Your message dated Sat, 24 Dec 2016 13:50:21 +0000 with message-id <20161224135021.GJ20455@riva.ucam.org> and subject line Re: Bug#742486: the sshd sanbox complains about socketcall(2) has caused the Debian Bug report #742486, regarding the sshd sandbox complains about socketcall(2) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 742486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742486 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: the sshd sanbox complains about socketcall(2)
- From: Marco d'Itri <md@linux.it>
- Date: Mon, 24 Mar 2014 07:40:15 +0100
- Message-id: <20140324064015.GA19266@bongo.bofh.it>
Package: openssh-server Version: 1:6.5p1-6 Severity: normal If I use "UsePrivilegeSeparation sandbox" then this is logged every time a login attempt fails: Mar 21 04:59:34 bongo kernel: [1746352.182111] type=1326 audit(1395374374.299:1020): auid=4294967295 uid=103 gid=65534 ses=4294967295 pid=17813 comm="sshd" sig=31 syscall=102 compat=1 ip=0xf7637430 code=0x0 #define __NR_socketcall 102 I do not think that socketcall(2) should be permitted since it would allow an attacker who took control of the process to create new sockets, but maybe sshd could be fixed to not use it (is it for logging?). -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (x86_64) Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores) Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages openssh-server depends on: ii adduser 3.113+nmu3 ii dpkg 1.17.6 ii init-system-helpers 1.18 ii libc6 2.18-4 ii libcomerr2 1.42.9-3 ii libgssapi-krb5-2 1.12.1+dfsg-1 ii libkrb5-3 1.12.1+dfsg-1 ii libpam-modules 1.1.8-2 ii libpam-runtime 1.1.8-2 ii libpam0g 1.1.8-2 ii libselinux1 2.2.2-1 ii libssl1.0.0 1.0.1f-1 ii libwrap0 7.6.q-25 ii lsb-base 4.1+Debian12 ii openssh-client 1:6.5p1-6 ii openssh-sftp-server 1:6.5p1-6 ii procps 1:3.3.9-4 ii zlib1g 1:1.2.8.dfsg-1 Versions of packages openssh-server recommends: pn ncurses-term <none> ii xauth 1:1.0.7-1 Versions of packages openssh-server suggests: pn molly-guard <none> pn monkeysphere <none> pn rssh <none> pn ssh-askpass <none> pn ufw <none> -- debconf information excluded -- ciao, MarcoAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 742486-done@bugs.debian.org
- Subject: Re: Bug#742486: the sshd sanbox complains about socketcall(2)
- From: Colin Watson <cjwatson@debian.org>
- Date: Sat, 24 Dec 2016 13:50:21 +0000
- Message-id: <20161224135021.GJ20455@riva.ucam.org>
- In-reply-to: <20140324064015.GA19266@bongo.bofh.it>
- References: <20140324064015.GA19266@bongo.bofh.it>
Source: openssh Source-Version: 1:6.9p1-1 On Mon, Mar 24, 2014 at 07:40:15AM +0100, Marco d'Itri wrote: > If I use "UsePrivilegeSeparation sandbox" then this is logged every time a > login attempt fails: > > Mar 21 04:59:34 bongo kernel: [1746352.182111] type=1326 audit(1395374374.299:1020): auid=4294967295 uid=103 gid=65534 ses=4294967295 pid=17813 comm="sshd" sig=31 syscall=102 compat=1 ip=0xf7637430 code=0x0 > > #define __NR_socketcall 102 > > I do not think that socketcall(2) should be permitted since it would > allow an attacker who took control of the process to create new sockets, > but maybe sshd could be fixed to not use it (is it for logging?). I believe it's for shutdown(2). sshd was fixed to allow socketcall(2) with just this first argument in 6.9p1. Thanks, -- Colin Watson [cjwatson@debian.org]
--- End Message ---