diff options
Diffstat (limited to 'security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata')
-rw-r--r-- | security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata new file mode 100644 index 000000000000..bf3889265b77 --- /dev/null +++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata @@ -0,0 +1,43 @@ +commit fc3c19a9fceeea48a9259ac3833a125804342c0e +Author: Ed Maste <emaste@FreeBSD.org> +Date: Sat Oct 6 21:32:55 2018 +0000 + + sshd: address capsicum issues + + * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in + capability mode. + * Cache timezone data via caph_cache_tzdata() as we cannot access the + timezone file. + * Reverse resolve hostname before entering capability mode. + + PR: 231172 + Submitted by: naito.yuichiro@gmail.com + Reviewed by: cem, des + Approved by: re (rgrimes) + MFC after: 3 weeks + Differential Revision: https://reviews.freebsd.org/D17128 + +Notes: + svn path=/head/; revision=339216 + +diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c +index 5f41d526292b..f728abd18250 100644 +--- sandbox-capsicum.c ++++ sandbox-capsicum.c +@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$"); + #include <stdlib.h> + #include <string.h> + #include <unistd.h> ++#include <capsicum_helpers.h> + + #include "log.h" + #include "monitor.h" +@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box) + struct rlimit rl_zero; + cap_rights_t rights; + ++ caph_cache_tzdata(); ++ + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) |