Diffstat (limited to 'Ports/openssh/patches/0007-Use-unveil-for-privsep.patch')
-rw-r--r--Ports/openssh/patches/0007-Use-unveil-for-privsep.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/Ports/openssh/patches/0007-Use-unveil-for-privsep.patch b/Ports/openssh/patches/0007-Use-unveil-for-privsep.patch
new file mode 100644
index 0000000000..e1070a3cf4
--- /dev/null
+++ b/Ports/openssh/patches/0007-Use-unveil-for-privsep.patch
@@ -0,0 +1,58 @@
+From ba3aaa65905f77e6e8bb812ca0ddcdba4f3c0eb3 Mon Sep 17 00:00:00 2001
+From: Patrick Meyer <git@the-space.agency>
+Date: Sat, 30 Apr 2022 10:58:10 +0000
+Subject: [PATCH 7/7] Use unveil for privsep
+
+---
+ sshd.c | 28 +++-------------------------
+ 1 file changed, 3 insertions(+), 25 deletions(-)
+
+diff --git a/sshd.c b/sshd.c
+index 0ee65b5..e2f84de 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -452,12 +452,9 @@ privsep_preauth_child(void)
+
+ /* Demote the child */
+ if (privsep_chroot) {
+- /* Change our root directory */
+- if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+- fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+- strerror(errno));
+- if (chdir("/") == -1)
+- fatal("chdir(\"/\"): %s", strerror(errno));
++ /* Hide the whole filesystem */
++ if (unveil(NULL, NULL) < 0)
++ fatal("unveil(NULL, NULL): %s", strerror(errno));
+
+ /* Drop our privileges */
+ debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+@@ -1952,25 +1949,6 @@ main(int ac, char **av)
+ sshkey_type(key));
+ }
+
+- if (privsep_chroot) {
+- struct stat st;
+-
+- if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
+- (S_ISDIR(st.st_mode) == 0))
+- fatal("Missing privilege separation directory: %s",
+- _PATH_PRIVSEP_CHROOT_DIR);
+-
+-#ifdef HAVE_CYGWIN
+- if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
+- (st.st_uid != getuid () ||
+- (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+-#else
+- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+-#endif
+- fatal("%s must be owned by root and not group or "
+- "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+- }
+-
+ if (test_flag > 1) {
+ /*
+ * If no connection info was provided by -C then use
+--
+2.36.1
+
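Review bot: In the privsep_preauth_child() hunk of the added patch, the pre-auth child's filesystem confinement now rests entirely on `unveil(NULL, NULL)` denying every path when nothing was unveiled beforehand, and the short comment does not record that. This holds only if the target kernel treats a locked, empty veil as deny-all, which the patch itself cannot confirm, so I would spell the assumption out: `/* Nothing was unveiled before this point, so locking the veil leaves the child with no filesystem access. */`. The call is also still gated on `privsep_chroot`, a name that no longer describes what the branch does. If that flag is only set when sshd runs as root (its assignment is not visible here), an unprivileged sshd skips the restriction even though unveil presumably needs no privilege, unlike chroot. The function body continues outside the hunk, so the interaction with the privilege drop that follows should be checked against the full file.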