[Bug 3855] sshd-auth sandbox limitations

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Aug 29 09:49:46 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3855

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Moving the privsep_child_demote() to after do_authentication2() not
only disables the sandbox (sshd-auth exits after authentication
completes), but disables all privilege-reduction that it performs.
You're much better off just disabling sandboxing at compile time.

Wrt enabling opening /dev/random, unfortunately it's not possible using
the seccomp sandbox without also allowing open() of any file. The
problem is that the seccomp bpf filters cannot inspect pointer
arguments, including file paths. Therefore the only option would be to
allow all __NR_open syscalls, which would significantly weaken the
sandbox.

AFAIK all other libcrypto libraries have long since moved to use the
getrandom(2) syscall which is much easier to allowlist. AFAIK
BoringSSL's FIPS libcrypto uses getrandom(2).
