- (djm) On platforms that support it, use prctl() to prevent sftp-server

from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
2024-11-23 18:23:25 +08:00 · 2014-04-01 14:38:07 +11:00 · 2014-04-01 14:38:07 +11:00 · 14928b7492
commit 14928b7492
parent 48abc47e60
2 changed files with 18 additions and 0 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+20140401
+ - (djm) On platforms that support it, use prctl() to prevent sftp-server
+   from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
+
 20140317
 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
   remind myself to add sandbox violation logging via the log socket.
--- a/sftp-server.c
+++ b/sftp-server.c
@ -29,6 +29,9 @@
 #ifdef HAVE_SYS_STATVFS_H
 #include <sys/statvfs.h>
 #endif
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#endif

 #include <dirent.h>
 #include <errno.h>
@ -1523,6 +1526,17 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)

 	log_init(__progname, log_level, log_facility, log_stderr);

+#ifdef HAVE_PRCTL
+	/*
+	 * On Linux, we should try to avoid making /proc/self/{mem,maps}
+	 * available to the user so that sftp access doesn't automatically
+	 * imply arbitrary code execution access that will break
+	 * restricted configurations.
+	 */
+	if (prctl(PR_SET_DUMPABLE, 0) != 0)
+		fatal("unable to make the process undumpable");
+#endif
+
 	if ((cp = getenv("SSH_CONNECTION")) != NULL) {
 		client_addr = xstrdup(cp);
 		if ((cp = strchr(client_addr, ' ')) == NULL) {