Contributed by pitrh on from the ssh!-refound dept.
CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2011/06/22 15:57:01

Modified files:
	usr.bin/ssh    : servconf.c servconf.h sshd.c sshd_config.5
	usr.bin/ssh/sshd: Makefile
Added files:
	usr.bin/ssh    : sandbox-rlimit.c sandbox-systrace.c sandbox.h

Log message:
introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@
By jirib (jirib) jirib@mailinator.com on
thx
Comments
By Anonymous Coward (anon) on
no.
> can anybody provide an example of this use?
add 'UsePrivilegeSeparation sandbox' to /etc/ssh/sshd_config, then '/etc/rc.d/sshd reload'.
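An added example of the step the reply above describes, not code from the OpenSSH commit or from any of the commenters: a small shell helper that switches an sshd_config file to the new sandbox mode idempotently and then reports the value sshd will actually use. sshd honours the first uncommented occurrence of a keyword and accepts both "Keyword value" and "Keyword=value", so the helper follows the same rules. The function names and the sample config written by write_sample_config are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the OpenSSH commit or the comments above):
# enable UsePrivilegeSeparation sandbox in an sshd_config file and show
# the value sshd would pick up. Helper names and the sample file are
# assumptions of this example, not OpenSSH tooling.

# Print the value sshd takes for UsePrivilegeSeparation from the file $1.
# sshd keeps the FIRST uncommented occurrence of a keyword and ignores
# later ones, and "Keyword=value" is as valid as "Keyword value", so the
# lookup mirrors that. Prints nothing when the keyword is absent.
effective_privsep() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/ || line == "") next
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == "useprivilegeseparation") { print f[2]; exit }
        }' "$1"
}

# Rewrite $1 so every uncommented UsePrivilegeSeparation line becomes
# "UsePrivilegeSeparation sandbox" (so the first one sshd sees is the
# sandbox setting), leave commented-out lines alone, and append the
# directive if the file never set it. The result is written to a temp
# file and moved into place so a failed run cannot truncate sshd_config.
set_privsep_sandbox() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line !~ /^#/) {
                split(line, f, /[ \t=]+/)
                if (tolower(f[1]) == "useprivilegeseparation") {
                    print "UsePrivilegeSeparation sandbox"
                    seen = 1
                    next
                }
            }
            print
        }
        END { if (!seen) print "UsePrivilegeSeparation sandbox" }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Write a constructed sshd_config (not taken from any real host) to $1 so
# the functions above can be exercised offline. It deliberately mixes a
# commented example, an indented line and the "=" form.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config for this example
Port 22
#UsePrivilegeSeparation yes
   UsePrivilegeSeparation yes
UsePrivilegeSeparation=no
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# On a real host (not run here), after backing up the file:
#   set_privsep_sandbox /etc/ssh/sshd_config && sshd -t && /etc/rc.d/sshd reload
# sshd -t checks the configuration syntax before the reload.
```

Running set_privsep_sandbox twice leaves the file unchanged, and effective_privsep is the quickest way to confirm that no earlier "UsePrivilegeSeparation yes" line is still shadowing the sandbox setting.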
By jirib (jirib) on
>
> no.
>
> > can anybody provide an example of this use?
>
> add 'UsePrivilegeSeparation sandbox' to /etc/ssh/sshd_config, then '/etc/rc.d/sshd reload'.
So, if I understand it correctly, it is an extension of securing the unprivileged child process as described here, am I right?
http://www.citi.umich.edu/u/provos/ssh/privsep.html
By Corey Clingo (coreyography) clingeaux@gmail.com on
http://www.usenix.org/events/woot07/tech/full_papers/watson/watson.pdf
And this proposed solution from Niels Provos (whether it's the best, or easy, I have no idea):
"The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penalty but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon."
By ralfh (ralfh) on
> about have been resolved, or is it more along the lines of every little bit helps?
The race condition occurs when the syscall wrapper evaluates syscall arguments. In that case, the arguments are first copied into kernel space by the wrapper to make the decision and later again by the syscall itself. There is a time window in between where a cooperating process can modify the argument. I don't know whether this issue has been resolved in OpenBSD.
OpenSSH uses systrace to only white-list permitted syscalls, without evaluating syscall arguments, so that should be safe.
By Janne Johansson (jj) jj@stacken.kth.se on http://www.inet6.se
google groups openssh-dev maillist archive