[Bug 3855] sshd-auth sandbox limitations

bugzilla-daemon at mindrot.org
Fri Aug 29 18:51:41 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3855

--- Comment #4 from Adrian Jarc <adrian.jarc at aviatnet.com> ---
(In reply to Damien Miller from comment #2)
> Moving the privsep_child_demote() to after do_authentication2() not
> only disables the sandbox (sshd-auth exits after authentication
> completes), but disables all privilege-reduction that it performs.
> You're much better off just disabling sandboxing at compile time.
> 
> Wrt enabling opening /dev/random, unfortunately it's not possible
> using the seccomp sandbox without also allowing open() of any file.
> The problem is that the seccomp bpf filters cannot inspect pointer
> arguments, including file paths. Therefore the only option would be
> to allow all __NR_open syscalls, which would significantly weaken
> the sandbox.
> 
> AFAIK all other libcrypto libraries have long since moved to use the
> getrandom(2) syscall which is much easier to allowlist. AFAIK
> BoringSSL's FIPS libcrypto uses getrandom(2).

As far as BoringSSL goes, it is not certified for our processor. Also,
we have done some further investigation and found that moving
privsep_child_demote() after do_ssh2_kex() also works, as the problem
was in the kex authentication. Is this any better?

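The seccomp limitation Damien describes in the quoted reply (a seccomp-bpf filter sees only the syscall number and the raw argument words, never the bytes a pathname pointer refers to, so open()/openat() can only be allowed or denied wholesale while getrandom(2) is trivial to allowlist) as an added, stand-alone example. This is not OpenSSH's sandbox code: the allowlist, the helper names (syscall_allowed, build_filter, install_filter, getrandom_fill) and the /dev/random probe in main are assumptions made for the illustration, and the program is Linux-only (it needs a kernel with SECCOMP_MODE_FILTER).

```c
/* Added example, not OpenSSH's sandbox: a minimal seccomp-bpf allowlist that
 * admits getrandom(2) and rejects open(2)/openat(2) with EPERM. The point it
 * demonstrates is that the filter cannot be made path-aware: it can compare
 * the pointer *value* in args[1] of openat, but not the string it points at. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/random.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SANDBOX_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* older UAPI headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Allowlist: an assumption for this example, not OpenSSH's real list.
 * getrandom(2) is in; open(2)/openat(2) are deliberately absent. */
static const int allowed_syscalls[] = {
    __NR_getrandom, __NR_read, __NR_write, __NR_exit, __NR_exit_group,
#ifdef __NR_rt_sigreturn
    __NR_rt_sigreturn,
#endif
};
#define N_ALLOWED (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))

/* 1 if syscall number nr is on the allowlist, 0 otherwise. */
int syscall_allowed(int nr)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (allowed_syscalls[i] == nr)
            return 1;
    return 0;
}

/* Emit the classic-BPF program into prog; returns the instruction count, or
 * 0 if cap is too small. Layout: architecture check (kill on mismatch, so a
 * foreign-ABI syscall table cannot be used to dodge the numbers below), then
 * load seccomp_data.nr, one JEQ/RET pair per allowed number, and a default
 * RET ERRNO(EPERM). Nothing here can inspect a pathname: seccomp_data only
 * carries nr, arch, instruction_pointer and six 64-bit argument words. */
size_t build_filter(struct sock_filter *prog, size_t cap)
{
    size_t n = 0;
    if (cap < 2 * N_ALLOWED + 5)
        return 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned)allowed_syscalls[i], 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                             SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}

/* Fill buf from the kernel CSPRNG via the getrandom(2) wrapper; returns the
 * byte count, or -1. No file descriptor and no open() are involved. */
ssize_t getrandom_fill(unsigned char *buf, size_t len)
{
    return getrandom(buf, len, 0);
}

/* Install the filter on the calling thread; returns 0 or -1 (errno set). */
int install_filter(void)
{
    struct sock_filter insns[64];
    size_t n = build_filter(insns, sizeof insns / sizeof insns[0]);
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (n == 0)
        return -1;
    /* Mandatory for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    unsigned char buf[16];
    char msg[96];
    int fd, len;

    if (install_filter() == -1) {
        perror("seccomp");
        return 1;
    }
    /* stdio is avoided after this point: its first use may issue fstat(),
     * which is not on the allowlist. Plain write(2) is. */
    len = snprintf(msg, sizeof msg, "getrandom -> %zd bytes\n",
                   getrandom_fill(buf, sizeof buf));
    write(1, msg, (size_t)len);
    /* Denied regardless of the path: the filter never saw "/dev/random". */
    fd = open("/dev/random", O_RDONLY);
    len = snprintf(msg, sizeof msg, "open(/dev/random) -> %d (%s)\n", fd,
                   (fd == -1 && errno == EPERM) ? "EPERM" : "unexpected");
    write(1, msg, (size_t)len);
    return 0;
}
```

Build with `cc -o seccomp_demo seccomp_demo.c` and run it on Linux: the first line reports 16 bytes from getrandom, the second reports -1 with EPERM for the open. Swapping SECCOMP_RET_ERRNO for SECCOMP_RET_KILL_PROCESS in the default rule gives the stricter behaviour a real sandbox would want, at the cost of a less readable demo. The only way to make the open succeed is to add __NR_openat (and __NR_open where it exists) to the allowlist, and that admits every path, which is the weakening the quoted reply warns about.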

