| Field | Value |
|---|---|
| Summary: | make ssh-agent and sftp-server untraceable on Solaris |
| Product: | Portable OpenSSH |
| Reporter: | huieying.lee |
| Component: | ssh-agent |
| Assignee: | Darren Tucker <dtucker> |
| Status: | CLOSED FIXED |
| Severity: | enhancement |
| CC: | djm, dtucker |
| Priority: | P5 |
| Version: | 7.2p1 |
| Hardware: | SPARC |
| OS: | Solaris |
| Bug Depends on: | |
| Bug Blocks: | 2543 |
| Attachments: | |
I'm OK with doing this, however I think the code should be factored out of the mainline code and moved somewhere like platform.c.

Created attachment 2828: Move prtctl into platform.c then add setpflags
Could you please confirm that this works?
Once we're happy with it I'll commit it as 2 parts (the move of existing and the addition of the new).
Thanks.
Comment on attachment 2828 (Move prtctl into platform.c then add setpflags):
Thanks - I was going to suggest refactoring it this way :)
Applied, thanks. Please let us know if any further changes are required. https://anongit.mindrot.org/openssh.git/commit/?id=a86ec4d0737ac5879223e7cd9d68c448df46e169

That's all we need for this. Thank you very much for taking this in.

Close all resolved bugs after 7.3p1 release
Created attachment 2827: to make ssh-agent and sftp-server untraceable on Solaris

For Linux, to prevent ptrace on ssh-agent and sftp-server, ssh-agent.c and sftp-server.c call prctl(PR_SET_DUMPABLE, 0). For Solaris, the equivalent implementation would be: setpflags(__PROC_PROTECT, 1); Attached is the patch to make ssh-agent and sftp-server untraceable on Solaris without using the sgid bit. We would like to contribute this patch to upstream, so that our code will be more in sync with the upstream version.
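The two calls named in the report, wrapped in one platform-selected helper and paired with a read-back check so a process can confirm the flag actually took effect. This is an added example written for this page, not OpenSSH's platform.c; the function names `platform_disable_tracing` and `platform_tracing_disabled` are assumptions, and the check uses `PR_GET_DUMPABLE` on Linux and `getpflags()` on Solaris.

```c
/* Added example (not OpenSSH code): disable tracing of the current process
 * the way the Solaris patch above does, then verify the resulting state. */
#include <stdio.h>

#if defined(__linux__)
#include <sys/prctl.h>
#elif defined(__sun)
#include <priv.h>
#endif

/* Make the process untraceable/undumpable.
 * Returns 0 on success, -1 on failure or on an unsupported platform. */
int platform_disable_tracing(void)
{
#if defined(__linux__)
    /* Linux: clearing the dumpable flag blocks ptrace attach by
     * unprivileged users and suppresses core dumps. */
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
#elif defined(__sun)
    /* Solaris: the equivalent process flag named in the report. */
    return setpflags(__PROC_PROTECT, 1) == 0 ? 0 : -1;
#else
    return -1;
#endif
}

/* Read the flag back: 1 if tracing is disabled, 0 if not, -1 if unknown. */
int platform_tracing_disabled(void)
{
#if defined(__linux__)
    int r = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    return r < 0 ? -1 : (r == 0);
#elif defined(__sun)
    int r = (int)getpflags(__PROC_PROTECT);
    return r < 0 ? -1 : (r == 1);
#else
    return -1;
#endif
}

int main(void)
{
    if (platform_disable_tracing() != 0) {
        fprintf(stderr, "could not disable tracing on this platform\n");
        return 1;
    }
    printf("tracing disabled: %d\n", platform_tracing_disabled());
    return 0;
}
```

A daemon holding key material should call this early, before any secret is loaded, and treat a failed read-back as a fatal error rather than continuing.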