kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
- platform-pledge.o
+ platform.o platform-pledge.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
- audit.o audit-bsm.o audit-linux.o platform.o \
+ audit.o audit-bsm.o audit-linux.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
#include "includes.h"
#include <sys/types.h>
+#if defined(HAVE_SYS_PRCTL_H)
+#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
+#endif
#include <stdarg.h>
#include <unistd.h>
#endif
return 0;
}
+
+void
+platform_disable_tracing(int strict)
+{
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
+ if (prctl(PR_SET_DUMPABLE, 0) != 0)
+ if (strict)
+ fatal("unable to make the process undumpable");
+#endif
+}
char *platform_get_krb5_client(const char *);
char *platform_krb5_get_principal_name(const char *);
int platform_sys_dir_uid(uid_t);
+void platform_disable_tracing(int);
/* in platform-pledge.c */
void platform_pledge_agent(void);
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h>
-#endif
#include <dirent.h>
#include <errno.h>
log_init(__progname, log_level, log_facility, log_stderr);
-#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/*
- * On Linux, we should try to avoid making /proc/self/{mem,maps}
+ * On platforms where we can, avoid making /proc/self/{mem,maps}
* available to the user so that sftp access doesn't automatically
* imply arbitrary code execution access that will break
* restricted configurations.
*/
- if (prctl(PR_SET_DUMPABLE, 0) != 0)
- fatal("unable to make the process undumpable");
-#endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */
+ platform_disable_tracing(1); /* strict */
/* Drop any fine-grained privileges we don't need */
platform_pledge_sftp_server();
#include "ssh-pkcs11.h"
#endif
-#if defined(HAVE_SYS_PRCTL_H)
-#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
-#endif
-
typedef enum {
AUTH_UNUSED,
AUTH_SOCKET,
setegid(getgid());
setgid(getgid());
-#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- /* Disable ptrace on Linux without sgid bit */
- prctl(PR_SET_DUMPABLE, 0);
-#endif
+ platform_disable_tracing(0); /* strict=no */
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
projects / thirdparty / openssh-portable.git / commitdiff
