summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2017-03-14 07:19:07 +0000
committerDamien Miller <djm@mindrot.org>2017-03-15 11:09:18 +1100
commit66705948c0639a7061a0d0753266da7685badfec (patch)
tree147e7ac3dd0730796fcc39c345d8ff7bbf9a13e2
parentf86586b03fe6cd8f595289bde200a94bc2c191af (diff)
downloadopenssh-git-66705948c0639a7061a0d0753266da7685badfec.tar.gz
upstream commit
Mark the sshd_config UsePrivilegeSeparation option as deprecated, effectively making privsep mandatory in sandboxing mode. ok markus@ deraadt@ (note: this doesn't remove the !privsep code paths, though that will happen eventually). Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
-rw-r--r--servconf.c12
-rw-r--r--sshd_config3
-rw-r--r--sshd_config.526
3 files changed, 5 insertions, 36 deletions
diff --git a/servconf.c b/servconf.c
index 725886e8..56b83165 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.305 2017/03/10 04:11:00 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.306 2017/03/14 07:19:07 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -535,7 +535,7 @@ static struct {
{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
- { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
+ { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
{ "permittty", sPermitTTY, SSHCFG_ALL },
@@ -1374,11 +1374,6 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->disable_forwarding;
goto parse_flag;
- case sUsePrivilegeSeparation:
- intptr = &use_privsep;
- multistate_ptr = multistate_privsep;
- goto parse_multistate;
-
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -2107,8 +2102,6 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_gatewayports);
case sCompression:
return fmt_multistate_int(val, multistate_compression);
- case sUsePrivilegeSeparation:
- return fmt_multistate_int(val, multistate_privsep);
case sAllowTcpForwarding:
return fmt_multistate_int(val, multistate_tcpfwd);
case sAllowStreamLocalForwarding:
@@ -2284,7 +2277,6 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
- dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
/* string arguments */
diff --git a/sshd_config b/sshd_config
index 9f09e4a6..4eb2e02e 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -93,7 +93,6 @@ AuthorizedKeysFile .ssh/authorized_keys
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
diff --git a/sshd_config.5 b/sshd_config.5
index 454e46e0..ac6ccc79 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.242 2017/02/03 23:01:19 djm Exp $
-.Dd $Mdocdate: February 3 2017 $
+.\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $
+.Dd $Mdocdate: March 14 2017 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -1494,28 +1494,6 @@ is enabled, you will not be able to run
as a non-root user.
The default is
.Cm no .
-.It Cm UsePrivilegeSeparation
-Specifies whether
-.Xr sshd 8
-separates privileges by creating an unprivileged child process
-to deal with incoming network traffic.
-After successful authentication, another process will be created that has
-the privilege of the authenticated user.
-The goal of privilege separation is to prevent privilege
-escalation by containing any corruption within the unprivileged processes.
-The argument must be
-.Cm yes ,
-.Cm no ,
-or
-.Cm sandbox .
-If
-.Cm UsePrivilegeSeparation
-is set to
-.Cm sandbox
-then the pre-authentication unprivileged process is subject to additional
-restrictions.
-The default is
-.Cm sandbox .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.