(-)a/Makefile.in (-2 / +2 lines)
Lines 92-104 LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ Link Here
92
	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
92
	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
93
	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
93
	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
94
	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
94
	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
95
	platform-pledge.o
95
	platform.o platform-pledge.o
96
96
97
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
97
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
98
	sshconnect.o sshconnect1.o sshconnect2.o mux.o
98
	sshconnect.o sshconnect1.o sshconnect2.o mux.o
99
99
100
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
100
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
101
	audit.o audit-bsm.o audit-linux.o platform.o \
101
	audit.o audit-bsm.o audit-linux.o \
102
	sshpty.o sshlogin.o servconf.o serverloop.o \
102
	sshpty.o sshlogin.o servconf.o serverloop.o \
103
	auth.o auth1.o auth2.o auth-options.o session.o \
103
	auth.o auth1.o auth2.o auth-options.o session.o \
104
	auth-chall.o auth2-chall.o groupaccess.o \
104
	auth-chall.o auth2-chall.o groupaccess.o \
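--- a/configure.ac
+++ b/configure.ac
@@ -898,6 +898,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	else
 		AC_MSG_RESULT([no])
 	fi
+	AC_CHECK_FUNCS([setpflags])
 	AC_CHECK_FUNCS([setppriv])
 	AC_CHECK_FUNCS([priv_basicset])
 	AC_CHECK_HEADERS([priv.h])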
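--- a/platform.c
+++ b/platform.c
@@ -19,6 +19,12 @@
 #include "includes.h"
 
 #include <sys/types.h>
+#if defined(HAVE_SYS_PRCTL_H)
+#include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
+#endif
+#ifdef HAVE_PRIV_H
+#include <priv.h> /* For setpflags() and __PROC_PROTECT  */
+#endif
 
 #include <stdarg.h>
 #include <unistd.h>
@@ -217,3 +223,20 @@ platform_sys_dir_uid(uid_t uid)
 #endif
 	return 0;
 }
+
+void
+platform_disable_tracing(int strict)
+{
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+	/* Disable ptrace on Linux without sgid bit */
+	if (prctl(PR_SET_DUMPABLE, 0) != 0)
+		if (strict)
+			fatal("unable to make the process undumpable");
+#endif
+#if defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT)
+	/* On Solaris, we should make this process untraceable */
+	if (setpflags(__PROC_PROTECT, 1) != 0)
+		if (strict)
+			fatal("unable to make the process untraceable");
+#endif
+}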
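Review bot: platform_disable_tracing() drops a failed prctl() or setpflags() call without any log when strict is 0, and on a build where neither #if branch is compiled it does nothing even for the strict caller in sftp-server.c, so nothing records that the process was left traceable. I would log the non-strict failure (assuming log.h's debug() is in scope here, as fatal() is), e.g. `debug("%s: prctl(PR_SET_DUMPABLE): %s", __func__, strerror(errno));`, and add the errno text to both fatal() messages. The nested unbraced `if (...) if (strict)` should get braces so that an added else, such as that log call, binds to the intended if. The function also lacks a header comment; it should state that strict != 0 makes a failed call fatal, that strict == 0 is best-effort, and that the function is a no-op where neither mechanism is available.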
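--- a/platform.h
+++ b/platform.h
@@ -31,6 +31,7 @@ void platform_setusercontext_post_groups(struct passwd *);
 char *platform_get_krb5_client(const char *);
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
+void platform_disable_tracing(int);
 
 /* in platform-pledge.c */
 void platform_pledge_agent(void);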
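--- a/sftp-server.c
+++ b/sftp-server.c
@@ -29,9 +29,6 @@
 #ifdef HAVE_SYS_STATVFS_H
 #include <sys/statvfs.h>
 #endif
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h>
-#endif
 
 #include <dirent.h>
 #include <errno.h>
@@ -1588,16 +1585,13 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
 
 	log_init(__progname, log_level, log_facility, log_stderr);
 
-#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
 	/*
-	 * On Linux, we should try to avoid making /proc/self/{mem,maps}
+	 * On platforms where we can, avoid making /proc/self/{mem,maps}
 	 * available to the user so that sftp access doesn't automatically
 	 * imply arbitrary code execution access that will break
 	 * restricted configurations.
 	 */
-	if (prctl(PR_SET_DUMPABLE, 0) != 0)
-		fatal("unable to make the process undumpable");
-#endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */
+	platform_disable_tracing(1);	/* strict */
 
 	/* Drop any fine-grained privileges we don't need */
 	platform_pledge_sftp_server();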
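--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -88,10 +88,6 @@
 #include "ssh-pkcs11.h"
 #endif
 
-#if defined(HAVE_SYS_PRCTL_H)
-#include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
-#endif
-
 typedef enum {
 	AUTH_UNUSED,
 	AUTH_SOCKET,
@@ -1209,10 +1205,7 @@ main(int ac, char **av)
 	setegid(getgid());
 	setgid(getgid());
 
-#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
-	/* Disable ptrace on Linux without sgid bit */
-	prctl(PR_SET_DUMPABLE, 0);
-#endif
+	platform_disable_tracing(0);	/* strict=no */
 
 #ifdef WITH_OPENSSL
 	OpenSSL_add_all_algorithms();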
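Review bot: The call added in main() has lost the explanation that the removed block carried, so nothing at the call site says why tracing is disabled or why a process that holds private keys tolerates a failure to disable it. I would put a comment above the call, e.g. `/* Best-effort: keep other processes from attaching to the agent; failure is not fatal (strict=0) */`, and say so if non-fatal is deliberate for portability. The two callers also label the argument differently (`/* strict */` in sftp-server.c, `/* strict=no */` here); one convention would read better. main() begins and ends outside this hunk.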
