@ng0 openssh implements several sandbox system (depending the targeted system).
for Linux, one is based on seccomp (https://anongit.mindrot.org/openssh.git/tree/sandbox-seccomp-filter.c) and another based on setrlimit(2) (https://anongit.mindrot.org/openssh.git/tree/sandbox-rlimit.c). but it isn't a full pledge(2) equivalent, only a way to create the sandbox openssh needed for its own purpose.
Another shoutout for upobsd by @semarie.
Allows automatic upgrades and installs for #OpenBSD.
My serial console server is CompactFlash based and is (for obvious reasons) the one I cannot watch remotely. I usually have a long wait for upgrades since the CF is so slow.
Yesterday I used upobsd to do the main upgrade part unattended. It was *lovely*.
It's a package for 6.3. You can use it on a 6.3 box to make your bsd.rd and copy it to the 6.2 server in question.
why properly documenting API is hard or "a new candidate for worstly-designed trivial API: SSL_CIPHER_description(3)"
if you like one of them, you could like others (aka self-promoting of tools for OpenBSD - all available in ports):
- sysclean : list obsolete files between OpenBSD upgrades (aka delete old stuff between upgrades)
- checkrestart : help to find processes that need restarting after upgrade (aka which service to restart after pkg_add -u)
- upobsd : download, verify and patch bsd.rd image (aka upgrading the system without hands)