2 files changed, 18 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 4e6b8b2d5..68d8a2a29 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20140401
+ - (djm) On platforms that support it, use prctl() to prevent sftp-server
+   from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
 20140317
 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
   remind myself to add sandbox violation logging via the log socket.
diff --git a/sftp-server.c b/sftp-server.c
index b8eb59c36..77834117c 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -29,6 +29,9 @@
 #ifdef HAVE_SYS_STATVFS_H
 #include <sys/statvfs.h>
 #endif
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#endif
 #include <dirent.h>
 #include <errno.h>
@@ -1523,6 +1526,17 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
        log_init(__progname, log_level, log_facility, log_stderr);
+#ifdef HAVE_PRCTL
+        /*
+         * On Linux, we should try to avoid making /proc/self/{mem,maps}
+         * available to the user so that sftp access doesn't automatically
+         * imply arbitrary code execution access that will break
+         * restricted configurations.
+         */
+        if (prctl(PR_SET_DUMPABLE, 0) != 0)
+                fatal("unable to make the process undumpable");
+#endif
        if ((cp = getenv("SSH_CONNECTION")) != NULL) {
                client_addr = xstrdup(cp);
                if ((cp = strchr(client_addr, ' ')) == NULL) {

diff --git a/ChangeLog b/ChangeLog index 4e6b8b2d5..68d8a2a29 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,3 +1,7 @@
		1	20140401
		2	- (djm) On platforms that support it, use prctl() to prevent sftp-server
		3	from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
		4
1	20140317	5	20140317
2	- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to	6	- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
3	remind myself to add sandbox violation logging via the log socket.	7	remind myself to add sandbox violation logging via the log socket.


diff --git a/sftp-server.c b/sftp-server.c index b8eb59c36..77834117c 100644 --- a/sftp-server.c +++ b/sftp-server.c
@@ -29,6 +29,9 @@
29	#ifdef HAVE_SYS_STATVFS_H	29	#ifdef HAVE_SYS_STATVFS_H
30	#include <sys/statvfs.h>	30	#include <sys/statvfs.h>
31	#endif	31	#endif
		32	#ifdef HAVE_SYS_PRCTL_H
		33	#include <sys/prctl.h>
		34	#endif
32		35
33	#include <dirent.h>	36	#include <dirent.h>
34	#include <errno.h>	37	#include <errno.h>
@@ -1523,6 +1526,17 @@ sftp_server_main(int argc, char *argv, struct passwd user_pw)
1523		1526
1524	log_init(__progname, log_level, log_facility, log_stderr);	1527	log_init(__progname, log_level, log_facility, log_stderr);
1525		1528
		1529	#ifdef HAVE_PRCTL
		1530	/*
		1531	* On Linux, we should try to avoid making /proc/self/{mem,maps}
		1532	* available to the user so that sftp access doesn't automatically
		1533	* imply arbitrary code execution access that will break
		1534	* restricted configurations.
		1535	*/
		1536	if (prctl(PR_SET_DUMPABLE, 0) != 0)
		1537	fatal("unable to make the process undumpable");
		1538	#endif
		1539
1526	if ((cp = getenv("SSH_CONNECTION")) != NULL) {	1540	if ((cp = getenv("SSH_CONNECTION")) != NULL) {
1527	client_addr = xstrdup(cp);	1541	client_addr = xstrdup(cp);
1528	if ((cp = strchr(client_addr, ' ')) == NULL) {	1542	if ((cp = strchr(client_addr, ' ')) == NULL) {