sandbox pre-auth privsep child
Alex Bligh
alex at alex.org.uk
Thu Jun 23 01:21:20 EST 2011
--On 22 June 2011 22:53:05 +1000 Damien Miller <djm at mindrot.org> wrote:
> The idea here is to heavily restrict what the network-face pre-auth
> process can do. This was the original intent behind dropping to a
> dedicated uid and chrooting to an empty directory, but even this still
> allows a compromised slave process to make new network connections and
> try to exploit local kernel attack surface
Perhaps not ready for primetime, but at least on Linux have you looked at
CLONE_NEWNET etc.? This generates a child with (essentially) an unconfigured
network stack; the other CLONE_XXX flags may be useful too.
--
Alex Bligh
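The CLONE_NEWNET idea from the message above, as an added example that is not part of the original thread or of OpenSSH's own privsep code: a forked child enters a fresh network namespace with unshare(2) and then tries to reach 127.0.0.1, which fails with no route because the only interface in a new namespace is a down `lo`. The fallback through CLONE_NEWUSER for unprivileged callers, the probe port, and the result names are assumptions for the demo.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of probing the network from inside a fresh network namespace. */
enum netns_result {
    NETNS_ISOLATED    = 0, /* namespace created; connect() found no route at all */
    NETNS_UNSUPPORTED = 1, /* kernel or seccomp policy refused to create the namespace */
    NETNS_LEAK        = 2, /* namespace created but loopback was still reachable */
    NETNS_ERROR       = 3  /* fork()/waitpid() failed; nothing was tested */
};

/* Runs in the child: enter a new network namespace, then try to reach loopback. */
static int child_probe(void)
{
    /* CLONE_NEWNET alone needs CAP_SYS_ADMIN, so a privsep monitor would do
     * this while still root, before chroot and setuid. As an assumed fallback
     * for unprivileged demo runs, creating a user namespace in the same call
     * grants that capability over the new network namespace. */
    if (unshare(CLONE_NEWNET) == -1) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == -1)
            return NETNS_UNSUPPORTED;
    }

    /* Sockets can still be created, but the new namespace has only a down
     * `lo` and no routes, so even 127.0.0.1 is unreachable. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1)
        return NETNS_ISOLATED;  /* an even stricter sandbox may refuse socket() itself */

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(22);   /* assumed probe port: we expect "no route", not a RST */
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int rc = connect(fd, (struct sockaddr *)&sin, sizeof sin);
    int err = errno;
    close(fd);

    if (rc == 0 || err == ECONNREFUSED)
        return NETNS_LEAK;      /* a stack answered (RST or accept): not isolated */
    return NETNS_ISOLATED;      /* typically ENETUNREACH: the empty stack has no routes */
}

/* Fork, isolate the child, and report what it could reach. */
enum netns_result netns_probe(void)
{
    pid_t pid = fork();
    if (pid == -1)
        return NETNS_ERROR;
    if (pid == 0)
        _exit(child_probe());

    int status;
    if (waitpid(pid, &status, 0) == -1)
        return NETNS_ERROR;
    if (WIFSIGNALED(status))
        return NETNS_UNSUPPORTED;   /* e.g. SIGSYS from a seccomp filter on unshare() */
    return (enum netns_result)WEXITSTATUS(status);
}

const char *netns_result_name(enum netns_result r)
{
    switch (r) {
    case NETNS_ISOLATED:    return "isolated";
    case NETNS_UNSUPPORTED: return "unsupported";
    case NETNS_LEAK:        return "leak";
    default:                return "error";
    }
}

int main(void)
{
    enum netns_result r = netns_probe();
    printf("pre-auth child network probe: %s\n", netns_result_name(r));
    return r == NETNS_LEAK || r == NETNS_ERROR ? 1 : 0;
}
```

Two caveats worth keeping in mind when weighing this against the quoted concern: a network namespace stops the child from opening new connections, but an already-connected client socket inherited from the listener keeps working across the unshare, which is exactly what the pre-auth child needs; and it does nothing to shrink the syscall-level kernel attack surface, since every system call remains reachable from the isolated process. Restricting that needs a separate mechanism such as a syscall filter.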