On 2015-06-07 1:45 PM, aixtools wrote:
On 2015-06-03 2:43 AM, Ron Frederick wrote:
On Jun 2, 2015, at 4:46 PM, Damien Miller<djm@xxxxxxxxxxx> wrote:
On Tue, 2 Jun 2015, Ron Frederick wrote:
The privsep chroot path is specified at build time (./configure
--with-privsep-path if you want to change it).
Ok, thanks. I’ve re-run the tests on Linux with --sysconfdir=/etc/ssh
--with-privsep-path=/var/run, and I no longer see either of the issues
mentioned above. With the above config option, all tests passed for me
on Ubuntu 14.04.2 LTS.
You should use /var/run/sshd on Ubuntu. Don't use a directory with
other stuff in it.
I added --with-privsep-path=/var/run/sshd (as non-root) and when I ran
"make tests" it aborted when /var/run did not exist - but ran normally
when /var/run exists (only), but is not writeable by the non-root user
(i.e., cannot mkdir /var/run/sshd either - so why die when /var/run is
not there?)
root@x064:[/]ls -ld /var/run
drwxr-xr-x 2 root system 256 Jun 7 11:31 /var/run
root@x064:[/]ls -l /var/run
total 0
Shall I add a feature request - to have these tests ALSO run as root,
and privsep is tested as downgrading from root, rather than SUDO up to root.
And, if someone will be willing to assist me with how to integrate some
tests I would work on some tests for AIX using AIX's version of RBAC for
privilege control. (FYI, I will be researching what sshd actually needs
to be run without 'root' as a kickstart - and, in all honesty, am hoping
there is some interest to see a configuration example and tests in
openssh-portable)
And the message above (about make tests stopping when /var/run does not
exist) - looks like I forgot to reply to all the first time, sigh.
Ok, thanks. I didn’t actually do an install with those parameters. I
was just using them to get around the “/var/empty” error that I got
in my previous run, but I’ll keep this in mind if I upgrade OpenSSH
myself on that system.
Done. This is now filed as bz#2407. No hurry on this one, as the code
still runs fine at the moment and passes all the tests. I just thought
I’d report it to avoid future problems if those APIs are ever removed.
Most of those are due to Apple soft-deprecating the OpenSSL libcrypto
API as a supported interface. If they ever fully deprecate it, we'll
ask users to build OpenSSH against an independent installation of
libcrypto.
I see. Do you know if there is any way to add something to the
Makefile to suppress the warnings in the meantime?
One of the other items I called out in the bug that wasn’t a
deprecation was around the assignment of ssh1_3des_cbc to a
“do_cipher” function pointer. It looks like the issue there is that
ssh1_3des_cbc is declared to take a “size_t” as its last argument,
where the do_cipher function pointer is expecting an “unsigned int”.
It looks like other instances of functions assigned to do_cipher use
the type LIBCRYPTO_EVP_INL_TYPE as the type of this argument, but for
some reason this wasn’t done in the ssh1 3des case. This looks like
it would be an easy fix, though.
The last issue was clang not liking the “-pie” switch on compilations.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev