? lib/obj
? scp/obj
? sftp/obj
? sftp-server/obj
? ssh/obj
? ssh-add/obj
? ssh-agent/obj
? ssh-keygen/obj
? ssh-keyscan/obj
? ssh-keysign/obj
? ssh-pkcs11-helper/obj
? sshd/obj
Index: clientloop.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
retrieving revision 1.284
diff -u -p -r1.284 clientloop.c
--- clientloop.c 8 Feb 2016 10:57:07 -0000 1.284
+++ clientloop.c 25 Feb 2016 05:35:28 -0000
@@ -1497,6 +1497,7 @@ client_loop(int have_pty, int escape_cha
debug("Entering interactive session.");
+#if 0
if (options.control_master &&
! option_clear_or_none(options.control_path)) {
debug("pledge: id");
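Review bot: The bare `#if 0` added here compiles out every pledge() call in client_loop with no comment and no named build switch, so neither the source nor the runtime log says the process now runs without its syscall restrictions. The same pattern is repeated in the mux.c, scp.c, ssh-agent.c and ssh-keysign.c hunks. A named guard such as `#ifdef SSH_USE_PLEDGE` (constructed name), with a one-line comment giving the reason, would make the change greppable and easy to revert. An `#else` arm with `debug("pledge disabled at build time");` would make the missing sandbox visible in verbose output. The guarded block continues outside this hunk and is closed by the `#endif` in the next one.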
@@ -1526,7 +1527,7 @@ client_loop(int have_pty, int escape_cha
if (pledge("stdio unix inet dns tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
}
-
+#endif
start_time = get_current_time();
/* Initialize variables. */
Index: mux.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/mux.c,v
retrieving revision 1.58
diff -u -p -r1.58 mux.c
--- mux.c 13 Jan 2016 23:04:47 -0000 1.58
+++ mux.c 25 Feb 2016 05:35:29 -0000
@@ -1872,8 +1872,10 @@ mux_client_request_session(int fd)
}
muxclient_request_id++;
+#if 0
if (pledge("stdio proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
+#endif
signal(SIGHUP, control_client_sighandler);
signal(SIGINT, control_client_sighandler);
@@ -1982,8 +1984,10 @@ mux_client_request_stdio_fwd(int fd)
mm_send_fd(fd, STDOUT_FILENO) == -1)
fatal("%s: send fds failed", __func__);
+#if 0
if (pledge("stdio proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
+#endif
debug3("%s: stdio forward request sent", __func__);
Index: scp.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/scp.c,v
retrieving revision 1.184
diff -u -p -r1.184 scp.c
--- scp.c 27 Nov 2015 00:49:31 -0000 1.184
+++ scp.c 25 Feb 2016 05:35:30 -0000
@@ -463,6 +463,7 @@ main(int argc, char **argv)
if (!isatty(STDOUT_FILENO))
showprogress = 0;
+#if 0
if (pflag) {
/* Cannot pledge: -p allows setuid/setgid files... */
} else {
@@ -472,6 +473,7 @@ main(int argc, char **argv)
exit(1);
}
}
+#endif
remin = STDIN_FILENO;
remout = STDOUT_FILENO;
Index: ssh-agent.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v
retrieving revision 1.212
diff -u -p -r1.212 ssh-agent.c
--- ssh-agent.c 15 Feb 2016 09:47:49 -0000 1.212
+++ ssh-agent.c 25 Feb 2016 05:35:30 -0000
@@ -1385,8 +1385,10 @@ skip:
signal(SIGTERM, cleanup_handler);
nalloc = 0;
+#if 0
if (pledge("stdio cpath unix id proc exec", NULL) == -1)
fatal("%s: pledge: %s", __progname, strerror(errno));
+#endif
while (1) {
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
Index: ssh-keysign.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keysign.c,v
retrieving revision 1.52
diff -u -p -r1.52 ssh-keysign.c
--- ssh-keysign.c 15 Feb 2016 09:47:49 -0000 1.52
+++ ssh-keysign.c 25 Feb 2016 05:35:30 -0000
@@ -170,8 +170,10 @@ main(int argc, char **argv)
size_t slen, dlen;
ssh_malloc_init(); /* must be called before any mallocs */
+#if 0
if (pledge("stdio rpath getpw dns id", NULL) != 0)
fatal("%s: pledge: %s", __progname, strerror(errno));
+#endif
/* Ensure that stdin and stdout are connected */
if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
@@ -233,8 +235,10 @@ main(int argc, char **argv)
if (!found)
fatal("no hostkey found");
+#if 0
if (pledge("stdio dns", NULL) != 0)
fatal("%s: pledge: %s", __progname, strerror(errno));
+#endif
if ((b = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __progname);
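Review bot: Compiling out this second pledge removes the narrowing from "stdio rpath getpw dns id" (the earlier hunk) to "stdio dns" that took effect once a host key had been found. Everything from sshbuf_new onward, most of which lies outside this hunk, now keeps file, passwd and id access that the original dropped before handling further input. If the calls must stay disabled, record it at the site with a comment such as `/* pledge("stdio dns") compiled out: code below is no longer confined */`. Whether another privilege-reduction step covers this path is not visible in the diff and should be confirmed.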
Index: sshd/Makefile
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd/Makefile,v
retrieving revision 1.88
diff -u -p -r1.88 Makefile
--- sshd/Makefile 14 Jan 2016 16:17:40 -0000 1.88
+++ sshd/Makefile 25 Feb 2016 05:35:30 -0000
@@ -17,7 +17,7 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c
auth2-none.c auth2-passwd.c auth2-pubkey.c \
monitor_mm.c monitor.c monitor_wrap.c \
sftp-server.c sftp-common.c \
- sandbox-pledge.c
+ sandbox-systrace.c
.if (${SSH1:L} == "yes")
SRCS+= auth-rsa.c auth-rh-rsa.c auth1.c
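Review bot: Replacing `sandbox-pledge.c` with `sandbox-systrace.c` directly in SRCS hard-codes the pre-auth sandbox backend, and nothing in the Makefile says why or how to switch back. A build variable would keep the pledge default and make the override explicit, for example `SANDBOX?= pledge` with `SRCS+= sandbox-${SANDBOX}.c` (constructed variable name). The diff does not show how sshd behaves when the systrace backend cannot initialise on the target kernel. That should be checked so the daemon fails closed rather than running without a sandbox.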