Contributed by pitrh on from the ssh!-refound dept.
CVSROOT: /cvs Module name: src Changes by: email@example.com 2011/06/22 15:57:01 Modified files: usr.bin/ssh : servconf.c servconf.h sshd.c sshd_config.5 usr.bin/ssh/sshd: Makefile Added files: usr.bin/ssh : sandbox-rlimit.c sandbox-systrace.c sandbox.h Log message: introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@
(Comments are closed)