mirror of
https://github.com/RGBCube/serenity
synced 2025-05-31 11:38:11 +00:00
55 lines
1.6 KiB
Diff
55 lines
1.6 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Patrick Meyer <git@the-space.agency>
|
|
Date: Sat, 30 Apr 2022 10:58:10 +0000
|
|
Subject: [PATCH] Use unveil for privsep
|
|
|
|
---
|
|
sshd.c | 28 +++-------------------------
|
|
1 file changed, 3 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/sshd.c b/sshd.c
|
|
index 0ee65b5..e2f84de 100644
|
|
--- a/sshd.c
|
|
+++ b/sshd.c
|
|
@@ -452,12 +452,9 @@ privsep_preauth_child(void)
|
|
|
|
/* Demote the child */
|
|
if (privsep_chroot) {
|
|
- /* Change our root directory */
|
|
- if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
|
- fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
|
- strerror(errno));
|
|
- if (chdir("/") == -1)
|
|
- fatal("chdir(\"/\"): %s", strerror(errno));
|
|
+ /* Hide the whole filesystem */
|
|
+ if (unveil(NULL, NULL) < 0)
|
|
+ fatal("unveil(NULL, NULL): %s", strerror(errno));
|
|
|
|
/* Drop our privileges */
|
|
debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
|
|
@@ -1952,25 +1949,6 @@ main(int ac, char **av)
|
|
sshkey_type(key));
|
|
}
|
|
|
|
- if (privsep_chroot) {
|
|
- struct stat st;
|
|
-
|
|
- if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
|
|
- (S_ISDIR(st.st_mode) == 0))
|
|
- fatal("Missing privilege separation directory: %s",
|
|
- _PATH_PRIVSEP_CHROOT_DIR);
|
|
-
|
|
-#ifdef HAVE_CYGWIN
|
|
- if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
|
|
- (st.st_uid != getuid () ||
|
|
- (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
|
|
-#else
|
|
- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
|
|
-#endif
|
|
- fatal("%s must be owned by root and not group or "
|
|
- "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
|
|
- }
|
|
-
|
|
if (test_flag > 1) {
|
|
/*
|
|
* If no connection info was provided by -C then use
|