upstream commit

Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).

Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a

diff --git a/servconf.c b/servconf.c
index 725886e8c686221ce5d0c5ea18912ab1675b5bf0..56b831652f5391c2258c5ec4b58aaeb8a48acf4e 100644 (file)
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.305 2017/03/10 04:11:00 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.306 2017/03/14 07:19:07 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -535,7 +535,7 @@ static struct {
        { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
        { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
        { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
-       { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
+       { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
        { "acceptenv", sAcceptEnv, SSHCFG_ALL },
        { "permittunnel", sPermitTunnel, SSHCFG_ALL },
        { "permittty", sPermitTTY, SSHCFG_ALL },
@@ -1374,11 +1374,6 @@ process_server_config_line(ServerOptions *options, char *line,
                intptr = &options->disable_forwarding;
                goto parse_flag;
 
-       case sUsePrivilegeSeparation:
-               intptr = &use_privsep;
-               multistate_ptr = multistate_privsep;
-               goto parse_multistate;
-
        case sAllowUsers:
                while ((arg = strdelim(&cp)) && *arg != '\0') {
                        if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -2107,8 +2102,6 @@ fmt_intarg(ServerOpCodes code, int val)
                return fmt_multistate_int(val, multistate_gatewayports);
        case sCompression:
                return fmt_multistate_int(val, multistate_compression);
-       case sUsePrivilegeSeparation:
-               return fmt_multistate_int(val, multistate_privsep);
        case sAllowTcpForwarding:
                return fmt_multistate_int(val, multistate_tcpfwd);
        case sAllowStreamLocalForwarding:
@@ -2284,7 +2277,6 @@ dump_config(ServerOptions *o)
        dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
        dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
        dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
-       dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
        dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 
        /* string arguments */

diff --git a/sshd_config b/sshd_config
index 9f09e4a6e7dff18b2df42a1558be405990cabd70..4eb2e02e044851a74c010ad7cb4e71fc4dd0afe4 100644 (file)
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#      $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+#      $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -93,7 +93,6 @@ AuthorizedKeysFile    .ssh/authorized_keys
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0

diff --git a/sshd_config.5 b/sshd_config.5
index 454e46e0b74703d85942e97bc4909dca4b7f0733..ac6ccc793fbe3652b345be538fc119b40342495e 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.242 2017/02/03 23:01:19 djm Exp $
-.Dd $Mdocdate: February 3 2017 $
+.\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $
+.Dd $Mdocdate: March 14 2017 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1494,28 +1494,6 @@ is enabled, you will not be able to run
 as a non-root user.
 The default is
 .Cm no .
-.It Cm UsePrivilegeSeparation
-Specifies whether
-.Xr sshd 8
-separates privileges by creating an unprivileged child process
-to deal with incoming network traffic.
-After successful authentication, another process will be created that has
-the privilege of the authenticated user.
-The goal of privilege separation is to prevent privilege
-escalation by containing any corruption within the unprivileged processes.
-The argument must be
-.Cm yes ,
-.Cm no ,
-or
-.Cm sandbox .
-If
-.Cm UsePrivilegeSeparation
-is set to
-.Cm sandbox
-then the pre-authentication unprivileged process is subject to additional
-restrictions.
-The default is
-.Cm sandbox .
 .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.