diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-03-14 07:19:07 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-03-15 11:09:18 +1100 |
| commit | 66705948c0639a7061a0d0753266da7685badfec (patch) | |
| tree | 147e7ac3dd0730796fcc39c345d8ff7bbf9a13e2 | |
| parent | f86586b03fe6cd8f595289bde200a94bc2c191af (diff) | |
upstream commit
Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@
(note: this doesn't remove the !privsep code paths, though that will
happen eventually).
Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
| -rw-r--r-- | servconf.c | 12 | ||||
| -rw-r--r-- | sshd_config | 3 | ||||
| -rw-r--r-- | sshd_config.5 | 26 |
3 files changed, 5 insertions, 36 deletions
@@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.305 2017/03/10 04:11:00 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.306 2017/03/14 07:19:07 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -535,7 +535,7 @@ static struct { { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL }, { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, - { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, + { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL}, { "acceptenv", sAcceptEnv, SSHCFG_ALL }, { "permittunnel", sPermitTunnel, SSHCFG_ALL }, { "permittty", sPermitTTY, SSHCFG_ALL }, @@ -1374,11 +1374,6 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->disable_forwarding; goto parse_flag; - case sUsePrivilegeSeparation: - intptr = &use_privsep; - multistate_ptr = multistate_privsep; - goto parse_multistate; - case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) @@ -2107,8 +2102,6 @@ fmt_intarg(ServerOpCodes code, int val) return fmt_multistate_int(val, multistate_gatewayports); case sCompression: return fmt_multistate_int(val, multistate_compression); - case sUsePrivilegeSeparation: - return fmt_multistate_int(val, multistate_privsep); case sAllowTcpForwarding: return fmt_multistate_int(val, multistate_tcpfwd); case sAllowStreamLocalForwarding: @@ -2284,7 +2277,6 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); - dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); /* string arguments */ diff --git a/sshd_config b/sshd_config index 9f09e4a6..4eb2e02e 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -93,7 +93,6 @@ AuthorizedKeysFile .ssh/authorized_keys #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 diff --git a/sshd_config.5 b/sshd_config.5 index 454e46e0..ac6ccc79 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.242 2017/02/03 23:01:19 djm Exp $ -.Dd $Mdocdate: February 3 2017 $ +.\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $ +.Dd $Mdocdate: March 14 2017 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1494,28 +1494,6 @@ is enabled, you will not be able to run as a non-root user. The default is .Cm no . -.It Cm UsePrivilegeSeparation -Specifies whether -.Xr sshd 8 -separates privileges by creating an unprivileged child process -to deal with incoming network traffic. -After successful authentication, another process will be created that has -the privilege of the authenticated user. -The goal of privilege separation is to prevent privilege -escalation by containing any corruption within the unprivileged processes. -The argument must be -.Cm yes , -.Cm no , -or -.Cm sandbox . -If -.Cm UsePrivilegeSeparation -is set to -.Cm sandbox -then the pre-authentication unprivileged process is subject to additional -restrictions. -The default is -.Cm sandbox . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. |