summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2011-06-22 21:57:02 +0000
committerDamien Miller <djm@cvs.openbsd.org>2011-06-22 21:57:02 +0000
commit4d1611fb09248442e0b7b5a8f731327bbed1af16 (patch)
treefb3b80f4947968df7325c213794e68e1a9fb7d61
parentdba0caec152609e89254d23c36072ef4d714b633 (diff)
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@
-rw-r--r--usr.bin/ssh/sandbox-rlimit.c86
-rw-r--r--usr.bin/ssh/sandbox-systrace.c181
-rwxr-xr-xusr.bin/ssh/sandbox.h22
-rw-r--r--usr.bin/ssh/servconf.c15
-rw-r--r--usr.bin/ssh/servconf.h7
-rw-r--r--usr.bin/ssh/sshd.c30
-rw-r--r--usr.bin/ssh/sshd/Makefile4
-rw-r--r--usr.bin/ssh/sshd_config.510
8 files changed, 342 insertions, 13 deletions
diff --git a/usr.bin/ssh/sandbox-rlimit.c b/usr.bin/ssh/sandbox-rlimit.c
new file mode 100644
index 00000000000..b0c80e5f031
--- /dev/null
+++ b/usr.bin/ssh/sandbox-rlimit.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "log.h"
+#include "sandbox.h"
+#include "xmalloc.h"
+
+/* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */
+
+struct ssh_sandbox {
+ pid_t child_pid;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(void)
+{
+ struct ssh_sandbox *box;
+
+ /*
+ * Strictly, we don't need to maintain any state here but we need
+ * to return non-NULL to satisfy the API.
+ */
+ debug3("%s: preparing rlimit sandbox", __func__);
+ box = xcalloc(1, sizeof(*box));
+ box->child_pid = 0;
+
+ return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+ struct rlimit rl_zero;
+
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+
+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
+ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
+ __func__, strerror(errno));
+ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
+ __func__, strerror(errno));
+ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
+ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
+ __func__, strerror(errno));
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+ free(box);
+ debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+ box->child_pid = child_pid;
+ /* Nothing to do here */
+}
+
diff --git a/usr.bin/ssh/sandbox-systrace.c b/usr.bin/ssh/sandbox-systrace.c
new file mode 100644
index 00000000000..ecea3ece85a
--- /dev/null
+++ b/usr.bin/ssh/sandbox-systrace.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/syscall.h>
+#include <sys/socket.h>
+
+#include <dev/systrace.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "atomicio.h"
+#include "log.h"
+#include "sandbox.h"
+#include "xmalloc.h"
+
+static const int preauth_policy[] = {
+ SYS___sysctl,
+ SYS_close,
+ SYS_exit,
+ SYS_getpid,
+ SYS_gettimeofday,
+ SYS_madvise,
+ SYS_mmap,
+ SYS_mprotect,
+ SYS_poll,
+ SYS_munmap,
+ SYS_read,
+ SYS_select,
+ SYS_sigprocmask,
+ SYS_write,
+ -1
+};
+
+struct ssh_sandbox {
+ int child_sock;
+ int parent_sock;
+ int systrace_fd;
+ pid_t child_pid;
+ struct systrace_policy policy;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(void)
+{
+ struct ssh_sandbox *box;
+ int s[2];
+
+ debug3("%s: preparing systrace sandbox", __func__);
+ box = xcalloc(1, sizeof(*box));
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1)
+ fatal("%s: socketpair: %s", __func__, strerror(errno));
+ box->child_sock = s[0];
+ box->parent_sock = s[1];
+ box->systrace_fd = -1;
+ box->child_pid = 0;
+
+ return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+ char whatever = 0;
+
+ close(box->parent_sock);
+ /* Signal parent that we are ready */
+ debug3("%s: ready", __func__);
+ if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1)
+ fatal("%s: write: %s", __func__, strerror(errno));
+ /* Wait for parent to signal for us to go */
+ if (atomicio(read, box->child_sock, &whatever, 1) != 1)
+ fatal("%s: read: %s", __func__, strerror(errno));
+ debug3("%s: started", __func__);
+ close(box->child_sock);
+}
+
+static void
+ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
+ const int *allowed_syscalls)
+{
+ int dev_systrace, i, j, found;
+ char whatever = 0;
+
+ debug3("%s: wait for child %ld", __func__, (long)child_pid);
+ box->child_pid = child_pid;
+ close(box->child_sock);
+ /* Wait for child to signal that it is ready */
+ if (atomicio(read, box->parent_sock, &whatever, 1) != 1)
+ fatal("%s: read: %s", __func__, strerror(errno));
+ debug3("%s: child %ld ready", __func__, (long)child_pid);
+
+ /* Set up systracing of child */
+ if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
+ fatal("%s: open(\"/dev/systrace\"): %s", __func__,
+ strerror(errno));
+ if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
+ fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
+ dev_systrace, strerror(errno));
+ close(dev_systrace);
+ debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
+ if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
+ fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
+ box->systrace_fd, child_pid, strerror(errno));
+
+ /* Allocate and assign policy */
+ bzero(&box->policy, sizeof(box->policy));
+ box->policy.strp_op = SYSTR_POLICY_NEW;
+ box->policy.strp_maxents = SYS_MAXSYSCALL;
+ if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1)
+ fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
+ box->systrace_fd, strerror(errno));
+
+ box->policy.strp_op = SYSTR_POLICY_ASSIGN;
+ box->policy.strp_pid = box->child_pid;
+ if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1)
+ fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
+ __func__, box->systrace_fd, strerror(errno));
+
+ /* Set per-syscall policy */
+ for (i = 0; i < SYS_MAXSYSCALL; i++) {
+ for (j = found = 0; allowed_syscalls[j] != -1 && !found; j++) {
+ if (allowed_syscalls[j] == i)
+ found = 1;
+ }
+ box->policy.strp_op = SYSTR_POLICY_MODIFY;
+ box->policy.strp_code = i;
+ box->policy.strp_policy = found ?
+ SYSTR_POLICY_PERMIT : SYSTR_POLICY_KILL;
+ if (found)
+ debug3("%s: policy: enable syscall %d", __func__, i);
+ if (ioctl(box->systrace_fd, STRIOCPOLICY,
+ &box->policy) == -1)
+ fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
+ __func__, box->systrace_fd, strerror(errno));
+ }
+
+ /* Signal the child to start running */
+ debug3("%s: start child %ld", __func__, (long)child_pid);
+ if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1)
+ fatal("%s: write: %s", __func__, strerror(errno));
+ close(box->parent_sock);
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+ /* Closing this before the child exits will terminate it */
+ close(box->systrace_fd);
+
+ free(box);
+ debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+ ssh_sandbox_parent(box, child_pid, preauth_policy);
+}
diff --git a/usr.bin/ssh/sandbox.h b/usr.bin/ssh/sandbox.h
new file mode 100755
index 00000000000..7593dedea32
--- /dev/null
+++ b/usr.bin/ssh/sandbox.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+struct ssh_sandbox;
+
+struct ssh_sandbox *ssh_sandbox_init(void);
+void ssh_sandbox_child(struct ssh_sandbox *);
+void ssh_sandbox_parent_finish(struct ssh_sandbox *);
+void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index eaa127f86aa..597e2b6e4f7 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.221 2011/06/22 21:47:28 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -266,7 +266,7 @@ fill_default_server_options(ServerOptions *options)
/* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = 1;
+ use_privsep = PRIVSEP_ON;
}
/* Keyword tokens. */
@@ -662,6 +662,12 @@ static const struct multistate multistate_gatewayports[] = {
{ "no", 0 },
{ NULL, -1 }
};
+static const struct multistate multistate_privsep[] = {
+ { "sandbox", PRIVSEP_SANDBOX },
+ { "yes", PRIVSEP_ON },
+ { "no", PRIVSEP_OFF },
+ { NULL, -1 }
+};
int
process_server_config_line(ServerOptions *options, char *line,
@@ -1021,7 +1027,8 @@ process_server_config_line(ServerOptions *options, char *line,
case sUsePrivilegeSeparation:
intptr = &use_privsep;
- goto parse_flag;
+ multistate_ptr = multistate_privsep;
+ goto parse_multistate;
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
@@ -1529,6 +1536,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_gatewayports);
case sCompression:
return fmt_multistate_int(val, multistate_compression);
+ case sUsePrivilegeSeparation:
+ return fmt_multistate_int(val, multistate_privsep);
case sProtocol:
switch (val) {
case SSH_PROTO_1:
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 84cc33c0c6a..d7ca51b44fe 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.98 2011/05/23 03:30:07 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -36,6 +36,11 @@
#define PERMIT_NO_PASSWD 2
#define PERMIT_YES 3
+/* use_privsep */
+#define PRIVSEP_OFF 0
+#define PRIVSEP_ON 1
+#define PRIVSEP_SANDBOX 2
+
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index 27423765181..4cc6a6f2296 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.383 2011/06/17 21:44:31 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.384 2011/06/22 21:57:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -102,6 +102,7 @@
#endif
#include "monitor_wrap.h"
#include "roaming.h"
+#include "sandbox.h"
#include "version.h"
#ifdef LIBWRAP
@@ -611,18 +612,23 @@ privsep_preauth(Authctxt *authctxt)
{
int status;
pid_t pid;
+ struct ssh_sandbox *box = NULL;
/* Set up unprivileged child process to deal with network data */
pmonitor = monitor_init();
/* Store a pointer to the kex for later rekeying */
pmonitor->m_pkex = &xxx_kex;
+ if (use_privsep == PRIVSEP_SANDBOX)
+ box = ssh_sandbox_init();
pid = fork();
if (pid == -1) {
fatal("fork of unprivileged child failed");
} else if (pid != 0) {
debug2("Network child is on pid %ld", (long)pid);
+ if (box != NULL)
+ ssh_sandbox_parent_preauth(box, pid);
pmonitor->m_pid = pid;
monitor_child_preauth(authctxt, pmonitor);
@@ -630,10 +636,21 @@ privsep_preauth(Authctxt *authctxt)
monitor_sync(pmonitor);
/* Wait for the child's exit status */
- while (waitpid(pid, &status, 0) < 0)
+ while (waitpid(pid, &status, 0) < 0) {
if (errno != EINTR)
- break;
- return (1);
+ fatal("%s: waitpid: %s", __func__,
+ strerror(errno));
+ }
+ if (WIFEXITED(status)) {
+ if (WEXITSTATUS(status) != 0)
+ fatal("%s: preauth child exited with status %d",
+ __func__, WEXITSTATUS(status));
+ } else if (WIFSIGNALED(status))
+ fatal("%s: preauth child terminated by signal %d",
+ __func__, WTERMSIG(status));
+ if (box != NULL)
+ ssh_sandbox_parent_finish(box);
+ return 1;
} else {
/* child */
close(pmonitor->m_sendfd);
@@ -646,8 +663,11 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child();
setproctitle("%s", "[net]");
+ if (box != NULL)
+ ssh_sandbox_child(box);
+
+ return 0;
}
- return (0);
}
static void
diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile
index a479ec7ca21..15417811a83 100644
--- a/usr.bin/ssh/sshd/Makefile
+++ b/usr.bin/ssh/sshd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.72 2010/10/13 08:14:22 jsg Exp $
+# $OpenBSD: Makefile,v 1.73 2011/06/22 21:57:01 djm Exp $
.PATH: ${.CURDIR}/..
@@ -16,7 +16,7 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
auth2-none.c auth2-passwd.c auth2-pubkey.c \
monitor_mm.c monitor.c monitor_wrap.c \
kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
- roaming_common.c roaming_serv.c
+ roaming_common.c roaming_serv.c sandbox-systrace.c
.include <bsd.own.mk> # for KERBEROS and AFS
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 69de8d4d2b9..a8f46c4d256 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.133 2011/05/23 07:10:21 jmc Exp $
-.Dd $Mdocdate: May 23 2011 $
+.\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $
+.Dd $Mdocdate: June 22 2011 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -1048,6 +1048,12 @@ The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
+If
+.Cm UsePrivilegeSeparation
+is set to
+.Dq sandbox
+then the pre-authentication unprivileged process is subject to additional
+restrictions.
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's