Re: Call for testing: OpenSSH 7.2

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, Feb 17, 2016 at 05:43:21PM -0800, Carson Gaspar wrote:
> On 2/17/16 3:02 PM, Carson Gaspar wrote:
> >
> >Sadly I'm hitting a different autoconf bug :-(
> 
> I was being an idiot - configure was bombing out & I didn't notice (boy that
> openssl version error message is loooooong...)
> 
> With Mr. Wilson's patch, I still get:

Damien posted the (probable) fix for this a while upthread.

I've rolled it into the WIP patch from Alex Wilson.  I think this should
fix both.

diff --git a/configure.ac b/configure.ac
index b4c0aaa..e36b049 100644
--- a/configure.ac
+++ b/configure.ac
@@ -896,11 +896,9 @@ mips-sony-bsd|mips-sony-newsos4)
 	else
 		AC_MSG_RESULT([no])
 	fi
-	AC_CHECK_FUNC([setppriv],
-		[ AC_CHECK_HEADERS([priv.h], [
-			SOLARIS_PRIVS="yes"
-		])
-	])
+	AC_CHECK_FUNCS([setppriv])
+	AC_CHECK_FUNCS([priv_basicset])
+	AC_CHECK_HEADERS([priv.h])
 	AC_ARG_WITH([solaris-contracts],
 		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
 		[
@@ -925,7 +923,9 @@ mips-sony-bsd|mips-sony-newsos4)
 		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
 		[
 		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
-		if test "x$SOLARIS_PRIVS" = "xyes" ; then
+		if test "x$ac_cv_func_setppriv" = "xyes" -a \
+			"x$ac_cv_header_priv_h" = "xyes" ; then
+			SOLARIS_PRIVS=yes
 			AC_MSG_RESULT([found])
 			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
 				[Define to disable UID restoration test])
diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
index 962cd16..e36e412 100644
--- a/openbsd-compat/port-solaris.c
+++ b/openbsd-compat/port-solaris.c
@@ -233,6 +233,26 @@ solaris_set_default_project(struct passwd *pw)
 #  include <priv.h>
 # endif
 
+priv_set_t *
+solaris_basic_privset(void)
+{
+	priv_set_t *pset;
+
+#ifdef HAVE_PRIV_BASICSET
+	if ((pset = priv_allocset()) == NULL) {
+		error("priv_allocset: %s", strerror(errno));
+		return NULL;
+	}
+	priv_basicset(pset);
+#else
+	if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) {
+		error("priv_str_to_set: %s", strerror(errno));
+		return NULL;
+	}
+#endif
+	return pset;
+}
+
 void
 solaris_drop_privs_pinfo_net_fork_exec(void)
 {
@@ -254,11 +274,10 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
 	 * etc etc).
 	 */
 
-	if ((pset = priv_allocset()) == NULL ||
-	    (npset = priv_allocset()) == NULL)
+	if ((pset = priv_allocset()) == NULL)
 		fatal("priv_allocset: %s", strerror(errno));
-
-	priv_basicset(npset);
+	if ((npset = solaris_basic_privset()) == NULL)
+		fatal("solaris_basic_privset: %s", strerror(errno));
 
 	if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 ||
 	    priv_addset(npset, PRIV_FILE_DAC_READ) != 0 ||
@@ -268,7 +287,9 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
 		fatal("priv_addset: %s", strerror(errno));
 
 	if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
 	    priv_delset(npset, PRIV_NET_ACCESS) != 0 ||
+#endif
 	    priv_delset(npset, PRIV_PROC_EXEC) != 0 ||
 	    priv_delset(npset, PRIV_PROC_FORK) != 0 ||
 	    priv_delset(npset, PRIV_PROC_INFO) != 0 ||
@@ -294,14 +315,14 @@ solaris_drop_privs_root_pinfo_net(void)
 {
 	priv_set_t *pset = NULL;
 
-	if ((pset = priv_allocset()) == NULL)
-		fatal("priv_allocset: %s", strerror(errno));
-
 	/* Start with "basic" and drop everything we don't need. */
-	priv_basicset(pset);
+	if ((pset = solaris_basic_privset()) == NULL)
+		fatal("solaris_basic_privset: %s", strerror(errno));
 
 	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
 	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+#endif
 	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
 	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
 		fatal("priv_delset: %s", strerror(errno));
@@ -319,14 +340,15 @@ solaris_drop_privs_root_pinfo_net_exec(void)
 {
 	priv_set_t *pset = NULL;
 
-	if ((pset = priv_allocset()) == NULL)
-		fatal("priv_allocset: %s", strerror(errno));
 
 	/* Start with "basic" and drop everything we don't need. */
-	priv_basicset(pset);
+	if ((pset = solaris_basic_privset()) == NULL)
+		fatal("solaris_basic_privset: %s", strerror(errno));
 
 	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
 	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+#endif
 	    priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
 	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
 	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h
index b077e18..3a41ea8 100644
--- a/openbsd-compat/port-solaris.h
+++ b/openbsd-compat/port-solaris.h
@@ -26,8 +26,11 @@ void solaris_contract_pre_fork(void);
 void solaris_contract_post_fork_child(void);
 void solaris_contract_post_fork_parent(pid_t pid);
 void solaris_set_default_project(struct passwd *);
+# ifdef USE_SOLARIS_PRIVS
+priv_set_t *solaris_basic_privset(void);
 void solaris_drop_privs_pinfo_net_fork_exec(void);
 void solaris_drop_privs_root_pinfo_net(void);
 void solaris_drop_privs_root_pinfo_net_exec(void);
+# endif /* USE_SOLARIS_PRIVS */
 
 #endif
diff --git a/sandbox-solaris.c b/sandbox-solaris.c
index 98714e1..343a010 100644
--- a/sandbox-solaris.c
+++ b/sandbox-solaris.c
@@ -48,19 +48,20 @@ ssh_sandbox_init(struct monitor *monitor)
 	struct ssh_sandbox *box = NULL;
 
 	box = xcalloc(1, sizeof(*box));
-	box->pset = priv_allocset();
+
+	/* Start with "basic" and drop everything we don't need. */
+	box->pset = solaris_basic_privset();
 
 	if (box->pset == NULL) {
 		free(box);
 		return NULL;
 	}
 
-	/* Start with "basic" and drop everything we don't need. */
-	priv_basicset(box->pset);
-
 	/* Drop everything except the ability to use already-opened files */
 	if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
+#ifdef PRIV_NET_ACCESS
 	    priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||
+#endif
 	    priv_delset(box->pset, PRIV_PROC_EXEC) != 0 ||
 	    priv_delset(box->pset, PRIV_PROC_FORK) != 0 ||
 	    priv_delset(box->pset, PRIV_PROC_INFO) != 0 ||

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux