[Bug 2833] The code in opennsd-compat/port-solaris.c should not change PRIV_LIMIT when PRIV_XPOLICY is set.

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Feb 24 10:47:56 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2833

ron.jordan at oracle.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #1 from ron.jordan at oracle.com ---
This issue will be addressed immediately in Solaris 11 by Oracle via a
patch. The same patch is being offered for inclusion upstream:

diff -ur orig/openbsd-compat/port-solaris.c
new/openbsd-compat/port-solaris.c
--- orig/openbsd-compat/port-solaris.c  Tue Feb  6 08:22:44 2018
+++ new/openbsd-compat/port-solaris.c   Tue Feb  6 08:45:21 2018
@@ -306,6 +306,31 @@
            priv_delset(npset, PRIV_PROC_SESSION) != 0)
                fatal("priv_delset: %s", strerror(errno));

+#ifdef PRIV_XPOLICY
+       /*
+        * It is possible that the user has an extended policy
+        * in place; the LIMIT set restricts the extended policy
+        * and so should not be restricted.
+        * PRIV_XPOLICY is newly defined in Solaris 11 though the
extended
+        * policy was not implemented until Solaris 11.1.
+        */
+       if (getpflags(PRIV_XPOLICY) == 1) {
+               if (getppriv(PRIV_LIMIT, pset) != 0)
+                       fatal("getppriv: %s", strerror(errno));
+
+               priv_intersect(pset, npset);
+
+               if (setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0)
+                       fatal("setppriv: %s", strerror(errno));
+       } else
+#endif
+       {
+               /* Cannot exec, so we can kill the limit set. */
+               priv_emptyset(pset);
+               if (setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0)
+                       fatal("setppriv: %s", strerror(errno));
+       }
+
        if (getppriv(PRIV_PERMITTED, pset) != 0)
                fatal("getppriv: %s", strerror(errno));

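Review bot: The comment at the top of the PRIV_XPOLICY branch says the LIMIT set "should not be restricted", but the branch still restricts it: `priv_intersect(pset, npset)` narrows npset to the current limit set and `setppriv(PRIV_SET, PRIV_LIMIT, npset)` then writes that narrowed set back, so the limit set becomes L ∩ npset rather than being left untouched (only the non-XPOLICY branch empties it). The comment would be more accurate with `* and so is only intersected with npset here rather than emptied.` in place of `* and so should not be restricted.`. Note also that npset leaves this branch already intersected with the limit set, so the PRIV_PERMITTED intersection and the setppriv calls after the hunk operate on that narrowed set; presumably a no-op when the permitted set is already within the limit set, but a one-line comment saying so would help the next reader. As quoted in this mail the comment line ending `though the` appears to be wrapped by the mailer, so the patch will not apply as pasted. The enclosing function starts before and ends after this hunk.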
@@ -312,7 +337,6 @@
        priv_intersect(pset, npset);

        if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
-           setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0 ||
            setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
                fatal("setppriv: %s", strerror(errno));
