https://bugzilla.mindrot.org/show_bug.cgi?id=2140

--- Comment #3 from Loganaden Velvindron <[email protected]> ---

(In reply to Damien Miller from comment #1)
> Comment on attachment 2326 [details]
> openssh-capsicum
>
> Looks good - a couple of small things.
>
> >Index: sandbox-capsicum.c
> >===================================================================
> >RCS file: sandbox-capsicum.c
> >diff -N sandbox-capsicum.c
> >--- /dev/null	1 Jan 1970 00:00:00 -0000
> >+++ sandbox-capsicum.c	7 Aug 2013 19:39:21 -0000
> >@@ -0,0 +1,90 @@
> >+
>
> Please add a license block here.
> http://www.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=1.3;content-type=text%2Fplain
> is our preferred one.

The diff is based on an older patch for OpenSSH written by des@freebsd.
http://people.freebsd.org/~pjd/patches/openssh-capsicum.patch
I added his copyright.

> >+/* Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
> >+ * limits file descriptors on monitoring object,
> >+ * and switches to capability mode
> >+*/
>
> Minor style nit. The first line of a multiline comment should be
> "/*" by itself.

Corrected.

> The last line's '*' should be aligned to the previous line's (i.e.
> add a space at the start of the line).
>
> >+struct ssh_sandbox {
> >+	struct monitor *monitor;
>
> This isn't used and can be removed.
>
> >+extern struct monitor *pmonitor;
>
> This can go too.
>
> >+	box->monitor = pmonitor;
>
> and this.

Removed and tested on FreeBSD 10 ALPHA.

> >+	if (cap_rights_limit(box->monitor->m_recvfd, CAP_READ | CAP_WRITE) ==
> >-1)
> >+		fatal("%s: failed to limit the network socket", __func__);
> >+	if (cap_rights_limit(box->monitor->m_log_sendfd, CAP_WRITE) == -1)
> >+		fatal("%s: failed to limit the logging socket", __func__);
>
> Are there any other fds open at this point? How about 0, 1 and 2 -
> could they be limited?

Yep, we can limit them completely. No read and write possible on 0,1 & 2.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
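Review bot: the cap_rights_limit hunk still dereferences box->monitor (box->monitor->m_recvfd and box->monitor->m_log_sendfd) even though the earlier comments ask to drop the monitor member from struct ssh_sandbox and the box->monitor = pmonitor assignment; with those removed the hunk no longer compiles, so take the descriptors from pmonitor directly, e.g. `if (cap_rights_limit(pmonitor->m_recvfd, CAP_READ | CAP_WRITE) == -1)` and `if (cap_rights_limit(pmonitor->m_log_sendfd, CAP_WRITE) == -1)`. Since the reply confirms descriptors 0, 1 and 2 can be limited to no read and no write, the same hunk should apply that limit to them before the switch to capability mode, and treat a failure there as fatal in the same way as the two monitor sockets, so that a leftover stdio descriptor cannot widen what the sandboxed process can reach.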
