#47798 closed defect (fixed)
openssh sandboxing broken on 10.10
| Reported by: | danielluke (Daniel J. Luke) | Owned by: | macports-tickets@… |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | 2.3.3 |
| Keywords: | | Cc: | Ionic (Mihai Moldovan) |
| Port: | openssh | | |
Description
MacPorts openssh sshd with UsePrivilegeSeparation sandbox (the default) fails on 10.10 with "chroot("/opt/local/var/empty"): Operation not permitted [preauth]".
System log says: sandboxd[587] ([36016]): sshd(36016) deny file-read-metadata /opt
I verified that "UsePrivilegeSeparation yes" works, and also that re-building with --with-privsep-path=/var/empty also works. (We could probably also alter the sandbox file that we ship, but I'm not sure it's necessary for us to have our own /var/empty sitting in $prefix).
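An added example (not part of the ticket or of the port): a small triage helper that parses sandboxd denial lines in the format quoted above and reports those where the denied path is the privilege-separation directory or one of its ancestors, which is the pattern this report describes. The function names are hypothetical, and every sample log line other than the one quoted in the ticket is constructed.

```python
import re
from pathlib import PurePosixPath

# Matches the sandboxd denial format quoted in the ticket, e.g.
# "sandboxd[587] ([36016]): sshd(36016) deny file-read-metadata /opt"
DENY_RE = re.compile(
    r"sandboxd\[\d+\] \(\[(?P<pid>\d+)\]\): (?P<proc>\S+)\((?P=pid)\) "
    r"deny (?P<op>\S+) (?P<path>/.*)$"
)


def parse_denial(line):
    """Return pid/proc/op/path for a sandboxd deny line, or None."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def blocks_chroot(denial, privsep_path):
    """True when the denied path is the chroot dir or one of its ancestors."""
    target = PurePosixPath(privsep_path)
    denied = PurePosixPath(denial["path"])
    return denied == target or denied in target.parents


def triage(log_lines, privsep_path, proc="sshd"):
    """List (pid, operation, path) denials that sit on the way to privsep_path."""
    hits = []
    for line in log_lines:
        d = parse_denial(line)
        if d and d["proc"] == proc and blocks_chroot(d, privsep_path):
            hits.append((int(d["pid"]), d["op"], d["path"]))
    return hits


# Sample input: the first line is the one quoted in the ticket,
# the other two are constructed to exercise the filters.
SAMPLE_LOG = [
    "sandboxd[587] ([36016]): sshd(36016) deny file-read-metadata /opt",
    "sandboxd[587] ([36020]): sshd(36020) deny file-read-data /private/etc/hosts",
    "sandboxd[587] ([41000]): mdworker(41000) deny file-read-metadata /opt",
]

if __name__ == "__main__":
    # Compare the ${prefix} privsep path with the system one from the ticket.
    for path in ("/opt/local/var/empty", "/var/empty"):
        print(path, triage(SAMPLE_LOG, path))
```

With the sample lines, only the denial on /opt is reported for /opt/local/var/empty, and nothing is reported for /var/empty.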
Attachments (1)
Change History (6)
Changed 9 years ago by danielluke (Daniel J. Luke)
Attachment: privsep_patch.diff added
comment:1 Changed 9 years ago by danielluke (Daniel J. Luke)
If there are no objections, I'll commit this (if there's a good reason to use our own ${prefix}/var/empty instead, let me know - preferably with a tested patch to the sandbox file ;-) ).
comment:2 Changed 9 years ago by neverpanic (Clemens Lang)
As the guy that originally fixed the sandboxing a while ago, this looks good to me.
comment:3 Changed 9 years ago by danielluke (Daniel J. Luke)
thanks for the review - committed in r136548
comment:4 Changed 9 years ago by danielluke (Daniel J. Luke)
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:5 Changed 9 years ago by Ionic (Mihai Moldovan)
Hmm, no idea. Maybe it's not a bad idea to have this stuff separated completely, but then again the difference should be nil. The directory is empty and presumably only used for chrooting.
As long as you do not change the run dir, go ahead.
use /var/empty instead of ${prefix}/var/empty