Your message dated Sat, 24 Dec 2016 13:50:21 +0000
with message-id <[email protected]>
and subject line Re: Bug#742486: the sshd sanbox complains about socketcall(2)
has caused the Debian Bug report #742486,
regarding the sshd sandbox complains about socketcall(2)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
742486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742486
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-server
Version: 1:6.5p1-6
Severity: normal
If I use "UsePrivilegeSeparation sandbox" then this is logged every time a
login attempt fails:
Mar 21 04:59:34 bongo kernel: [1746352.182111] type=1326
audit(1395374374.299:1020): auid=4294967295 uid=103 gid=65534 ses=4294967295
pid=17813 comm="sshd" sig=31 syscall=102 compat=1 ip=0xf7637430 code=0x0
#define __NR_socketcall 102
I do not think that socketcall(2) should be permitted since it would
allow an attacker who took control of the process to create new sockets,
but maybe sshd could be fixed to not use it (is it for logging?).
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.113+nmu3
ii dpkg 1.17.6
ii init-system-helpers 1.18
ii libc6 2.18-4
ii libcomerr2 1.42.9-3
ii libgssapi-krb5-2 1.12.1+dfsg-1
ii libkrb5-3 1.12.1+dfsg-1
ii libpam-modules 1.1.8-2
ii libpam-runtime 1.1.8-2
ii libpam0g 1.1.8-2
ii libselinux1 2.2.2-1
ii libssl1.0.0 1.0.1f-1
ii libwrap0 7.6.q-25
ii lsb-base 4.1+Debian12
ii openssh-client 1:6.5p1-6
ii openssh-sftp-server 1:6.5p1-6
ii procps 1:3.3.9-4
ii zlib1g 1:1.2.8.dfsg-1
Versions of packages openssh-server recommends:
pn ncurses-term <none>
ii xauth 1:1.0.7-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information excluded
--
ciao,
Marco
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:6.9p1-1
On Mon, Mar 24, 2014 at 07:40:15AM +0100, Marco d'Itri wrote:
> If I use "UsePrivilegeSeparation sandbox" then this is logged every time a
> login attempt fails:
>
> Mar 21 04:59:34 bongo kernel: [1746352.182111] type=1326
> audit(1395374374.299:1020): auid=4294967295 uid=103 gid=65534 ses=4294967295
> pid=17813 comm="sshd" sig=31 syscall=102 compat=1 ip=0xf7637430 code=0x0
>
> #define __NR_socketcall 102
>
> I do not think that socketcall(2) should be permitted since it would
> allow an attacker who took control of the process to create new sockets,
> but maybe sshd could be fixed to not use it (is it for logging?).
I believe it's for shutdown(2). sshd was fixed to allow socketcall(2)
with just this first argument in 6.9p1.
Thanks,
--
Colin Watson [[email protected]]
--- End Message ---
