Displaying 7 results from an estimated 7 matches for "pr_set_no_new_privs".

2013 Feb 02
2
Relaxing strict chroot checks on recent Linux kernels?
At the risk of beating a dead horse, I'd like to see the chroot security checks relaxed a bit. On newer Linux kernels, there's a prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) that prevents privilege elevation (via setuid binaries, etc) for the caller and all of its descendants. That means that chroot(untrusted directory), prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), setreuid(uid, uid), execve(a shell) is safe [1], even if the user can hardlink setuid programs i...
2023 Dec 02
33
[Bug 3639] New: server thread aborts during client login after receiving SSH2_MSG_KEXINIT
https://bugzilla.mindrot.org/show_bug.cgi?id=3639
Bug ID: 3639
Summary: server thread aborts during client login after receiving SSH2_MSG_KEXINIT
Product: Portable OpenSSH
Version: 9.2p1
Hardware: ARM
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component:
2022 Dec 20
33
[Bug 3512] New: net-misc/openssh-9.1_p1: stopped accepting connections after upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation: unexpected system call)
...aring seccomp filter sandbox
debug2: Network child is on pid 5800
debug3: preauth child monitor started
debug3: privsep user:group 22:22 [preauth]
debug1: permanently_set_uid: 22/22 [preauth]
debug3: ssh_sandbox_child_debugging: installing SIGSYS handler [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
fatal: ssh_sandbox_violation: unexpec...
2016 Jun 17
14
[Bug 2590] New: Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590
Bug ID: 2590
Summary: Seccomp filter for missing architectures
Product: Portable OpenSSH
Version: 7.2p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P5
Component: sshd
2023 Jun 30
1
Subsystem sftp invoked even though forced command created
On 30/06/2023 09:56, Damien Miller wrote:
> It's very hard to figure out what is happening here without a debug log.
>
> You can get one by stopping the listening sshd and running it manually
> in debug mode, e.g. "/usr/sbin/sshd -ddd"

Or starting one in debug mode on a different port, e.g. "-p99 -ddd"
2019 Oct 31
37
[Bug 3085] New: seccomp issue after upgrading openssl
...x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 17293
debug3: preauth child monitor started
debug3: privsep user:group 39:38 [preauth]
debug1: permanently_set_uid: 39/38 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: Killing privsep child 17293

Adding --with-sandbox=rlimit to the configure options solved the problem so it mu...
2020 Jul 07
3
libssh2 is hanging during a file transfer
...7 11:52:15 TOTO sshd[19126]: debug3: preauth child monitor started
Jul 7 11:52:15 TOTO sshd[19126]: debug3: privsep user:group 106:65534 [preauth]
Jul 7 11:52:15 TOTO sshd[19126]: debug1: permanently_set_uid: 106/65534 [preauth]
Jul 7 11:52:15 TOTO sshd[19126]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
Jul 7 11:52:15 TOTO sshd[19126]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Jul 7 11:52:15 TOTO sshd[19126]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
Jul 7 11:52:15 TOTO sshd[19126]: debug3: send packet: type 20 [preauth]
Jul 7...