[Bug 2833] The code in openbsd-compat/port-solaris.c should not change PRIV_LIMIT when PRIV_XPOLICY is set.
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Sat Feb 24 10:47:56 AEDT 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2833
ron.jordan at oracle.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |patch
--- Comment #1 from ron.jordan at oracle.com ---
This issue will immediately be addressed in Solaris 11 by Oracle via a
patch. This patch is being offered for inclusion upstream:
diff -ur orig/openbsd-compat/port-solaris.c
new/openbsd-compat/port-solaris.c
--- orig/openbsd-compat/port-solaris.c Tue Feb 6 08:22:44 2018
+++ new/openbsd-compat/port-solaris.c Tue Feb 6 08:45:21 2018
@@ -306,6 +306,31 @@
priv_delset(npset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));
+#ifdef PRIV_XPOLICY
+ /*
+ * It is possible that the user has an extended policy
+ * in place; the LIMIT set restricts the extended policy
+ * and so should not be restricted.
+ * PRIV_XPOLICY is newly defined in Solaris 11 though the
extended
+ * policy was not implemented until Solaris 11.1.
+ */
+ if (getpflags(PRIV_XPOLICY) == 1) {
+ if (getppriv(PRIV_LIMIT, pset) != 0)
+ fatal("getppriv: %s", strerror(errno));
+
+ priv_intersect(pset, npset);
+
+ if (setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0)
+ fatal("setppriv: %s", strerror(errno));
+ } else
+#endif
+ {
+ /* Cannot exec, so we can kill the limit set. */
+ priv_emptyset(pset);
+ if (setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0)
+ fatal("setppriv: %s", strerror(errno));
+ }
+
if (getppriv(PRIV_PERMITTED, pset) != 0)
fatal("getppriv: %s", strerror(errno));
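Review bot: The new comment at the top of the `#ifdef PRIV_XPOLICY` block says the LIMIT set "should not be restricted", but the code beneath it does restrict it: `priv_intersect(pset, npset)` followed by `setppriv(PRIV_SET, PRIV_LIMIT, npset)` narrows LIMIT to its intersection with npset, and only the non-XPOLICY branch keeps the old behaviour of emptying it, so the comment should say what actually happens, e.g. `* in place; the LIMIT set bounds the extended policy, so narrow it to npset here instead of emptying it.` The `} else` placed directly before `#endif`, with the brace block following it, is easy to misread and breaks if a line is ever inserted between the two; hoisting the `getpflags()` test into a local flag under the `#ifdef` gives a plain if/else, as sketched below. As far as I can tell `getpflags()` reports an unknown flag with -1, which the `== 1` test treats as "not set" and so takes the empty-LIMIT branch — the conservative outcome, but worth a one-line comment such as `/* -1 (flag unknown) falls through to emptying LIMIT */`. The enclosing function starts before and ends after this hunk.
```c
	int xpolicy = 0;
#ifdef PRIV_XPOLICY
	/* … unchanged: extended-policy comment … */
	xpolicy = (getpflags(PRIV_XPOLICY) == 1);
#endif
	if (xpolicy) {
		/* … unchanged: getppriv(PRIV_LIMIT) / priv_intersect / setppriv(PRIV_LIMIT, npset) … */
	} else {
		/* … unchanged: priv_emptyset / setppriv(PRIV_LIMIT, pset) … */
	}
```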
@@ -312,7 +337,6 @@
priv_intersect(pset, npset);
if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
- setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0 ||
setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
fatal("setppriv: %s", strerror(errno));