Displaying 20 results from an estimated 2000 matches similar to: "sandbox-rlimit and ptrace."
2013 Jun 08
1
Request for review: Sandboxing dhclient using Capsicum.
Hi.
I have a series of patches to sandbox dhclient using Capsicum
(capability mode and capability rights for descriptors).
As usual, because chroot and setgid/setuid are not sandboxing
mechanisms, there are many problems with the current sandboxing:
- Access to various global namespaces (like process list, network, etc.).
- Access to RAW UDP socket.
- Read/write access to bpf.
- Access to RAW
2012 Jul 02
1
rlimit sandbox on cygwin
Hi all.
I have an old windows VM with an oldish cygwin that I use for the
regression tests. Investigating one of the test failures, I see that
it's for UsePrivilegeSeparation=sandbox, and it seems to be because
setrlimit(RLIMIT_FSIZE, ...) is not supported.
IMO, this isn't a big loss, since the most useful thing in the rlimit
"sandbox" is the descriptor limits. Can anyone see
2012 Nov 22
1
AuthenticationMethods option.
Hi.
I can see that SSH partial success functionality was implemented very
recently in the OpenSSH server. That's great news.
I just tried it and I don't seem to be able to make it work with both
public key authentication and password authentication through PAM.
I wonder if this is a bug or something that won't be implemented for now
or if this is still WIP and I should be more
2012 Dec 11
1
evp_aes_<X>_ctr() vs. EVP_aes_<X>_ctr().
Hi.
OpenSSH currently has its own implementation of AES in counter mode
(cipher-ctr.c). This is probably because it wasn't available in OpenSSL.
From what I see now, recent OpenSSL does implement
EVP_aes_{128,192,256}_ctr() and it would be nice to use it whenever
possible. The gain here is that OpenSSH's version uses software AES
implementation and OpenSSL's version will use AES-NI if
2011 Jan 10
0
L2ARC and prefetched data.
Hi.
I can''t reach Brendan Gregg with this question (user unknown, he doesn''t
work for Oracle anymore?), so I''m sending it here:
FreeBSD users report much better performance and lower disk and CPU load
when L2ARC also holds prefetched data (l2arc_noprefetch = B_FALSE).
I was wondering what was the reason to avoid storing prefetched data on
L2ARC vdevs by default.
--
2012 Jul 30
0
EuroBSDcon 2012 registration is now open!
Hello.
I'm pleased to announce that the registration for the EuroBSDcon 2012
conference in Warsaw, Poland is now officially open!
You can find all information about the conference at its official website:
http://2012.eurobsdcon.org/
More frequent updates will be posted to the conference's Facebook page:
https://www.facebook.com/pages/EuroBSDcon/171013546286700
and on Twitter:
2003 Oct 17
9
[Bug 745] agent-ptrace.sh fails
http://bugzilla.mindrot.org/show_bug.cgi?id=745
Summary: agent-ptrace.sh fails
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: OSF/1
Status: NEW
Severity: normal
Priority: P2
Component: Build system
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: mmokrejs at
2008 Jun 30
2
[PATCH]: Fix syscall return code when ptrace or audit is active
Attached is a simple patch to fix the return value from the 64-bit kernel when
you call with a bad system call number with tracing enabled (for either ptrace
or audit). What should happen is that the user process gets a -ENOSYS return
call from the syscall; what actually happens (only in the 64-bit kernel) is that
you get back the system call number. The 32-bit kernel does not suffer from
this
2003 Mar 20
0
htb after ptrace patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi!
I''m running htb on an 2.4.20 with the linux-2.4.20-ptrace.patch and now the
messages in my syslog changed. specially, what is net-pf-14?
I didn''t change anything else, just applied the patch and installed the kernel
Mar 20 15:33:54 stovokor kernel: HTB: quantum of class 10001 is big. Consider
r2q change.<4>HTB: quantum
2010 Oct 09
1
WoW 3.3.5 - Stuck at 'connected'... after ptrace fix
Initially, was receiving the wine error when logging in... After applying the ptrace 'fix'... it sits there at 'connected'....
Anyone else experiencing this?
2011 Jun 23
1
sandbox for OS X
Hi,
The systrace and rlimit sandboxes have been committed and will be in
snapshots dated 20110623 and later. This diff adds support for
pre-auth privsep sandboxing using the OS X sandbox_init(3) service.
It's a bit disappointing that the OS X developers chose such as
namespace-polluting header and function names "sandbox.h",
"sandbox_init()", etc. It already forced me to
2012 Sep 18
8
Collecting entropy from device_attach() times.
Hi.
I experimented a bit with collecting entropy from the time it takes for
device_attach() to run (in CPU cycles). It seems that those times have
enough variation that we can use it for entropy harvesting. It happens
even before root is mounted, so pretty early.
On the machine I'm testing it, which has minimal kernel plus NIC driver
I see 75 device_attach() calls. I'm being very careful
2006 Oct 10
3
iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability
Bill Moran wrote:
> This report seems pretty vague. I'm unsure as to whether the alleged
> "bug" gives the user any more permissions than he'd already have? Anyone
> know any details?
This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
and RELENG_6. There is no opportunity for either remote denial of service
or any privilege escalation.
>
2012 Apr 27
3
rails console --sandbox is only half-baked
Recently I''ve found out some mentions to the "--sandbox" parameter to
the "rails console" command.
And I found the idea interesting, but since I''m using Sequel instead of
ActiveRecord I guessed this wouldn''t work for me.
But after talking about this subject in the Sequel mailing list, Jeremy
Evans has brought to my attention that there are some
2003 Jun 10
2
CerbNG v1.0-RC2 is now avaliable!
Hello!
We are proudly announce that CerbNG-1.0 Release Candidate 2 is now
avaliable.
There are many changes from RC1 (many new functionalities, some bug fixes,
new interesting policies, new regression tests and more).
It seems that CerbNG is stable for now, so we hope that the next version
is going to be final 1.0 series release. We count on feedback from
FreeBSD community in founding bugs (if
2003 Jun 10
2
CerbNG v1.0-RC2 is now avaliable!
Hello!
We are proudly announce that CerbNG-1.0 Release Candidate 2 is now
avaliable.
There are many changes from RC1 (many new functionalities, some bug fixes,
new interesting policies, new regression tests and more).
It seems that CerbNG is stable for now, so we hope that the next version
is going to be final 1.0 series release. We count on feedback from
FreeBSD community in founding bugs (if
2007 Mar 16
0
freebsd-security Digest, Vol 201, Issue 2
? 2007-3-15???8:00?freebsd-security-request@freebsd.org ???
> Send freebsd-security mailing list submissions to
> freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> freebsd-security-request@freebsd.org
2012 May 18
6
[Bug 2011] New: sandbox selection needs some kind of fallback mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=2011
Bug #: 2011
Summary: sandbox selection needs some kind of fallback
mechanism
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
2007 Jun 23
2
PATCH: add xc_domain_setdebugging in xenctrl API
Hi,
for ia64, I''d like to add xc_domain_setdebugging() in the xenctrl API.
This patch implements it and modifies xc_ptrace.c to use it.
The rationnal is enabling debugging tool not based on the ptrace API.
The ptrace API is based on Linux ptrace which (at least on ia64) doesn''t
have many privilegied registers.
I''d prefer this patch being integrated on
2004 May 07
0
Fwd: [Re: cvs commit: src/sys/vm vm_map.c]
Hello,
FYI:
A FreeBSD user suggested that this issue requires a security advisory.
The issue has been public for some time, but currently, FreeBSD does not
issue advisories for local denial-of-service issues. It is expected
that this bug will soon be fixed in FreeBSD 4.x (it is already fixed
in FreeBSD 5.x, as you can see below).
Cheers,
--
Jacques Vidrine <nectar@freebsd.org>
-----