FS#31965 - [openssh] defunct sandbox privilege separation

Attached to Project: Arch Linux
Opened by Amos Onn (amos) - Monday, 15 October 2012, 03:19 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 15 October 2012, 12:10 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Since OpenSSH 5.9, the UsePrivilegeSeparation option in /etc/ssh/sshd_config has a new legal value - sandbox. This means that the intermediate process used to create the underprivileged sshd process which will continue the session will also be sandboxed to make sure it does nothing funny. Our default config file, apparently copied from OpenBSD, uses this value. However, for this option to actually do anything new, the openssh suite has to be compiled with the following configure switch:
--with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
which decides which method of sandboxing will be compiled.
Thus, it is best either to add this switch (with a proper value) to the PKGBUILD, or change the UsePrivilegeSeparation back to "yes".

Additional info:
* openssh-6.1p1-2

Closed by Gaetan Bisson (vesath)
Monday, 15 October 2012, 12:10 GMT
Reason for closing: Not a bug
Comment by Gaetan Bisson (vesath) - Monday, 15 October 2012, 04:42 GMT
No need to manually specify "--with-sandbox=style" since from 6.1 on the best option is autodetected by the configure script (that is why I added linux-headers as a make-dependency for openssh).
Comment by Gaetan Bisson (vesath) - Monday, 15 October 2012, 04:43 GMT
Or, did you actually test your claims and establish that sandbox privilege separation did not work on your machine?
Comment by Amos Onn (amos) - Monday, 15 October 2012, 10:34 GMT
I read the configure file, but now I found my mistake. Sorry for the interruption!
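
One way to test on a running machine whether the sandbox is in effect, as an added example that is not part of this task's thread or of the openssh package. It assumes a Linux kernel that exposes the Seccomp field in /proc/<pid>/status (3.8 or later) and the /etc/ssh/sshd_config path named in the description; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the bug thread). Function names are illustrative.

configured_privsep() {
    # $1: path to sshd_config. sshd keeps the first value it reads for a keyword.
    awk '
        tolower($1) == "useprivilegeseparation" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

seccomp_mode() {
    # $1: a /proc/<pid>/status file. The Seccomp field needs Linux 3.8 or later.
    awk '
        $1 == "Seccomp:" {
            found = 1
            if ($2 == "0") print "disabled"
            else if ($2 == "1") print "strict"
            else if ($2 == "2") print "filter"
            else print "unknown"
            exit
        }
        END { if (!found) print "unsupported" }
    ' "$1"
}

report_sshd() {
    # One line per running sshd process: pid, seccomp mode, process title.
    for pid in $(pgrep -x sshd); do
        [ -r "/proc/$pid/status" ] || continue
        printf '%s\t%s\t%s\n' "$pid" "$(seccomp_mode "/proc/$pid/status")" \
            "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    done
}

# Live use: run as root on the server while a connection is waiting to authenticate.
if [ "${1:-}" = "--live" ]; then
    echo "configured: $(configured_privsep /etc/ssh/sshd_config)"
    report_sshd
fi
```

With the seccomp_filter sandbox compiled in and UsePrivilegeSeparation set to sandbox, the unprivileged pre-authentication child should report filter; a build using another sandbox style (rlimit, for example) reports disabled there even though a sandbox is applied.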
