similar to: sandbox-rlimit and ptrace.

Displaying 20 results from an estimated 2000 matches similar to: "sandbox-rlimit and ptrace."

2013 Jun 08
1
Request for review: Sandboxing dhclient using Capsicum.
Hi. I have a series of patches to sandbox dhclient using Capsicum (capability mode and capability rights for descriptors). As usual, because chroot and setgid/setuid are not sandboxing mechanisms, there are many problems with the current sandboxing: - Access to various global namespaces (like process list, network, etc.). - Access to RAW UDP socket. - Read/write access to bpf. - Access to RAW
2012 Jul 02
1
rlimit sandbox on cygwin
Hi all. I have an old windows VM with an oldish cygwin that I use for the regression tests. Investigating one of the test failures, I see that it's for UsePrivilegeSeparation=sandbox, and it seems to be because setrlimit(RLIMIT_FSIZE, ...) is not supported. IMO, this isn't a big loss, since the most useful thing in the rlimit "sandbox" is the descriptor limits. Can anyone see
2012 Nov 22
1
AuthenticationMethods option.
Hi. I can see that SSH partial success functionality was implemented very recently in the OpenSSH server. That's great news. I just tried it and I don't seem to be able to make it work with both public key authentication and password authentication through PAM. I wonder if this is a bug or something that won't be implemented for now or if this is still WIP and I should be more
2012 Dec 11
1
evp_aes_<X>_ctr() vs. EVP_aes_<X>_ctr().
Hi. OpenSSH currently has its own implementation of AES in counter mode (cipher-ctr.c). This is probably because it wasn't available in OpenSSL. From what I see now, recent OpenSSL does implement EVP_aes_{128,192,256}_ctr() and it would be nice to use it whenever possible. The gain here is that OpenSSH's version uses software AES implementation and OpenSSL's version will use AES-NI if
2011 Jan 10
0
L2ARC and prefetched data.
Hi. I can't reach Brendan Gregg with this question (user unknown, he doesn't work for Oracle anymore?), so I'm sending it here: FreeBSD users report much better performance and lower disk and CPU load when L2ARC also holds prefetched data (l2arc_noprefetch = B_FALSE). I was wondering what was the reason to avoid storing prefetched data on L2ARC vdevs by default. --
2012 Jul 30
0
EuroBSDcon 2012 registration is now open!
Hello. I'm pleased to announce that the registration for the EuroBSDcon 2012 conference in Warsaw, Poland is now officially open! You can find all information about the conference at its official website: http://2012.eurobsdcon.org/ More frequent updates will be posted to the conference's Facebook page: https://www.facebook.com/pages/EuroBSDcon/171013546286700 and on Twitter:
2003 Oct 17
9
[Bug 745] agent-ptrace.sh fails
http://bugzilla.mindrot.org/show_bug.cgi?id=745 Summary: agent-ptrace.sh fails Product: Portable OpenSSH Version: -current Platform: All OS/Version: OSF/1 Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-bugs at mindrot.org ReportedBy: mmokrejs at
2008 Jun 30
2
[PATCH]: Fix syscall return code when ptrace or audit is active
Attached is a simple patch to fix the return value from the 64-bit kernel when you call with a bad system call number with tracing enabled (for either ptrace or audit). What should happen is that the user process gets a -ENOSYS return call from the syscall; what actually happens (only in the 64-bit kernel) is that you get back the system call number. The 32-bit kernel does not suffer from this
2003 Mar 20
0
htb after ptrace patch
Hi! I'm running htb on a 2.4.20 with the linux-2.4.20-ptrace.patch and now the messages in my syslog changed. Specially, what is net-pf-14? I didn't change anything else, just applied the patch and installed the kernel Mar 20 15:33:54 stovokor kernel: HTB: quantum of class 10001 is big. Consider r2q change.<4>HTB: quantum
2010 Oct 09
1
WoW 3.3.5 - Stuck at 'connected'... after ptrace fix
Initially, was receiving the wine error when logging in... After applying the ptrace 'fix'... it sits there at 'connected'.... Anyone else experiencing this?
2011 Jun 23
1
sandbox for OS X
Hi, The systrace and rlimit sandboxes have been committed and will be in snapshots dated 20110623 and later. This diff adds support for pre-auth privsep sandboxing using the OS X sandbox_init(3) service. It's a bit disappointing that the OS X developers chose such namespace-polluting header and function names "sandbox.h", "sandbox_init()", etc. It already forced me to
2012 Sep 18
8
Collecting entropy from device_attach() times.
Hi. I experimented a bit with collecting entropy from the time it takes for device_attach() to run (in CPU cycles). It seems that those times have enough variation that we can use it for entropy harvesting. It happens even before root is mounted, so pretty early. On the machine I'm testing it, which has minimal kernel plus NIC driver I see 75 device_attach() calls. I'm being very careful
2006 Oct 10
3
iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability
Bill Moran wrote: > This report seems pretty vague. I'm unsure as to whether the alleged > "bug" gives the user any more permissions than he'd already have? Anyone > know any details? This is a local denial of service bug, which was fixed 6 weeks ago in HEAD and RELENG_6. There is no opportunity for either remote denial of service or any privilege escalation. >
2012 Apr 27
3
rails console --sandbox is only half-baked
Recently I've found out some mentions to the "--sandbox" parameter to the "rails console" command. And I found the idea interesting, but since I'm using Sequel instead of ActiveRecord I guessed this wouldn't work for me. But after talking about this subject in the Sequel mailing list, Jeremy Evans has brought to my attention that there are some
2003 Jun 10
2
CerbNG v1.0-RC2 is now available!
Hello! We proudly announce that CerbNG-1.0 Release Candidate 2 is now available. There are many changes from RC1 (many new functionalities, some bug fixes, new interesting policies, new regression tests and more). It seems that CerbNG is stable for now, so we hope that the next version is going to be final 1.0 series release. We count on feedback from FreeBSD community in finding bugs (if
2007 Mar 16
0
freebsd-security Digest, Vol 201, Issue 2
On 2007-3-15, at 8:00, freebsd-security-request@freebsd.org wrote: > Send freebsd-security mailing list submissions to > freebsd-security@freebsd.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freebsd.org/mailman/listinfo/freebsd-security > or, via email, send a message with subject or body 'help' to > freebsd-security-request@freebsd.org
2012 May 18
6
[Bug 2011] New: sandbox selection needs some kind of fallback mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=2011 Bug #: 2011 Summary: sandbox selection needs some kind of fallback mechanism Classification: Unclassified Product: Portable OpenSSH Version: 6.0p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2
2007 Jun 23
2
PATCH: add xc_domain_setdebugging in xenctrl API
Hi, for ia64, I'd like to add xc_domain_setdebugging() in the xenctrl API. This patch implements it and modifies xc_ptrace.c to use it. The rationale is enabling debugging tools not based on the ptrace API. The ptrace API is based on Linux ptrace which (at least on ia64) doesn't have many privileged registers. I'd prefer this patch being integrated on
2004 May 07
0
Fwd: [Re: cvs commit: src/sys/vm vm_map.c]
Hello, FYI: A FreeBSD user suggested that this issue requires a security advisory. The issue has been public for some time, but currently, FreeBSD does not issue advisories for local denial-of-service issues. It is expected that this bug will soon be fixed in FreeBSD 4.x (it is already fixed in FreeBSD 5.x, as you can see below). Cheers, -- Jacques Vidrine <nectar@freebsd.org> -----