field | value | date
---|---|---
author | Damien Miller <djm@cvs.openbsd.org> | 2011-06-22 21:57:02 +0000
committer | Damien Miller <djm@cvs.openbsd.org> | 2011-06-22 21:57:02 +0000
commit | 4d1611fb09248442e0b7b5a8f731327bbed1af16 (patch) |
tree | fb3b80f4947968df7325c213794e68e1a9fb7d61 /usr.bin/ssh/servconf.h |
parent | dba0caec152609e89254d23c36072ef4d714b633 (diff) |
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
Diffstat (limited to 'usr.bin/ssh/servconf.h')

mode | file | lines
---|---|---
-rw-r--r-- | usr.bin/ssh/servconf.h | 7

1 files changed, 6 insertions, 1 deletions
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index 84cc33c0c6a..d7ca51b44fe 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.98 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -36,6 +36,11 @@ #define PERMIT_NO_PASSWD 2 #define PERMIT_YES 3 +/* use_privsep */ +#define PRIVSEP_OFF 0 +#define PRIVSEP_ON 1 +#define PRIVSEP_SANDBOX 2 + #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ |
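Review bot: the `/* use_privsep */` comment above the new `PRIVSEP_OFF` / `PRIVSEP_ON` / `PRIVSEP_SANDBOX` block is too terse for a value set that now carries a third, non-boolean meaning; it should state that these are the permitted values of the `use_privsep` setting (the `UsePrivilegeSeparation` keyword) and that `PRIVSEP_SANDBOX` additionally depends on a kernel with the `SYSTR_POLICY_KILL` systrace option described in the commit message, since a config that asks for sandboxing on a kernel without it has different failure behaviour than plain privsep. Choosing `PRIVSEP_ON 1` and `PRIVSEP_SANDBOX 2` keeps every existing `if (use_privsep)` truth test correct because both are non-zero, but any call site that compares `use_privsep == 1` or assigns a literal `1` will silently treat the sandbox mode as ordinary privsep; a one-line note here (e.g. `/* Values for use_privsep; non-zero means privsep is enabled, PRIVSEP_SANDBOX adds systrace restrictions */`) would make that invariant explicit for anyone touching the other files in this change.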