similar to: privilege separation breaks dns lookups

Displaying 20 results from an estimated 500 matches similar to: "privilege separation breaks dns lookups"

2002 Jun 26
5
[PATCH] improved chroot handling
There are a couple of niggles with the sandboxing of the unprivileged child in the privsep code: the empty directory causes namespace pollution, and it requires care to ensure that it is set up properly and remains set up properly. The patch below (against the portable OpenSSH, although the patch against the OpenBSD version is very similar) replaces the fixed empty directory with one that is
2003 Sep 16
2
openssh 3.7p1 bus error on sparcv9
openssh 3.7p1 sshd on Solaris 8 / sparcv9: sshd runs fine, and starts to allow the login. However, when reading from /etc/default/login, I get a bus error. I am able to get sshd to work by commenting out these lines in session.c: 1015,1018c1015 < # ifdef HAVE_ETC_DEFAULT_LOGIN < read_etc_default_login(&env, &envsize, pw->pw_uid); < path =
2002 Jul 25
0
openssh-unix-dev digest, Vol 1 #505 - 15 msgs
subscribe openssh-unix-dev at mindrot.org > Send openssh-unix-dev mailing list submissions to > openssh-unix-dev at mindrot.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > or, via email, send a message with subject or body 'help' to > openssh-unix-dev-request at mindrot.org >
2007 Jun 18
0
[PATCH] sftp-server argument error handling
When you give sftp-server a bogus -l or -f parameter, it logs a useful error message then blunders on to call log_init() with the bogus value. log_init() then prints a less useful message to stderr and exits. The following patch tidies this up by only printing the more useful error to stderr and not blundering on afterwards. --- sftp-server.c.orig Mon Jun 18 16:37:46 2007 +++ sftp-server.c Mon
2003 Feb 05
2
Minor races in sftp-server.c
There are a couple of races in sftp-server as this patch shows: --- sftp-server.c 28 Jan 2003 18:06:53 -0000 1.1.1.2 +++ sftp-server.c 5 Feb 2003 19:19:42 -0000 @@ -832,19 +832,22 @@ process_rename(void) { u_int32_t id; - struct stat st; char *oldpath, *newpath; - int ret, status = SSH2_FX_FAILURE; + int status; id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL);
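Review bot: in process_rename() the declaration changes from `int ret, status = SSH2_FX_FAILURE;` to `int status;`, so `status` no longer has a default, and every path through the function must now assign it before it is used in the reply. The excerpt ends before the rest of the hunk, so that cannot be confirmed from the visible lines. Either keep the `SSH2_FX_FAILURE` initializer or check each exit path. A one-line comment naming the race that dropping `struct stat st` closes would also help later readers.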
2003 Jan 29
0
[PATCH] features for restricted shell environments
The patch below implements a couple of features which are useful in an environment where users do not have a regular shell login. It allows you to selectively disable certain features on a system-wide level for users with a certain shell; it also allows you to control and audit TCP forwarding in more detail. Our system is an email server with a menu for the login shell; we selectively allow port
2015 Sep 08
1
Question about res_init()
Hello. I have some doubts about this commit: 09d60499af3acef2ba9bd7be15e8d1c44249f8d5 Always call res_init() before getaddrinfo(). I'm not sure if this is really a good idea to call res_init() so often. In UNIX, resolv.conf does NOT really change.. and if it changes ever.. it's not a problem to restart affected processes. Does anyone think about any ill-effects res_init() can do when called
2007 Jun 18
1
[PATCH] incorrect #include in ssh-rand-helper.c
--- ssh-rand-helper.c.orig Mon Jun 18 16:48:13 2007 +++ ssh-rand-helper.c Mon Jun 18 16:47:32 2007 @@ -31,7 +31,7 @@ #include <sys/socket.h> #include <stdarg.h> -#include <stddef.h> +#include <string.h> #include <netinet/in.h> #include <arpa/inet.h> Tony. -- f.a.n.finch <dot at dotat.at> http://dotat.at/ SHANNON ROCKALL: EAST OR NORTHEAST
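Review bot: the hunk at line 31 replaces `#include <stddef.h>` with `#include <string.h>` and the message gives no reason for it. State which string function was missing its declaration, and confirm that nothing in ssh-rand-helper.c still depends on `<stddef.h>` before removing it. If that is uncertain, adding `<string.h>` alongside the existing include is the safer change.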
2007 Aug 03
1
race condition with ControlMaster=auto
There is a race in the setup of the ControlMaster socket in auto mode, as illustrated by the following command line: ssh -oControlMaster=auto -oControlPath=sock localhost 'sleep 1; echo 1' & ssh -oControlMaster=auto -oControlPath=sock localhost 'sleep 2; echo 2' & Both of the commands will try to start up as a control client, find that sock does not exist, and switch into
2002 Jun 28
0
[Bug 313] New: undefined type in older cc's
http://bugzilla.mindrot.org/show_bug.cgi?id=313 Summary: undefined type in older cc's Product: Portable OpenSSH Version: -current Platform: Other OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy:
2003 Nov 06
2
openssh-3.7.1p2 on HP-UX 10.20
Hello, I have downloaded all that is required to build a working OpenSSH on HP-UX 10.20 from the HP-UX Porting and Archive centre (this seems to be the only way to go for 10.20). Make/install of all prerequisites has succeeded. Now make of openssh-3.7.1p2 gives the following: gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/openssl-0.9.7b/include
2002 Mar 07
0
[Bug 146] New: OpenSSH 3.1p1 will not build on BSD/OS 4.2/4.1/4.01
http://bugzilla.mindrot.org/show_bug.cgi?id=146 Summary: OpenSSH 3.1p1 will not build on BSD/OS 4.2/4.1/4.01 Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: BSDI Status: NEW Severity: major Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org
2015 Feb 01
2
Tincd fails to resolve domain names before it is started name resolution becomes available.
On Sun, Feb 1, 2015 at 11:19 AM, Guus Sliepen <guus at tinc-vpn.org> wrote: > On Sun, Feb 01, 2015 at 04:08:47PM +0900, crocket wrote: > >> If tincd is started before name resolution comes up, it keeps failing >> for ever to resolve domain names in Address= host configuration >> variable after name resolution becomes possible. >> >> I think tincd should
2015 Feb 02
2
Tincd fails to resolve domain names before it is started name resolution becomes available.
William Kennington <william at wkennington.com> writes: > Agreed. > On Feb 1, 2015 4:21 AM, "Etienne Dechamps" <etienne at edechamps.fr> wrote: > >> Considering how cheap that operation seems to be, would it make sense >> to call res_init() every time tinc retries a metaconnection? It's not >> doing that very often anyway... and it would solve
2015 Feb 09
2
Tincd fails to resolve domain names before it is started name resolution becomes available.
On Mon, Feb 09, 2015 at 10:57:05AM +0100, Florian Klink wrote: > I have some hosts which converted to systemd-networkd (which doesn't > support hooks by now), and most of the time, tinc simply won't come up > after bootup (or won't be able to reconnect when the network is > changed), which is really ugly. > > Having a local dns in front is somewhat hacky, I'd
2002 Mar 07
11
[Bug 146] OpenSSH 3.1p1 will not build on BSD/OS 4.2/4.1/4.01
http://bugzilla.mindrot.org/show_bug.cgi?id=146 ------- Additional Comments From mouring at eviladmin.org 2002-03-08 07:38 ------- I just went through someone with this problem. And HAVE_BOGUS_SYS_QUEUE_H worked for them. However you must have BOTH HAVE_SYS_QUEUE_H and HAVE_BOGUS_SYS_QUEUE_H set. As for INADDR_LOOPBACK. I'd like to know where on BSD/OS that is defined so we can
2002 Aug 13
1
[PATCH] global port forwarding restriction
Here's another patch for people providing ssh access to restricted environments. We allow our users to use port forwarding when logging into our mail servers so that they can use it to fetch mail over an encrypted channel using clients that don't support TLS, for example fetchmail. (In fact, fetchmail has built-in ssh support.) However we don't want them connecting to other places
2004 Aug 09
1
race condition bugs
We're using rsync to update the tables on our email relays, and very occasionally we get an error in the logs saying that a table has the wrong permissions. This is because of race conditions in finish_transfer() which mean that it does not update files atomically. This makes rsync not entirely safe to use in our situation, where the files being synced are frequently opened for short periods
2002 Jul 25
3
[PATCH] prevent users from changing their environment
We have a system on which users are given a very restricted environment (their shell is a menu) where they should not be able to run arbitrary commands. However, because their shell is not statically linked, ld.so provides a nice clutch of holes for them to exploit. The patch below adds a new configuration option to sshd which quashes their attempts to set LD_PRELOAD etc. using ~/.ssh/environment
2003 Jun 15
1
make stops in bind's compilation
Hi, Brand-new installation of FreeBSD 4.8 + 'make world', including updating ports, sources, crypt/secure sources and everything. When trying to compile bind8 from ports, this is the error that get reported: ===> Building for bind-8.3.6 Using .systype Using .settings /var/tmp/usr/ports/net/bind8/work/src/include /var/tmp/usr/ports/net/bind8/work/src/include/arpa