1323ec5712
Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
67 lines
2.2 KiB
C
67 lines
2.2 KiB
C
/*
|
|
* Copyright (c) 2016 Darren Tucker. All rights reserved.
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_SYS_PROCCTL_H
|
|
#include <sys/procctl.h>
|
|
#endif
|
|
#if defined(HAVE_SYS_PRCTL_H)
|
|
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
|
|
#endif
|
|
#ifdef HAVE_SYS_PTRACE_H
|
|
#include <sys/ptrace.h>
|
|
#endif
|
|
#ifdef HAVE_PRIV_H
|
|
#include <priv.h> /* For setpflags() and __PROC_PROTECT */
|
|
#endif
|
|
#include <stdarg.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
#include "log.h"
|
|
|
|
void
|
|
platform_disable_tracing(int strict)
|
|
{
|
|
#if defined(HAVE_PROCCTL) && defined(PROC_TRACE_CTL)
|
|
/* On FreeBSD, we should make this process untraceable */
|
|
int disable_trace = PROC_TRACE_CTL_DISABLE;
|
|
|
|
if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
|
|
fatal("unable to make the process untraceable: %s",
|
|
strerror(errno));
|
|
#endif
|
|
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
|
|
/* Disable ptrace on Linux without sgid bit */
|
|
if (prctl(PR_SET_DUMPABLE, 0) != 0 && strict)
|
|
fatal("unable to make the process undumpable: %s",
|
|
strerror(errno));
|
|
#endif
|
|
#if defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT)
|
|
/* On Solaris, we should make this process untraceable */
|
|
if (setpflags(__PROC_PROTECT, 1) != 0 && strict)
|
|
fatal("unable to make the process untraceable: %s",
|
|
strerror(errno));
|
|
#endif
|
|
#ifdef PT_DENY_ATTACH
|
|
/* Mac OS X */
|
|
if (ptrace(PT_DENY_ATTACH, 0, 0, 0) == -1 && strict)
|
|
fatal("unable to set PT_DENY_ATTACH: %s", strerror(errno));
|
|
#endif
|
|
}
|