* New upstream release (http://www.openssh.org/txt/release-5.9).

  - Introduce sandboxing of the pre-auth privsep child using an optional
    sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
    mandatory restrictions on the syscalls the privsep child can perform.
  - Add new SHA256-based HMAC transport integrity modes from
    http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
  - The pre-authentication sshd(8) privilege separation slave process now
    logs via a socket shared with the master process, avoiding the need to
    maintain /dev/log inside the chroot (closes: #75043, #429243,
    #599240).
  - ssh(1) now warns when a server refuses X11 forwarding (closes:
    #504757).
  - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
    separated by whitespace (closes: #76312).  The authorized_keys2
    fallback is deprecated but documented (closes: #560156).
  - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
    ToS/DSCP (closes: #498297).
  - ssh-add(1) now accepts keys piped from standard input.  E.g. "ssh-add
    - < /path/to/key" (closes: #229124).
  - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
  - Say "required" rather than "recommended" in unprotected-private-key
    warning (LP: #663455).

1 files changed, 33 insertions, 11 deletions

diff --git a/sshd.c b/sshd.c
index 67a2f9d6b..9b32cb458 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.381 2011/01/11 06:13:10 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.385 2011/06/23 09:34:13 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -118,6 +118,7 @@
 #endif
 #include "monitor_wrap.h"
 #include "roaming.h"
+#include "ssh-sandbox.h"
 #include "version.h"
 
 #ifdef USE_SECURITY_SESSION_API
@@ -629,42 +630,62 @@ privsep_preauth(Authctxt *authctxt)
 {
         int status;
         pid_t pid;
+        struct ssh_sandbox *box = NULL;
 
         /* Set up unprivileged child process to deal with network data */
         pmonitor = monitor_init();
         /* Store a pointer to the kex for later rekeying */
         pmonitor->m_pkex = &xxx_kex;
 
+        if (use_privsep == PRIVSEP_SANDBOX)
+                box = ssh_sandbox_init();
         pid = fork();
         if (pid == -1) {
                 fatal("fork of unprivileged child failed");
         } else if (pid != 0) {
                 debug2("Network child is on pid %ld", (long)pid);
 
-                close(pmonitor->m_recvfd);
+                if (box != NULL)
+                        ssh_sandbox_parent_preauth(box, pid);
                 pmonitor->m_pid = pid;
                 monitor_child_preauth(authctxt, pmonitor);
-                close(pmonitor->m_sendfd);
 
                 /* Sync memory */
                 monitor_sync(pmonitor);
 
                 /* Wait for the child's exit status */
-                while (waitpid(pid, &status, 0) < 0)
+                while (waitpid(pid, &status, 0) < 0) {
                         if (errno != EINTR)
-                                break;
-                return (1);
+                                fatal("%s: waitpid: %s", __func__,
+                                    strerror(errno));
+                }
+                if (WIFEXITED(status)) {
+                        if (WEXITSTATUS(status) != 0)
+                                fatal("%s: preauth child exited with status %d",
+                                    __func__, WEXITSTATUS(status));
+                } else if (WIFSIGNALED(status))
+                        fatal("%s: preauth child terminated by signal %d",
+                            __func__, WTERMSIG(status));
+                if (box != NULL)
+                        ssh_sandbox_parent_finish(box);
+                return 1;
         } else {
                 /* child */
-
                 close(pmonitor->m_sendfd);
+                close(pmonitor->m_log_recvfd);
+
+                /* Arrange for logging to be sent to the monitor */
+                set_log_handler(mm_log_handler, pmonitor);
 
                 /* Demote the child */
                 if (getuid() == 0 || geteuid() == 0)
                         privsep_preauth_child();
                 setproctitle("%s", "[net]");
+                if (box != NULL)
+                        ssh_sandbox_child(box);
+
+                return 0;
         }
-        return (0);
 }
 
 static void
@@ -690,7 +711,6 @@ privsep_postauth(Authctxt *authctxt)
                 fatal("fork of unprivileged child failed");
         else if (pmonitor->m_pid != 0) {
                 verbose("User child is on pid %ld", (long)pmonitor->m_pid);
-                close(pmonitor->m_recvfd);
                 buffer_clear(&loginmsg);
                 monitor_child_postauth(pmonitor);
 
@@ -698,7 +718,10 @@ privsep_postauth(Authctxt *authctxt)
                 exit(0);
         }
 
+        /* child */
+
         close(pmonitor->m_sendfd);
+        pmonitor->m_sendfd = -1;
 
         /* Demote the private keys to public keys. */
         demote_sensitive_data();
@@ -1120,7 +1143,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
                             (int) received_sigterm);
                         close_listen_socks();
                         unlink(options.pid_file);
-                        exit(255);
+                        exit(received_sigterm == SIGTERM ? 0 : 255);
                 }
                 if (key_used && key_do_regen) {
                         generate_ephemeral_server_key();
@@ -1311,7 +1334,6 @@ main(int ac, char **av)
         (void)set_auth_parameters(ac, av);
 #endif
         __progname = ssh_get_progname(av[0]);
-        init_rng();
 
         /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
         saved_argc = ac;