Use sandbox for privilege separation #42

Merged
merged 1 commit into from
Feb 6, 2015

gdestuynder
Contributor

As per https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
See also man sshd_config - uses kernel features (such as seccomp on openssh portable + linux) to sandbox the unprivileged processes. It falls back to rlimit sandbox when other sandboxes are not available.
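
An audit for the setting this pull request enables, as an added example that is not code from the pull request or the project. It assumes the directive is the `UsePrivilegeSeparation sandbox` line documented in sshd_config(5) for OpenSSH releases that support it; the function names `effective_value` and `check_privsep` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the pull request. Assumption: the setting the
# PR turns on is the sshd_config line "UsePrivilegeSeparation sandbox".

# Print the effective value of a global sshd_config keyword ($2) in file $1.
# sshd keeps the first value it obtains for a keyword, keywords are
# case-insensitive, and "Keyword=value" is accepted like "Keyword value".
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, "") }                       # drop leading whitespace
        /^#/ || /^$/ { next }                        # comments, blank lines
        {
            line = $0
            sub(/[ \t]*[ \t=][ \t]*/, " ", line)     # normalise the separator
            n = index(line, " ")
            key = tolower(n ? substr(line, 1, n - 1) : line)
            val = (n ? substr(line, n + 1) : "")
            if (key == "match") exit                 # global section ends here
            if (key == want) {
                sub(/[ \t]+$/, "", val); gsub(/"/, "", val)
                print val; exit
            }
        }' "$1"
}

# Return 0 only when the file explicitly selects the sandbox.
check_privsep() {
    value=$(effective_value "$1" UsePrivilegeSeparation | tr '[:upper:]' '[:lower:]')
    case "$value" in
        sandbox) echo "OK: $1: UsePrivilegeSeparation sandbox"; return 0 ;;
        "")      echo "WARN: $1: UsePrivilegeSeparation not set, default applies"; return 1 ;;
        *)       echo "FAIL: $1: UsePrivilegeSeparation $value"; return 1 ;;
    esac
}

# Constructed sample files (not taken from the repository).
demo_dir=$(mktemp -d)
printf '%s\n' '# hardened' 'Port 22' 'useprivilegeseparation = sandbox' \
    'UsePrivilegeSeparation yes' > "$demo_dir/good"
printf '%s\n' 'UsePrivilegeSeparation yes' '#UsePrivilegeSeparation sandbox' \
    > "$demo_dir/weak"
printf '%s\n' 'Port 22' 'Match User deploy' 'X11Forwarding no' > "$demo_dir/unset"
for f in good weak unset; do check_privsep "$demo_dir/$f" || true; done
rm -rf "$demo_dir"
```

The `weak` sample shows why the first occurrence matters: a later or commented-out `sandbox` line does not change what sshd uses.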

@arlimus
Member

arlimus commented Feb 2, 2015

@gdestuynder Great suggestion! We'll update the tests and get this merged, thank you!

arlimus added a commit to dev-sec/chef-ssh-hardening that referenced this pull request Feb 5, 2015
arlimus added a commit that referenced this pull request Feb 5, 2015
arlimus added a commit that referenced this pull request Feb 6, 2015
Use sandbox for privilege separation
@arlimus arlimus merged commit 69d463e into dev-sec:master Feb 6, 2015
@arlimus
Member

arlimus commented Feb 6, 2015

Thank you @gdestuynder !

I'll add the OS detection part (for e.g. RedHat 6 and family) on top.

arlimus added a commit that referenced this pull request Feb 6, 2015