diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-03-14 07:19:07 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-03-15 11:09:18 +1100 |
| commit | 66705948c0639a7061a0d0753266da7685badfec (patch) | |
| tree | 147e7ac3dd0730796fcc39c345d8ff7bbf9a13e2 | |
| parent | f86586b03fe6cd8f595289bde200a94bc2c191af (diff) | |
upstream commit
Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@
(note: this doesn't remove the !privsep code paths, though that will
happen eventually).
Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
| -rw-r--r-- | servconf.c | 12 | ||||
| -rw-r--r-- | sshd_config | 3 | ||||
| -rw-r--r-- | sshd_config.5 | 26 |
3 files changed, 5 insertions, 36 deletions
diff --git a/servconf.c b/servconf.c index 725886e8c..56b831652 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.305 2017/03/10 04:11:00 dtucker Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.306 2017/03/14 07:19:07 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -535,7 +535,7 @@ static struct { | |||
| 535 | { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL }, | 535 | { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL }, |
| 536 | { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, | 536 | { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, |
| 537 | { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, | 537 | { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, |
| 538 | { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, | 538 | { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL}, |
| 539 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, | 539 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, |
| 540 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, | 540 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, |
| 541 | { "permittty", sPermitTTY, SSHCFG_ALL }, | 541 | { "permittty", sPermitTTY, SSHCFG_ALL }, |
| @@ -1374,11 +1374,6 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1374 | intptr = &options->disable_forwarding; | 1374 | intptr = &options->disable_forwarding; |
| 1375 | goto parse_flag; | 1375 | goto parse_flag; |
| 1376 | 1376 | ||
| 1377 | case sUsePrivilegeSeparation: | ||
| 1378 | intptr = &use_privsep; | ||
| 1379 | multistate_ptr = multistate_privsep; | ||
| 1380 | goto parse_multistate; | ||
| 1381 | |||
| 1382 | case sAllowUsers: | 1377 | case sAllowUsers: |
| 1383 | while ((arg = strdelim(&cp)) && *arg != '\0') { | 1378 | while ((arg = strdelim(&cp)) && *arg != '\0') { |
| 1384 | if (options->num_allow_users >= MAX_ALLOW_USERS) | 1379 | if (options->num_allow_users >= MAX_ALLOW_USERS) |
| @@ -2107,8 +2102,6 @@ fmt_intarg(ServerOpCodes code, int val) | |||
| 2107 | return fmt_multistate_int(val, multistate_gatewayports); | 2102 | return fmt_multistate_int(val, multistate_gatewayports); |
| 2108 | case sCompression: | 2103 | case sCompression: |
| 2109 | return fmt_multistate_int(val, multistate_compression); | 2104 | return fmt_multistate_int(val, multistate_compression); |
| 2110 | case sUsePrivilegeSeparation: | ||
| 2111 | return fmt_multistate_int(val, multistate_privsep); | ||
| 2112 | case sAllowTcpForwarding: | 2105 | case sAllowTcpForwarding: |
| 2113 | return fmt_multistate_int(val, multistate_tcpfwd); | 2106 | return fmt_multistate_int(val, multistate_tcpfwd); |
| 2114 | case sAllowStreamLocalForwarding: | 2107 | case sAllowStreamLocalForwarding: |
| @@ -2284,7 +2277,6 @@ dump_config(ServerOptions *o) | |||
| 2284 | dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); | 2277 | dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); |
| 2285 | dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); | 2278 | dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); |
| 2286 | dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); | 2279 | dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); |
| 2287 | dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); | ||
| 2288 | dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); | 2280 | dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); |
| 2289 | 2281 | ||
| 2290 | /* string arguments */ | 2282 | /* string arguments */ |
diff --git a/sshd_config b/sshd_config index 9f09e4a6e..4eb2e02e0 100644 --- a/sshd_config +++ b/sshd_config | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ | 1 | # $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ |
| 2 | 2 | ||
| 3 | # This is the sshd server system-wide configuration file. See | 3 | # This is the sshd server system-wide configuration file. See |
| 4 | # sshd_config(5) for more information. | 4 | # sshd_config(5) for more information. |
| @@ -93,7 +93,6 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
| 93 | #PrintLastLog yes | 93 | #PrintLastLog yes |
| 94 | #TCPKeepAlive yes | 94 | #TCPKeepAlive yes |
| 95 | #UseLogin no | 95 | #UseLogin no |
| 96 | #UsePrivilegeSeparation sandbox | ||
| 97 | #PermitUserEnvironment no | 96 | #PermitUserEnvironment no |
| 98 | #Compression delayed | 97 | #Compression delayed |
| 99 | #ClientAliveInterval 0 | 98 | #ClientAliveInterval 0 |
diff --git a/sshd_config.5 b/sshd_config.5 index 454e46e0b..ac6ccc793 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.242 2017/02/03 23:01:19 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $ |
| 37 | .Dd $Mdocdate: February 3 2017 $ | 37 | .Dd $Mdocdate: March 14 2017 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -1494,28 +1494,6 @@ is enabled, you will not be able to run | |||
| 1494 | as a non-root user. | 1494 | as a non-root user. |
| 1495 | The default is | 1495 | The default is |
| 1496 | .Cm no . | 1496 | .Cm no . |
| 1497 | .It Cm UsePrivilegeSeparation | ||
| 1498 | Specifies whether | ||
| 1499 | .Xr sshd 8 | ||
| 1500 | separates privileges by creating an unprivileged child process | ||
| 1501 | to deal with incoming network traffic. | ||
| 1502 | After successful authentication, another process will be created that has | ||
| 1503 | the privilege of the authenticated user. | ||
| 1504 | The goal of privilege separation is to prevent privilege | ||
| 1505 | escalation by containing any corruption within the unprivileged processes. | ||
| 1506 | The argument must be | ||
| 1507 | .Cm yes , | ||
| 1508 | .Cm no , | ||
| 1509 | or | ||
| 1510 | .Cm sandbox . | ||
| 1511 | If | ||
| 1512 | .Cm UsePrivilegeSeparation | ||
| 1513 | is set to | ||
| 1514 | .Cm sandbox | ||
| 1515 | then the pre-authentication unprivileged process is subject to additional | ||
| 1516 | restrictions. | ||
| 1517 | The default is | ||
| 1518 | .Cm sandbox . | ||
| 1519 | .It Cm VersionAddendum | 1497 | .It Cm VersionAddendum |
| 1520 | Optionally specifies additional text to append to the SSH protocol banner | 1498 | Optionally specifies additional text to append to the SSH protocol banner |
| 1521 | sent by the server upon connection. | 1499 | sent by the server upon connection. |