On Mon, 18 Jun 2018, Wenyi Cheng wrote: > Hi openssh-unix-dev, > > I'm upgrading the openssh in our system from 6.6 to 7.6. The option > UsePrivilegeSeparation for sshd has been deprecated since 7.5. We used to > set it to yes but it's now sandbox by default. > > We are using futex which is not allowed with sandbox. So I have to manually > add the following code change to sandbox-seccomp-filter.c to make it work. > > > #ifdef __NR_futex > > SC_ALLOW(__NR_futex), > > #endif > > > Will this change cause any security issue? For the futex(2) syscall, probably not. Barring a kernel bug in the futex implementation itself, I don't think it likely that it would create a new vulnerability. It could be useful to an attacker who already has a vulnerability (esp a race condition) and is struggling to reliably exploit it though. -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
