search for: capsicum

https://bugzilla.mindrot.org/show_bug.cgi?id=2140 Bug ID: 2140 Summary: Capsicum support for FreeBSD 10 (-current) Product: Portable OpenSSH Version: -current Hardware: All OS: FreeBSD Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mind...

FreeBSD's <sys/capability.h> was renamed to <sys/capsicum.h> a few years ago to avoid future conflicts with POSIX capabilities. There is still a stub for compatibility, but it would be better not to rely on it. DES -- Dag-Erling Sm?rgrav - des at des.no -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-caps...

Hi. I have a series of patches to sandbox dhclient using Capsicum (capability mode and capability rights for descriptors). As usual, because chroot and setgid/setuid are not sandboxing mechanisms, there are many problems with the current sandboxing: - Access to various global namespaces (like process list, network, etc.). - Access to RAW UDP socket. - Read/write...

...20221203031619.0Z > > whenChanged: 20221203031619.0Z > > uSNCreated: 5428 > > uSNChanged: 5428 > > showInAdvancedViewOnly: TRUE > > name: Infrastructure > > objectGUID: e27698d8-a43b-4b74-8e51-91cf1b6cdaf3 > > fSMORoleOwner: CN=NTDS > Settings,CN=CAPSICUM,CN=Servers,CN=Balewan-Orchards,CN=Sites,CN=Configuration,DC=balewan,DC=pegasusnz,DC=com Hmm, so it isn't in the 'Default-First-Site-Name' site, I wonder if this is the problem ? Let me go and have a read of the code and get back to you. Rowland

...re an example. A seemingly little detail (loopback mounter only mounting single file system) can have your wheels spinning for days. Time lost is money lost if you ask me. Some days I have so many of these issues that I wish I could just go back into the Marine Corps, take face full of oleoresin capsicum (http://oleoresin-capsicum.com/), and join my military poilice unit again. WAIT! No I don't! I take it back!

...ss: infrastructureUpdate cn: Infrastructure instanceType: 4 whenCreated: 20221203031619.0Z whenChanged: 20221203031619.0Z uSNCreated: 5428 uSNChanged: 5428 showInAdvancedViewOnly: TRUE name: Infrastructure objectGUID: e27698d8-a43b-4b74-8e51-91cf1b6cdaf3 fSMORoleOwner: CN=NTDS Settings,CN=CAPSICUM,CN=Servers,CN=Balewan-Orchards,CN=Sites,CN=Configuration,DC=balewan,DC=pegasusnz,DC=com systemFlags: -1946157056 objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=balewan ?,DC=pegasusnz,DC=com isCriticalSystemObject: TRUE distinguishedName: CN=Infrastructure,DC=DomainDnsZ...

...Though 11.0-RELEASE was not finalized until after the period covered in this report, we can still have some anticipatory excitement for the features that will be coming in 12.0. The possibilities are tantalizing: a base system with no GPL components, arm64 as a Tier-1 architecture, capsicum protection for common utilities, and the CloudABI for custom software are just a few. The work of the present is no less exciting, with 11.0 making its way out just after the end of Q3, the new core coming into its own, and much more that you'll have to read and find out. --Ben...

...Though 11.0-RELEASE was not finalized until after the period covered in this report, we can still have some anticipatory excitement for the features that will be coming in 12.0. The possibilities are tantalizing: a base system with no GPL components, arm64 as a Tier-1 architecture, capsicum protection for common utilities, and the CloudABI for custom software are just a few. The work of the present is no less exciting, with 11.0 making its way out just after the end of Q3, the new core coming into its own, and much more that you'll have to read and find out. --Ben...

...when BindAddress is not specified. * ssh(1), sshd(8): fix memory leak in ECDSA signature verification. * ssh(1): fix matching of 'Host' directives in ssh_config(5) files to be case-sensitive again (regression in 6.5). Portable OpenSSH: * sshd(8): don't fatal if the FreeBSD Capsicum is offered by the system headers and libc but is not supported by the kernel. * Fix build using the HP-UX compiler. Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh at openssh.com OpenSSH is brought to you...

https://bugzilla.mindrot.org/show_bug.cgi?id=2142 Bug ID: 2142 Summary: openssh sandboxing using libseccomp Product: Portable OpenSSH Version: -current Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at

On 16/01/2023 10:16, Callum G. MacEwan via samba wrote: > Hi Team > > I am transferring to a new AD DC > > So I started transferring the fsmo roles the first five transferred fine > the domaindns and forestdns had the following error! > > root at DC2:/etc/sudoers.d#? samba-tool fsmo transfer --role=forestdns > -UAdministrator > Password for

...hen BindAddress is not specified. * ssh(1), sshd(8): fix memory leak in ECDSA signature verification. * ssh(1): fix matching of 'Host' directives in ssh_config(5) files to be case-insensitive again (regression in 6.5). Portable OpenSSH: * sshd(8): don't fatal if the FreeBSD Capsicum is offered by the system headers and libc but is not supported by the kernel. * Fix build using the HP-UX compiler. Checksums: ========== - SHA1 (openssh-6.6.tar.gz) = bf932d798324ff2502409d3714d0ad8d65c7e1e7 - SHA256 (openssh-6.6.tar.gz) = jaSJE5aiQRm+91dV6EvVGr/ozo33tbxyjjFSiu+Cy80= - S...

...hen BindAddress is not specified. * ssh(1), sshd(8): fix memory leak in ECDSA signature verification. * ssh(1): fix matching of 'Host' directives in ssh_config(5) files to be case-insensitive again (regression in 6.5). Portable OpenSSH: * sshd(8): don't fatal if the FreeBSD Capsicum is offered by the system headers and libc but is not supported by the kernel. * Fix build using the HP-UX compiler. Checksums: ========== - SHA1 (openssh-6.6.tar.gz) = bf932d798324ff2502409d3714d0ad8d65c7e1e7 - SHA256 (openssh-6.6.tar.gz) = jaSJE5aiQRm+91dV6EvVGr/ozo33tbxyjjFSiu+Cy80= - S...

...esses to zero, which should prevent the privsep child from forking or opening new network connections. Sandboxing of the privilege separated child process is currently experimental but should become the default in a future release. Native sandboxes for other platforms are welcome (e.g. Capsicum, Linux pid/net namespaces, etc.) * Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, and hmac-sha2-512-96, and are available by default in ssh(1) and s...

...esses to zero, which should prevent the privsep child from forking or opening new network connections. Sandboxing of the privilege separated child process is currently experimental but should become the default in a future release. Native sandboxes for other platforms are welcome (e.g. Capsicum, Linux pid/net namespaces, etc.) * Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, and hmac-sha2-512-96, and are available by default in ssh(1) and s...

Also what exact distro and version are you having the problem on and what version of ld does it have? Mine is $ ld --version GNU ld version 2.29.1-23.fc28 -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

On Mon, Nov 13, 2017 at 01:46:32PM -0800, Davide Italiano wrote: > On Mon, Nov 13, 2017 at 11:48 AM, Rafael Avila de Espindola > <rafael.espindola at gmail.com> wrote: > > Davide Italiano <davide.italiano at gmail.com> writes: > > > >>> I couldn't find any support for this on FreeBSD. > >>> > >> > >> AFAIK FreeBSD supports

hi On 6/7/18 4:03 PM, Darren Tucker wrote: > On 8 June 2018 at 07:09, PGNet Dev <pgnet.dev at gmail.com> wrote: >> Verifying a report I just got pinged about, building vanilla openssh 7.7p1 on linux configures ok, but fails build around 'retpoline' > [...] >> Should the retpoline flag be getting added? If so, what's needed to make LD happy with it? > >

FreeBSD Community, I'm pleased to announce a CFT for builds of FreeBSD 12-stable and 13-current using "TrueOS-inspired" packaged base. These are stock FreeBSD images which will allow users to perform all updating via the 'pkg' command directly. Rather than trying to answer all questions in this announcement, we've created a FAQ page with more details. Please refer to

...stack-protector-all or -fstack-protector compilation flag are used to add guards to mitigate attacks based on stack overflows. The use of these options may be disabled using the --without-stackprotect configure option. * sshd(8): Add support for pre-authentication sandboxing using the Capsicum API introduced in FreeBSD 10. * Switch to a ChaCha20-based arc4random() PRNG for platforms that do not provide their own. * sshd(8): bz#2156: restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over retart. * sshd(8): bz#2032: use local username in krb5_kuserok chec...