Created attachment 2827 [details]: to make ssh-agent and sftp-server untraceable on Solaris

For Linux, to prevent ptrace on ssh-agent and sftp-server, ssh-agent.c and sftp-server.c call prctl(PR_SET_DUMPABLE, 0). For Solaris, the equivalent implementation would be: setpflags(__PROC_PROTECT, 1); Attached is the patch to make ssh-agent and sftp-server untraceable on Solaris without using the sgid bit. We would like to contribute this patch to upstream, so that our code will be more in-sync with the upstream version.
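The two OS-specific calls named in this report, wrapped the way the later comments ask for (one platform function instead of a call in each daemon), as an added example that is not the attached patch or OpenSSH's own platform.c. It assumes a Linux or Solaris build host; the function names platform_disable_tracing, platform_has_tracing_control and platform_tracing_disabled are chosen here for illustration:

```c
#include <errno.h>
#include <stdio.h>

#if defined(__linux__)
#include <sys/prctl.h>
#elif defined(__sun)
#include <priv.h>
#endif

/* 1 when this build knows how to stop ptrace attachment on the host OS,
 * 0 otherwise (so a daemon can log that the protection is unavailable). */
int platform_has_tracing_control(void)
{
#if defined(__linux__) || defined(__sun)
    return 1;
#else
    return 0;
#endif
}

/* Single place for the OS-specific call, as the reviewer suggests for
 * platform.c.  Returns 0 on success; -1 with errno set on failure, and
 * errno = ENOSYS on platforms this wrapper does not cover. */
int platform_disable_tracing(void)
{
#if defined(__linux__)
    /* Non-dumpable: no core file, and an unprivileged user (even the
     * process owner) cannot ptrace-attach, so key material held by
     * ssh-agent is not readable from another process. */
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
#elif defined(__sun)
    /* Solaris equivalent from the report: the __PROC_PROTECT flag. */
    return setpflags(__PROC_PROTECT, 1);
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Verification step (Linux only): read the flag back.  Returns 1 if the
 * process is now non-dumpable, 0 if it is still dumpable, -1 if unknown. */
int platform_tracing_disabled(void)
{
#if defined(__linux__)
    int v = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (v < 0)
        return -1;
    return v == 0;
#else
    return -1;
#endif
}

int main(void)
{
    if (!platform_has_tracing_control()) {
        puts("no ptrace protection available on this platform");
        return 1;
    }
    if (platform_disable_tracing() != 0) {
        perror("platform_disable_tracing");
        return 1;
    }
    printf("tracing disabled: %d\n", platform_tracing_disabled());
    return 0;
}
```

A daemon would call platform_disable_tracing() early, before any key is loaded, and treat a non-zero return as a startup error rather than continuing unprotected; on Linux, `grep -i dumpable /proc/<pid>/status` is an easy way to confirm the setting on a running agent.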
I'm ok with doing this however I think the code should be factored out of the mainline code and moved somewhere like platform.c.
Created attachment 2828 [details]: Move prtctl into platform.c then add setpflags

Could you please confirm that this works? Once we're happy with it I'll commit it as 2 parts (the move of existing and the addition of the new). Thanks.
Comment on attachment 2828 [details]: Move prtctl into platform.c then add setpflags

Thanks - I was going to suggest refactoring it this way :)
Applied, thanks. Please let us know if any further changes are required. https://anongit.mindrot.org/openssh.git/commit/?id=a86ec4d0737ac5879223e7cd9d68c448df46e169
That's all we need for this. Thank you very much for taking this in.
Close all resolved bugs after 7.3p1 release