On February 9, 2016 8:05 PM, Darren Tucker wrote:
> To: Randall S. Becker <rsbecker@xxxxxxxxxxxxx>
> Cc: 'OpenSSH Devel List' <openssh-unix-dev@xxxxxxxxxxx>
> Subject: Re: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands
>
> On Tue, Feb 09, 2016 at 07:46:45PM -0500, Randall S. Becker wrote:
> [...]
> > SUPERUSER ends up being 65535, which is root on this platform.
> > SUPER.SUPER is the actual name of root. /var and /var/run are both
> > 755, while /var/run/keycommand_SUPER.SUPER is 644.
>
> OK, I think the ownership is the problem.

Confirmed.

> auth2-pubkey.c:subprocess() does this:
>
>         if (stat(av[0], &st) < 0)
>         [...]
>         if (auth_secure_path(av[0], &st, NULL, 0,
>             errmsg, sizeof(errmsg)) != 0) {
>                 error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
>
> The 4th arg to auth_secure_path is the UID we expect the file to be owned
> by.
>
> If you apply the following and compile with -DROOT_UID=65535 does it
> work?

Replacing

        if (auth_secure_path(av[0], &st, NULL, 0,

with

        if (auth_secure_path(av[0], &st, NULL, SUPERUSER,

Causes the keys-command test to pass! I would prefer this change to introducing ROOT_UID as a duplicate since we already have SUPERUSER. What I'm not sure about is whether SUPERUSER originated with a branch of ours or not. To be investigated later. The original #define we had was in include.h #define SUPERUSER 0, which we wrapped defining SUPERUSER 65535 on our platform and it is used throughout. No real issue changing it to ROOT_UID if we must.

> What does ./config.guess report the platform as?

From config.status:

S["host_os"]="nsk"
S["host_vendor"]="tandem"
S["host_cpu"]="nse"
S["host"]="nse-tandem-nsk"
S["build_os"]="nsk"
S["build_vendor"]="tandem"
S["build_cpu"]="nse"
S["build"]="nse-tandem-nsk"

Cheers,
Randall

-- Brief whoami: NonStop&UNIX developer since approximately UNIX(421664400)/NonStop(211288444200000000)
-- In my real life, I talk too much.