sandbox pre-auth privsep child
Damien Miller
djm at mindrot.org
Wed Jun 22 23:06:45 EST 2011
On Wed, 22 Jun 2011, Damien Miller wrote:
> Hi,
>
> This patch (relative to -HEAD) defines an API to allow sandboxing of the
> pre-auth privsep child and a couple of sandbox implementations.
If you want to verify that the sandbox is actually working, you might
want to try this little hack.
Needless to say, don't bother doing this with the null sandbox :)
--- sshd.c.orig 2011-06-22 23:05:21.000000000 +1000
+++ sshd.c 2011-06-22 23:05:28.000000000 +1000
@@ -676,8 +676,14 @@
if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child();
setproctitle("%s", "[net]");
- if (box != NULL)
+ if (box != NULL) {
ssh_sandbox_child(box);
+ if (fork() != -1)
+ fatal("fork() succeeded despite sandbox");
+ if (socket(AF_INET, SOCK_STREAM, 0) != -1)
+ fatal("fork() succeeded despite sandbox");
+ debug("sandbox seems to be working");
+ }
return 0;
}
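Review bot: the fatal() message under the socket(AF_INET, SOCK_STREAM, 0) check is a copy of the fork() one ("fork() succeeded despite sandbox"), so a sandbox that denies fork() but still allows socket creation would be logged as a fork failure. Change the second message to "socket() succeeded despite sandbox". Since both calls are expected to return -1, the debug() line could also record strerror(errno) after each check, so the log shows how the sandbox refused the call and not only that it did.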
More information about the openssh-unix-dev mailing list