcpdump has been modified to become privilege separated. The parsing and printing of the network packets now takes place in an unprivileged, chrooted process.
● The work has been done by Can Erkin Acar and Otto Moerbeek.
Privilege Separated OpenSSH
We use an unprivileged child process to contain and restrict the effects of programming errors. A bug in the unprivileged child process does not result in a system compromise. In other words, the goal is complete privilege separation within OpenSSH.
http://www.citi.umich.edu/u/provos/ssh/privsep.html
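The pattern both slides describe, as an added sketch (not code from tcpdump or OpenSSH): the parent keeps its privileges and never parses, while a forked child chroots, drops to an unprivileged uid, parses the untrusted packet and reports back over a pipe. The names `privsep_parse`, `confine` and `parse_ipv4_proto`, the jail path `/var/empty` and uid/gid 65534 are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE 1   /* chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: bare IPv4 header, protocol 6 (TCP), 192.0.2.1 -> 192.0.2.2. */
static const uint8_t sample_pkt[20] = {0x45,0,0,20, 0,0,0,0, 64,6,0,0, 192,0,2,1, 192,0,2,2};

/* Parser for untrusted bytes: IPv4 protocol number, or -1 if malformed. */
static int parse_ipv4_proto(const uint8_t *p, size_t len) {
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    return p[9];
}

/* Child only: enter the jail, then drop groups, gid and uid, in that order. */
static int confine(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;   /* being able to regain root is a failure */
}

/* Parent keeps its privileges and never parses. jail == NULL skips confinement
 * so the demo also runs without root. Returns the protocol number or -1. */
int privsep_parse(const uint8_t *pkt, size_t len, const char *jail, uid_t uid, gid_t gid) {
    int fd[2], result = -1, status = 0;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {   /* worker: inherits pkt across fork(), then confines itself */
        close(fd[0]);
        if (jail != NULL && confine(jail, uid, gid) != 0) _exit(2);   /* fail closed */
        int proto = parse_ipv4_proto(pkt, len);
        _exit(write(fd[1], &proto, sizeof proto) == (ssize_t)sizeof proto ? 0 : 1);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &result, sizeof result);
    close(fd[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;   /* a crashed or unconfined worker yields no answer */
    /* The child's reply is untrusted too: accept only a full, in-range value. */
    return (n == (ssize_t)sizeof result && result >= 0 && result <= 255) ? result : -1;
}
int main(void) {
    /* Assumed values: "/var/empty" as the jail, 65534 as an unprivileged uid/gid. */
    const char *jail = geteuid() == 0 ? "/var/empty" : NULL;
    return privsep_parse(sample_pkt, sizeof sample_pkt, jail, 65534, 65534) == 6 ? 0 : 1;
}
```

A parser bug that kills or corrupts the worker costs the parent only that one answer; the worker has no root privileges and no view of the filesystem outside the jail.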