sandbox pre-auth privsep child
Scott Neugroschl
scott_n at xypro.com
Thu Jun 23 01:20:06 EST 2011
> On Wed, 22 Jun 2011, Damien Miller wrote:
>
> > Hi,
> >
> > This patch (relative to -HEAD) defines an API to allow sandboxing of
> the
> > pre-auth privsep child and a couple of sandbox implementations.
>
> If you want to verify that the sandbox is actually working, you might
> want to try this little hack.
>
> Needless to say, don't bother doing this will the null sandbox :)
>
> --- sshd.c.orig 2011-06-22 23:05:21.000000000 +1000
> +++ sshd.c 2011-06-22 23:05:28.000000000 +1000
> @@ -676,8 +676,14 @@
> if (getuid() == 0 || geteuid() == 0)
> privsep_preauth_child();
> setproctitle("%s", "[net]");
> - if (box != NULL)
> + if (box != NULL) {
> ssh_sandbox_child(box);
> + if (fork() != -1)
> + fatal("fork() succeeded despite
sandbox");
> + if (socket(AF_INET, SOCK_STREAM, 0) != -1)
> + fatal("fork() succeeded despite
sandbox");
> + debug("sandbox seems to be working");
> + }
>
> return 0;
> }
The message in the second fatal() call should probably read
"socket() succeeded..." instead of "fork() succeeded..."
More information about the openssh-unix-dev
mailing list