1323ec5712
Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
126 lines
3.4 KiB
C
126 lines
3.4 KiB
C
/*
|
|
* Copyright (c) 2011 Dag-Erling Smorgrav
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
__RCSID("$FreeBSD$");
|
|
|
|
#ifdef SANDBOX_CAPSICUM
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/time.h>
|
|
#include <sys/resource.h>
|
|
#include <sys/capsicum.h>
|
|
|
|
#include <errno.h>
|
|
#include <stdarg.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <capsicum_helpers.h>
|
|
|
|
#include "log.h"
|
|
#include "monitor.h"
|
|
#include "ssh-sandbox.h"
|
|
#include "xmalloc.h"
|
|
|
|
/*
|
|
* Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
|
|
* limits rights on stdout, stdin, stderr, monitor and switches to
|
|
* capability mode.
|
|
*/
|
|
|
|
struct ssh_sandbox {
|
|
struct monitor *monitor;
|
|
pid_t child_pid;
|
|
};
|
|
|
|
struct ssh_sandbox *
|
|
ssh_sandbox_init(struct monitor *monitor)
|
|
{
|
|
struct ssh_sandbox *box;
|
|
|
|
/*
|
|
* Strictly, we don't need to maintain any state here but we need
|
|
* to return non-NULL to satisfy the API.
|
|
*/
|
|
debug3("%s: preparing capsicum sandbox", __func__);
|
|
box = xcalloc(1, sizeof(*box));
|
|
box->monitor = monitor;
|
|
box->child_pid = 0;
|
|
|
|
return box;
|
|
}
|
|
|
|
void
|
|
ssh_sandbox_child(struct ssh_sandbox *box)
|
|
{
|
|
struct rlimit rl_zero;
|
|
cap_rights_t rights;
|
|
|
|
caph_cache_tzdata();
|
|
|
|
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
|
|
|
|
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
|
|
fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
|
|
__func__, strerror(errno));
|
|
#ifndef SANDBOX_SKIP_RLIMIT_NOFILE
|
|
if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
|
|
fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
|
|
__func__, strerror(errno));
|
|
#endif
|
|
if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
|
|
fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
|
|
__func__, strerror(errno));
|
|
|
|
cap_rights_init(&rights);
|
|
|
|
if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
|
|
fatal("can't limit stdin: %m");
|
|
if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
|
|
fatal("can't limit stdout: %m");
|
|
if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
|
|
fatal("can't limit stderr: %m");
|
|
|
|
cap_rights_init(&rights, CAP_READ, CAP_WRITE);
|
|
if (cap_rights_limit(box->monitor->m_recvfd, &rights) < 0 &&
|
|
errno != ENOSYS)
|
|
fatal("%s: failed to limit the network socket", __func__);
|
|
cap_rights_init(&rights, CAP_WRITE);
|
|
if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) < 0 &&
|
|
errno != ENOSYS)
|
|
fatal("%s: failed to limit the logging socket", __func__);
|
|
if (cap_enter() < 0 && errno != ENOSYS)
|
|
fatal("%s: failed to enter capability mode", __func__);
|
|
|
|
}
|
|
|
|
void
|
|
ssh_sandbox_parent_finish(struct ssh_sandbox *box)
|
|
{
|
|
free(box);
|
|
debug3("%s: finished", __func__);
|
|
}
|
|
|
|
void
|
|
ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
|
|
{
|
|
box->child_pid = child_pid;
|
|
}
|
|
|
|
#endif /* SANDBOX_CAPSICUM */
|