44 lines
1.2 KiB
Plaintext
44 lines
1.2 KiB
Plaintext
commit fc3c19a9fceeea48a9259ac3833a125804342c0e
|
|
Author: Ed Maste <emaste@FreeBSD.org>
|
|
Date: Sat Oct 6 21:32:55 2018 +0000
|
|
|
|
sshd: address capsicum issues
|
|
|
|
* Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
|
|
capability mode.
|
|
* Cache timezone data via caph_cache_tzdata() as we cannot access the
|
|
timezone file.
|
|
* Reverse resolve hostname before entering capability mode.
|
|
|
|
PR: 231172
|
|
Submitted by: naito.yuichiro@gmail.com
|
|
Reviewed by: cem, des
|
|
Approved by: re (rgrimes)
|
|
MFC after: 3 weeks
|
|
Differential Revision: https://reviews.freebsd.org/D17128
|
|
|
|
Notes:
|
|
svn path=/head/; revision=339216
|
|
|
|
diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
|
|
index 5f41d526292b..f728abd18250 100644
|
|
--- sandbox-capsicum.c
|
|
+++ sandbox-capsicum.c
|
|
@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
+#include <capsicum_helpers.h>
|
|
|
|
#include "log.h"
|
|
#include "monitor.h"
|
|
@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
|
|
struct rlimit rl_zero;
|
|
cap_rights_t rights;
|
|
|
|
+ caph_cache_tzdata();
|
|
+
|
|
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
|
|
|
|
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
|