[openssh-commits] [openssh] 05/05: Solaris: prefer PRIV_XPOLICY to PRIV_LIMIT

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Oct 12 13:22:11 AEDT 2023


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 281c79168edcc303abfd5bca983616eaa24c5f32
Author: Damien Miller <djm at mindrot.org>
Date:   Thu Oct 12 13:20:01 2023 +1100

    Solaris: prefer PRIV_XPOLICY to PRIV_LIMIT
    
    If the system supports PRIV_XPOLICY and one is set, then don't
    modify PRIV_LIMIT. bz2833, patch from Ron Jordan, ok dtucker@
---
 openbsd-compat/port-solaris.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
index 10c2d6b7..05aa1f76 100644
--- a/openbsd-compat/port-solaris.c
+++ b/openbsd-compat/port-solaris.c
@@ -292,13 +292,35 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
 	    priv_delset(npset, PRIV_PROC_SESSION) != 0)
 		fatal("priv_delset: %s", strerror(errno));
 
+#ifdef PRIV_XPOLICY
+	/*
+	 * It is possible that the user has an extended policy
+	 * in place; the LIMIT set restricts the extended policy
+	 * and so should not be restricted.
+	 * PRIV_XPOLICY is newly defined in Solaris 11 though the extended
+	 * policy was not implemented until Solaris 11.1.
+	 */
+	if (getpflags(PRIV_XPOLICY) == 1) {
+		if (getppriv(PRIV_LIMIT, pset) != 0)
+			fatal("getppriv: %s", strerror(errno));
+		priv_intersect(pset, npset);
+		if (setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0)
+			fatal("setppriv: %s", strerror(errno));
+	} else
+#endif
+	{
+		/* Cannot exec, so we can kill the limit set. */
+		priv_emptyset(pset);
+		if (setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0)
+			fatal("setppriv: %s", strerror(errno));
+	}
+
 	if (getppriv(PRIV_PERMITTED, pset) != 0)
 		fatal("getppriv: %s", strerror(errno));
 
 	priv_intersect(pset, npset);
 
 	if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
-	    setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0 ||
 	    setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
 		fatal("setppriv: %s", strerror(errno));
 
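Review bot: the comment in the new PRIV_XPOLICY block ("the LIMIT set restricts the extended policy and so should not be restricted") contradicts the code directly beneath it, which does restrict PRIV_LIMIT by intersecting it with npset and only avoids emptying it; suggest rewording to "and so should not be emptied" so the comment matches the behaviour the branch implements (intersect, then setppriv(PRIV_SET, PRIV_LIMIT, npset)). A secondary style point: the `} else` left dangling before `#endif` with the shared `{` on the next line is legal but fragile to edit, since a later change inside the `#ifdef` can silently detach the else branch; an explicit `int xpolicy = 0;` set under `#ifdef PRIV_XPOLICY` followed by a plain `if (xpolicy) ... else ...` would keep the control flow visible in both build configurations. The re-intersection of npset with PRIV_LIMIT before it is applied to PRIV_PERMITTED and PRIV_INHERITABLE below is fine, as the permitted set is always a subset of the limit set.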
