| author | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
| commit | 69ff1df952eebf0489b775a60ede094eaf596a05 (patch) | |
| tree | 6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /sshd_config.5 | |
| parent | 82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff) | |
- djm@cvs.openbsd.org 2011/06/22 21:57:01
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
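The commit message describes the sandbox as an allowlist of syscalls where anything off the list terminates the pre-auth child. The following is an added example, not OpenSSH or OpenBSD code: it implements the same allowlist-and-kill pattern with Linux seccomp-bpf as a stand-in for the systrace(4) fast-path (which is OpenBSD-only). Assumptions: Linux on x86_64 or aarch64 with seccomp filter support; the names `build_filter`, `install_sandbox`, `run_confined`, `probe_allowed` and `probe_denied` are my own; and seccomp terminates the offending process with SIGSYS rather than the SIGKILL the message describes for SYSTR_POLICY_KILL.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not OpenSSH/OpenBSD code): an allowlist syscall sandbox in
 * the style of the systrace(4) fast-path, built with Linux seccomp-bpf.
 * Assumes Linux on x86_64 or aarch64. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example covers x86_64 and aarch64 only"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* older kernel headers */
#endif

#define RUN_ERROR (-1000) /* sentinel for fork/wait failure, below any -signal */

/* The permitted list: what the confined child needs and nothing more. Any
 * syscall not listed kills the process (SIGSYS here; systrace uses SIGKILL). */
static const unsigned int allowed_syscalls[] = {
    SYS_write, SYS_exit, SYS_exit_group, SYS_rt_sigreturn,
};
#define N_ALLOWED (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))
#define FILTER_LEN (5 + 2 * N_ALLOWED)

/* Emit the BPF program: reject a foreign ABI, then compare the syscall number
 * against each allowed entry and fall through to KILL. Returns instruction count. */
static size_t build_filter(struct sock_filter *out)
{
    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < N_ALLOWED; j++) {
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                allowed_syscalls[j], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

size_t filter_length(void)
{
    struct sock_filter prog[FILTER_LEN];
    return build_filter(prog);
}

/* Apply the policy to the calling process. Like a systrace policy it cannot be
 * lifted afterwards, so it is installed in the child only. */
static int install_sandbox(void)
{
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog), .filter = prog };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run body() in a forked, confined child. Returns the child's exit status, or
 * minus the signal number if the child was killed. */
int run_confined(int (*body)(void))
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return RUN_ERROR;
    if (pid == 0) {
        if (install_sandbox() == -1)
            _exit(99); /* filter not installed: distinct from a kill */
        _exit(body()); /* _exit -> exit_group, which is on the list */
    }
    if (waitpid(pid, &status, 0) == -1)
        return RUN_ERROR;
    if (WIFSIGNALED(status))
        return -WTERMSIG(status);
    return WEXITSTATUS(status);
}

/* Uses only listed syscalls: a raw write(2), then exit_group via _exit. */
int probe_allowed(void)
{
    static const char msg[] = "confined child: permitted write\n";
    syscall(SYS_write, 2, msg, sizeof(msg) - 1);
    return 0;
}

/* The behaviour the sandbox exists to stop: the child trying to open a socket.
 * socket(2) is not on the list, so the process is terminated before it runs. */
int probe_denied(void)
{
    syscall(SYS_socket, AF_INET, SOCK_STREAM, 0);
    return 1; /* never reached under the filter */
}

int main(void)
{
    printf("allowed probe -> %d (expect 0)\n", run_confined(probe_allowed));
    printf("denied probe  -> %d (expect %d, i.e. SIGSYS)\n",
           run_confined(probe_denied), -SIGSYS);
    return 0;
}
```

The architecture check comes first because syscall numbers are ABI-specific, and a filter that skips it can be bypassed by a process switching ABIs; PR_SET_NO_NEW_PRIVS is required to install a filter without CAP_SYS_ADMIN. The list here is deliberately tiny so the kill path is visible; a real pre-auth child needs the syscalls its crypto, memory allocation and privsep monitor channel use, which is why such lists are built empirically and tested on every supported kernel.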
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 70a53b3a9..f78452c85 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.133 2011/05/23 07:10:21 jmc Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $ |
37 | .Dd $Mdocdate: May 23 2011 $ | 37 | .Dd $Mdocdate: June 22 2011 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -1071,6 +1071,12 @@ The goal of privilege separation is to prevent privilege | |||
1071 | escalation by containing any corruption within the unprivileged processes. | 1071 | escalation by containing any corruption within the unprivileged processes. |
1072 | The default is | 1072 | The default is |
1073 | .Dq yes . | 1073 | .Dq yes . |
1074 | If | ||
1075 | .Cm UsePrivilegeSeparation | ||
1076 | is set to | ||
1077 | .Dq sandbox | ||
1078 | then the pre-authentication unprivileged process is subject to additional | ||
1079 | restrictions. | ||
1074 | .It Cm X11DisplayOffset | 1080 | .It Cm X11DisplayOffset |
1075 | Specifies the first display number available for | 1081 | Specifies the first display number available for |
1076 | .Xr sshd 8 Ns 's | 1082 | .Xr sshd 8 Ns 's |
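Review bot: the new sentence at lines 1074-1079 tells the administrator only that the process is "subject to additional restrictions" without saying what they are or when the value has effect, even though the commit message states the mechanism (a systrace(4) syscall allowlist, with SIGKILL for anything not on it) and a hard platform requirement (a kernel with SYSTR_POLICY_KILL). Suggest naming the restriction and its dependency in the man page, for example appending after "restrictions." a sentence such as "These restrictions limit the system calls the process may make and require a kernel with systrace(4) support." with an `.Xr systrace 4` cross-reference, so an operator on an unsupported kernel does not assume the sandbox is in force when it is not.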