From f7e4f05c3dd83072bba3e6a26ed9933fcc2f3d73 Mon Sep 17 00:00:00 2001
From: Jay Wren
Date: Thu, 12 Mar 2026 15:13:22 -0400
Subject: [PATCH] update default and example

---
 examples/config.yml | 6 ++++++
 ssh.go | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/examples/config.yml b/examples/config.yml
index 1f9dc2a4..1d431085 100644
--- a/examples/config.yml
+++ b/examples/config.yml
@@ -204,6 +204,12 @@ punchy:
 # Trusted SSH CA public keys. These are the public keys of the CAs that are allowed to sign SSH keys for access.
 #trusted_cas:
 #- "ssh public key string"
+ # sandbox_dir restricts file paths for profiling commands (start-cpu-profile, save-heap-profile,
+ # save-mutex-profile) to the specified directory. Relative paths will be resolved within this directory,
+ # and absolute paths outside of it will be rejected. Default is /var/tmp/nebula-debug.
+ # The directory is NOT automatically created.
+ # Overriding this to "" is the same as "/" and will allow overwriting any path on the host.
+ #sandbox_dir: /var/tmp/nebula-debug

 # EXPERIMENTAL: relay support for networks that can't establish direct connections.
 relay:
diff --git a/ssh.go b/ssh.go
index 82fedcd1..eb616c02 100644
--- a/ssh.go
+++ b/ssh.go
@@ -189,7 +189,10 @@ func configSSH(l *logrus.Logger, ssh *sshd.SSHServer, c *config.C) (func(), erro
 }

 func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Interface) {
- sandboxDir := c.GetString("sshd.sandbox_dir", "")
+ // sandboxDir defaults to a dir in temp. The intention is that end user will
+ // create this dir as needed. Overriding this config value to "" allows
+ // writing to anywhere in the system.
+ sandboxDir := c.GetString("sshd.sandbox_dir", "/var/tmp/nebula-debug")

 ssh.RegisterCommand(&sshd.Command{
 Name: "list-hostmap",
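Review bot: The new default `/var/tmp/nebula-debug` in `attachCommands` sits under a world-writable parent and, per the config comment in this same patch, is not created by nebula, so on a multi-user host whichever local account creates it first owns it and controls its contents. Whether the sandbox check (outside this hunk) resolves symlinks or verifies ownership is not visible here; if it does not, the profiling commands would write with nebula's privileges into a directory someone else controls. Consider verifying at startup that the directory exists, is owned by the running user and is not group- or world-writable, or defaulting to a location under a non-world-writable parent. Separately, since `""` silently disables the restriction, a log line would make that state visible: `if sandboxDir == "" { l.Warn("sshd.sandbox_dir is empty; profiling commands may write to any path") }`. attachCommands continues past the end of the hunk.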