OpenBSD Journal

Systrace Sandboxed OpenSSH

Contributed by pitrh on from the ssh!-refound dept.

A little while back, Ray Lai wrote in about a very interesting commit by Damien Miller (djm@). With this, OpenSSH's privilege separation is further tightened:
CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2011/06/22 15:57:01

Modified files:
	usr.bin/ssh    : servconf.c servconf.h sshd.c sshd_config.5 
	usr.bin/ssh/sshd: Makefile 
Added files:
	usr.bin/ssh    : sandbox-rlimit.c sandbox-systrace.c sandbox.h 

Log message:
introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@

Comments
  1. By jirib (jirib) jirib@mailinator.com on

    Do I still need to define any policy file? Can anybody provide an example of this use?

    thx

    Comments
    1. By Anonymous Coward (anon) on

      > Do I still need to define any policy file?

      no.

      > can anybody provide an example of this use?

      add 'UsePrivilegeSeparation sandbox' to /etc/ssh/sshd_config, then '/etc/rc.d/sshd reload'.

      Comments
      1. By jirib (jirib) on

        > > Do I still need to define any policy file?
        >
        > no.
        >
        > > can anybody provide an example of this use?
        >
        > add 'UsePrivilegeSeparation sandbox' to /etc/ssh/sshd_config, then '/etc/rc.d/sshd reload'.

        So if I understand it correctly, it is an extension of securing the unprivileged child process as described here, am I right?

        http://www.citi.umich.edu/u/provos/ssh/privsep.html

  2. By Corey Clingo (coreyography) clingeaux@gmail.com on

    Does this mean that the systrace kernel-race issues I recall reading about have been resolved, or is it more along the lines of every little bit helps?

    Comments
    1. By Corey Clingo (coreyography) on

      OK, decided to go refresh my ailing memory. I guess specifically I'm referring to this paper. My apologies if I implied that OpenBSD was at fault in my previous message:

      http://www.usenix.org/events/woot07/tech/full_papers/watson/watson.pdf

      And this proposed solution from Niels Provos (whether it's the best, or easy, I have no idea):

      "The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penalty but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon."

    2. By ralfh (ralfh) on

      > Does this mean that the systrace kernel-race issues I recall reading
      > about have been resolved, or is it more along the lines of every little
      > bit helps?

      The race condition occurs when the syscall wrapper evaluates syscall arguments. In that case, the arguments are first copied into kernel space by the wrapper to make the decision and later again by the syscall itself. There is a time window in between where a cooperating process can modify the argument. I don't know whether this issue has been resolved in OpenBSD.

      OpenSSH uses systrace to only white-list permitted syscalls, without evaluating syscall arguments, so that should be safe.
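The commit log above describes the shape of the sandbox rather than its code: a list of permitted syscalls applied by the kernel, with any syscall outside the list fatal to the pre-auth child, and (as ralfh notes) no inspection of syscall arguments. The following is an added example, not OpenSSH's sandbox-systrace.c and not code from the OpenSSH project, that builds the same shape with Linux seccomp-bpf so that it can be run on a Linux machine; the `allowed` list, `install_allowlist`, `run_sandboxed` and the two child bodies are constructed for the demonstration, and the list is far smaller than a real privsep child needs. A forbidden `socket(2)` call ends the child with SIGSYS rather than systrace's SIGKILL. Because the filter decides on the syscall number alone and never copies in arguments, it has no argument copy-in window of the kind discussed in the comments.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Older kernel headers lack KILL_PROCESS; the thread-killing action is
 * equivalent for a single-threaded child. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Syscall numbers differ per ABI (x86_64 vs i386/x32), so the filter must
 * refuse any ABI other than the one it was built for. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Allow-list for the sandboxed child (constructed for this example; NOT
 * OpenSSH's real pre-auth list). It names syscalls only: no argument is
 * read, so there is nothing for a cooperating process to race against. */
static const int allowed[] = {
    __NR_read, __NR_write, __NR_close,
    __NR_exit, __NR_exit_group, __NR_rt_sigreturn,
};
#define N_ALLOWED (sizeof allowed / sizeof allowed[0])

/* Build the filter and install it in the calling process. Returns 0 or -1. */
int install_allowlist(void)
{
    struct sock_filter filter[6 + N_ALLOWED];
    size_t i = 0;

    /* 1. Kill unless the syscall came in through the expected ABI. */
    filter[i++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                                offsetof(struct seccomp_data, arch));
    filter[i++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    filter[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    /* 2. Load the syscall number and compare it against each list entry.
     *    On a match, jump over the remaining comparisons and the default
     *    KILL, landing on ALLOW. Anything unmatched falls through to KILL. */
    filter[i++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                                offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < N_ALLOWED; k++)
        filter[i++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                    (unsigned)allowed[k],
                                                    (unsigned char)(N_ALLOWED - k), 0);
    filter[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    filter[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog prog = { .len = (unsigned short)i, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) return -1;
    return 0;
}

/* Child body that stays inside the allow-list. */
int well_behaved(void)
{
    static const char msg[] = "child: write() permitted\n";
    return write(STDOUT_FILENO, msg, sizeof msg - 1) > 0 ? 0 : 1;
}

/* Child body doing what the commit log warns about: a compromised pre-auth
 * child opening a socket. socket(2) is not on the list, so this is fatal. */
int opens_socket(void)
{
    return socket(AF_INET, SOCK_STREAM, 0) >= 0 ? 0 : 1;
}

/* Run fn() in a forked, sandboxed child and report how it ended:
 * 0 = exited successfully, a signal number if the kernel killed it
 * (SIGSYS for a filter violation), 127 if the sandbox could not be set up. */
int run_sandboxed(int (*fn)(void))
{
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (install_allowlist() == -1) _exit(127);
        _exit(fn());                      /* exit_group: on the list */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("well_behaved -> %d (0 = exited normally)\n", run_sandboxed(well_behaved));
    printf("opens_socket -> %d (%d = SIGSYS, killed by the filter)\n",
           run_sandboxed(opens_socket), SIGSYS);
    return 0;
}
```

The filter is installed only in the forked child, mirroring how sshd confines the pre-auth child and not the privileged monitor; `PR_SET_NO_NEW_PRIVS` is required before an unprivileged process may install a filter. Any syscall the child's C library makes that is missing from the list kills it too, which is why a real allow-list has to be derived from what the child actually calls rather than from what it is meant to do.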
