- djm@cvs.openbsd.org 2011/06/22 21:57:01

[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@
author: Damien Miller <djm@mindrot.org> 2011-06-23 08:30:03 +1000
committer: Damien Miller <djm@mindrot.org> 2011-06-23 08:30:03 +1000
commit: 69ff1df952eebf0489b775a60ede094eaf596a05 (patch)
tree: 6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /sshd_config.5
parent: 82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 70a53b3a9..f78452c85 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.133 2011/05/23 07:10:21 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $
-.Dd $Mdocdate: May 23 2011 $
+.Dd $Mdocdate: June 22 2011 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1071,6 +1071,12 @@ The goal of privilege separation is to prevent privilege
 escalation by containing any corruption within the unprivileged processes.
 The default is
 .Dq yes .
+If
+.Cm UsePrivilegeSeparation
+is set to
+.Dq sandbox
+then the pre-authentication unprivileged process is subject to additional
+restrictions.
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's
author	Damien Miller <djm@mindrot.org>	2011-06-23 08:30:03 +1000
committer	Damien Miller <djm@mindrot.org>	2011-06-23 08:30:03 +1000
commit	69ff1df952eebf0489b775a60ede094eaf596a05 (patch)
tree	6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /sshd_config.5
parent	82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 70a53b3a9..f78452c85 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.133 2011/05/23 07:10:21 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $
37	.Dd $Mdocdate: May 23 2011 $	37	.Dd $Mdocdate: June 22 2011 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -1071,6 +1071,12 @@ The goal of privilege separation is to prevent privilege
1071	escalation by containing any corruption within the unprivileged processes.	1071	escalation by containing any corruption within the unprivileged processes.
1072	The default is	1072	The default is
1073	.Dq yes .	1073	.Dq yes .
		1074	If
		1075	.Cm UsePrivilegeSeparation
		1076	is set to
		1077	.Dq sandbox
		1078	then the pre-authentication unprivileged process is subject to additional
		1079	restrictions.
1074	.It Cm X11DisplayOffset	1080	.It Cm X11DisplayOffset
1075	Specifies the first display number available for	1081	Specifies the first display number available for
1076	.Xr sshd 8 Ns 's	1082	.Xr sshd 8 Ns 's