author | djm@openbsd.org <djm@openbsd.org> | 2017-03-14 07:19:07 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2017-03-15 11:09:18 +1100 |
commit | 66705948c0639a7061a0d0753266da7685badfec (patch) | |
tree | 147e7ac3dd0730796fcc39c345d8ff7bbf9a13e2 | |
parent | f86586b03fe6cd8f595289bde200a94bc2c191af (diff) |
upstream commit
Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@
(note: this doesn't remove the !privsep code paths, though that will
happen eventually).
Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
-rw-r--r-- | servconf.c | 12 | ||||
-rw-r--r-- | sshd_config | 3 | ||||
-rw-r--r-- | sshd_config.5 | 26 |
3 files changed, 5 insertions, 36 deletions
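--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.305 2017/03/10 04:11:00 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.306 2017/03/14 07:19:07 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -535,7 +535,7 @@ static struct {
 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
-{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
+{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
 { "permittty", sPermitTTY, SSHCFG_ALL },
@@ -1374,11 +1374,6 @@ process_server_config_line(ServerOptions *options, char *line,
 intptr = &options->disable_forwarding;
 goto parse_flag;
 
-case sUsePrivilegeSeparation:
-intptr = &use_privsep;
-multistate_ptr = multistate_privsep;
-goto parse_multistate;
-
 case sAllowUsers:
 while ((arg = strdelim(&cp)) && *arg != '\0') {
 if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -2107,8 +2102,6 @@ fmt_intarg(ServerOpCodes code, int val)
 return fmt_multistate_int(val, multistate_gatewayports);
 case sCompression:
 return fmt_multistate_int(val, multistate_compression);
-case sUsePrivilegeSeparation:
-return fmt_multistate_int(val, multistate_privsep);
 case sAllowTcpForwarding:
 return fmt_multistate_int(val, multistate_tcpfwd);
 case sAllowStreamLocalForwarding:
@@ -2284,7 +2277,6 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
-dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 
 /* string arguments */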
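Review bot: Dropping the sUsePrivilegeSeparation case from process_server_config_line, fmt_intarg and dump_config removes every reader of `multistate_privsep` that these hunks show; if that table is still a file-scope static defined above the first hunk (not visible here), the build now carries an unused-variable warning and the table should be retired in the same commit rather than left behind. The dump_config hunk also means `sshd -T` no longer reports whether privilege separation or the sandbox is in effect, which administrators used to verify a hardened deployment; consider keeping a fixed line in the dump, or stating in the keyword table why the option survives, e.g. `/* privsep is always on; keyword kept only so existing configs still parse (sDeprecated) */`. With the parse case gone, `use_privsep` is presumably set only by its initializer elsewhere, so that definition is now the single source of truth and deserves a comment to that effect. The enclosing functions process_server_config_line, fmt_intarg and dump_config all start and end outside these hunks.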
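--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -93,7 +93,6 @@ AuthorizedKeysFile .ssh/authorized_keys
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0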
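--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.242 2017/02/03 23:01:19 djm Exp $
-.Dd $Mdocdate: February 3 2017 $
+.\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $
+.Dd $Mdocdate: March 14 2017 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1494,28 +1494,6 @@ is enabled, you will not be able to run
 as a non-root user.
 The default is
 .Cm no .
-.It Cm UsePrivilegeSeparation
-Specifies whether
-.Xr sshd 8
-separates privileges by creating an unprivileged child process
-to deal with incoming network traffic.
-After successful authentication, another process will be created that has
-the privilege of the authenticated user.
-The goal of privilege separation is to prevent privilege
-escalation by containing any corruption within the unprivileged processes.
-The argument must be
-.Cm yes ,
-.Cm no ,
-or
-.Cm sandbox .
-If
-.Cm UsePrivilegeSeparation
-is set to
-.Cm sandbox
-then the pre-authentication unprivileged process is subject to additional
-restrictions.
-The default is
-.Cm sandbox .
 .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.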