path: root/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
commit fc3c19a9fceeea48a9259ac3833a125804342c0e
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Sat Oct 6 21:32:55 2018 +0000

    sshd: address capsicum issues
    
    * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
      capability mode.
    * Cache timezone data via caph_cache_tzdata() as we cannot access the
      timezone file.
    * Reverse resolve hostname before entering capability mode.
    
    PR:             231172
    Submitted by:   naito.yuichiro@gmail.com
    Reviewed by:    cem, des
    Approved by:    re (rgrimes)
    MFC after:      3 weeks
    Differential Revision:  https://reviews.freebsd.org/D17128

Notes:
    svn path=/head/; revision=339216

diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
index 5f41d526292b..f728abd18250 100644
--- sandbox-capsicum.c
+++ sandbox-capsicum.c
@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <capsicum_helpers.h>
 
 #include "log.h"
 #include "monitor.h"
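Review bot: The added `#include <capsicum_helpers.h>` is unconditional, and nothing visible in this hunk guards it, so the file may stop compiling on a Capsicum-capable target that does not ship that header. If this source is ever built outside the FreeBSD tree the patch targets, the include and the `caph_cache_tzdata()` call added in the next hunk should sit behind a configure-time header check (placeholder name `HAVE_<HEADER_CHECK>`). The fallback path should carry a comment saying that timezone data is then not cached before the sandbox is entered, so the loss of that behaviour is a visible decision rather than a silent one.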
@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 	struct rlimit rl_zero;
 	cap_rights_t rights;
 
+	caph_cache_tzdata();
+
 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
 
 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
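Review bot: The `caph_cache_tzdata()` call added at the top of `ssh_sandbox_child()` carries an ordering requirement that the code does not state. Per the commit message the timezone file cannot be accessed in capability mode, so the call has to stay ahead of the point where the sandbox is entered. That point lies outside this hunk (the function body continues past the `setrlimit` check), so a later reordering could break the caching without any compile error. I would add a comment above the call, e.g. `/* Cache tz data now: the timezone file is unreachable once in capability mode. */`.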