https://bugzilla.mindrot.org/show_bug.cgi?id=2511
--- Comment #1 from Damien Miller <[email protected]> --- Comment on attachment 2761 --> https://bugzilla.mindrot.org/attachment.cgi?id=2761 patch >--- a/configure.ac >+++ b/configure.ac ... >+ AC_ARG_WITH([solaris-privs], >+ [ --with-solaris-privs Enable Solaris/Illumos privileges >(experimental)], >+ [ >+ AC_CHECK_FUNC([setppriv], >+ [ AC_CHECK_HEADERS([priv.h]) Should the following two AC_DEFINEs be conditional on priv.h being found? >+ AC_DEFINE([NO_UID_RESTORATION_TEST], [1], >+ [Define to disable UID restoration test]) >+ AC_DEFINE([USE_SOLARIS_PRIVS], [1], >+ [Define if you have Solaris privileges]) >+ SP_MSG="yes" ], ) SP_MSG is for "Solaris project support" - did you intend to provide a message in the configure summary section? If so, you should use a different variable. >+elif test "x$sandbox_arg" = "xsolaris" || \ >+ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setppriv" = "xyes" ) ; then >+ test "x$ac_cv_func_setppriv" != "xyes" && \ Rather than repeating the tests in the above block, it's probably more robust to set a shell variable there and test it here. E.g. elif test "x$sandbox_arg" = "xsolaris" || test "x$SOLARIS_PRIVS" = "xyes" >--- a/openbsd-compat/port-solaris.c >+++ b/openbsd-compat/port-solaris.c >+void >+solaris_drop_fork_privs(void) >+{ >+ priv_set_t *pset = NULL; >+ >+ if ((pset = priv_allocset()) == NULL) >+ fatal("priv_allocset: %s", strerror(errno)); >+ >+ /* Start with "basic" and drop everything we don't need. */ >+ priv_basicset(pset); >+ >+ priv_delset(pset, PRIV_PROC_EXEC); >+ priv_delset(pset, PRIV_PROC_FORK); >+ priv_delset(pset, PRIV_FILE_LINK_ANY); >+ priv_delset(pset, PRIV_PROC_INFO); >+ priv_delset(pset, PRIV_PROC_SESSION); These calls should be checked for failure. 
>+ if (setppriv(PRIV_SET, PRIV_PERMITTED, pset)) >+ fatal("setppriv: %s", strerror(errno)); >+ if (setppriv(PRIV_SET, PRIV_LIMIT, pset)) >+ fatal("setppriv: %s", strerror(errno)); >+ if (setppriv(PRIV_SET, PRIV_INHERITABLE, pset)) >+ fatal("setppriv: %s", strerror(errno)); Coalesce these calls? I.e. if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 || setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 || setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0) fatal("setppriv: %s", strerror(errno)); same for solaris_drop_fork_net_privs() and the sandbox.
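
Review bot: in the configure.ac hunk, the action-if-given of AC_ARG_WITH([solaris-privs]) goes straight to AC_CHECK_FUNC([setppriv]) without looking at $withval, so --without-solaris-privs (withval "no") runs the same body and enables the feature just as --with-solaris-privs does. Wrapping the body in a test such as if test "x$withval" != "xno" would fix that. The not-found argument of AC_CHECK_FUNC is also empty ("], )"), so an explicit --with-solaris-privs on a system without setppriv is silently ignored; an AC_MSG_ERROR in that branch would surface the problem at configure time instead of producing a build without the privilege dropping that was asked for.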
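
Review bot: in the sandbox-selection elif in configure.ac, the automatic case (empty $sandbox_arg) keys on ac_cv_func_setppriv alone, which in the lines shown is set by the AC_CHECK_FUNC inside the --with-solaris-privs action and says nothing about whether priv.h was found or USE_SOLARIS_PRIVS was defined. The Solaris sandbox could therefore be chosen in a configuration where the privilege code is not compiled in; testing a dedicated variable that is set only after both the function and the header checks succeed would tie the two together. The ( ... ) grouping also forks a subshell where { ...; } would do.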
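
Review bot: in solaris_drop_fork_privs() in openbsd-compat/port-solaris.c, all three fatal() calls print the same "setppriv: %s" text, so a failure in the field does not say whether the permitted, limit or inheritable set was rejected. Naming the set in each message, for example "setppriv(PRIV_LIMIT): %s", would make such a report actionable. The function would also benefit from a short comment above it stating which privileges the child is expected to keep after the five priv_delset() calls, since the hunk only documents what is removed.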
