[openssh-commits] [openssh] branch master updated (4e15f7fc0 -> 2a9e1aada)
git+noreply at mindrot.org
Tue Mar 10 14:46:08 AEDT 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from 4e15f7fc0 upstream: Move OpenBSD CVS ID marker to top of file to avoid conflicts
new 73888af65 stubs for OpenBSD unveil(2)
new b75bf339e upstream: Stop doing access() before execve(). It is a TOCTOU, but
new 46eb7dc5a upstream: With its own daemonization / fd cleaning code, ssh-agent
new 2a9e1aada upstream: unveil ssh-pkcs11-helper too; fixes breakage spotted by
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 2a9e1aadaa20a05430bddc30853fbd3449083a4d
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Mar 10 03:40:26 2026 +0000
upstream: unveil ssh-pkcs11-helper too; fixes breakage spotted by
anton@
If SK/P11/askpass is overridden by environment, only unveil the requested
path and not both the requested one and the default.
feedback/ok deraadt@
OpenBSD-Commit-ID: 84356c6a44f35e66fe73fc1524a7c8e908521eb2
commit 46eb7dc5a6f312f99437ebdcf04f0f2c03aa570b
Author: deraadt at openbsd.org <deraadt at openbsd.org>
Date: Sat Mar 7 18:35:43 2026 +0000
upstream: With its own daemonization / fd cleaning code, ssh-agent
opens /dev/null O_RDWR after a pledge without "wpath". This is allowed in
current pledge because "/dev/null" is implicitly allowed to be opened even
with the most restrictive pledges or unveils. This is a design decision in
pledge made at the very beginning, to satisfy libc requirements. We've
finally had enough experience and know how to fix that in the near-future,
but need to review and fix all code which opens these implicit paths. The fix
is to add "wpath", so that "/dev/null" can be opened O_RDWR. But that is
uncomfortable, so we add unveil() allowing "/" with "r", 4 unveil "x" for the
potential askpass and helpers to be execve'd, and "/dev/null" with "wr". As
a result filesystem access is substantially more restricted than before, and
ssh-agent is ready for the future pledge change. ok djm dtucker
OpenBSD-Commit-ID: f223b11d2db3c0b14e53c1de59966dd5f372a977
commit b75bf339eae6115c544bdcefa0d67a6dcc971ec5
Author: deraadt at openbsd.org <deraadt at openbsd.org>
Date: Sat Mar 7 18:27:52 2026 +0000
upstream: Stop doing access() before execve(). It is a TOCTOU, but
also it forces use of unveil "rx" instead of "x". This is done by using a
pipe() through the fork+execve attempt to expose execve failure and create
the same error return as the access() used to do. ok djm dtucker
OpenBSD-Commit-ID: f9ee96e20352f35dc6f39127e0cc6b804700200a
commit 73888af650f0ce27cd93797f3e351b2d1b670550
Author: Damien Miller <djm at mindrot.org>
Date: Tue Mar 10 14:43:30 2026 +1100
stubs for OpenBSD unveil(2)
Summary of changes:
configure.ac | 1 +
openbsd-compat/bsd-misc.c | 8 ++++++++
openbsd-compat/bsd-misc.h | 4 ++++
ssh-agent.c | 20 ++++++++++++++++++--
ssh-sk-client.c | 42 +++++++++++++++++++++++++++++++-----------
5 files changed, 62 insertions(+), 13 deletions(-)
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
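The pipe-through-fork+execve technique described in commit b75bf339e, as an added example that is not OpenSSH's code: a close-on-exec pipe lets the parent learn the child's execve() errno, so no separate access() check (and no read permission on the path) is needed. The helper name spawn_checked() is hypothetical.

```c
/* Added example (not OpenSSH code): surface execve() failure via a pipe. */
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* spawn_checked() is a hypothetical name. Returns 0 and sets *pidp when the
 * child's execve() succeeded, else the errno of the failing call. */
int
spawn_checked(const char *path, char *const argv[], pid_t *pidp)
{
	int p[2], err = 0, saved;
	ssize_t n;
	pid_t pid;

	if (pipe(p) == -1)
		return errno;
	/* Close-on-exec: a successful execve() closes the write end for us. */
	if (fcntl(p[0], F_SETFD, FD_CLOEXEC) == -1 ||
	    fcntl(p[1], F_SETFD, FD_CLOEXEC) == -1 || (pid = fork()) == -1) {
		saved = errno;
		close(p[0]);
		close(p[1]);
		return saved;
	}
	if (pid == 0) {
		close(p[0]);
		execve(path, argv, environ);
		err = errno;	/* reached only if execve() failed */
		if (write(p[1], &err, sizeof(err)) != (ssize_t)sizeof(err))
			_exit(126);
		_exit(127);
	}
	close(p[1]);
	/* EOF (0 bytes) means the exec happened; anything else is a failure. */
	while ((n = read(p[0], &err, sizeof(err))) == -1 && errno == EINTR)
		continue;
	close(p[0]);
	if (n != 0) {
		while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
			continue;
		return n == (ssize_t)sizeof(err) ? err : EIO;
	}
	*pidp = pid;
	return 0;
}
```

Because the check and the use are the same execve() call, there is no window between them for the path to change.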