[Bug 2511] Drop fine-grained privileges on Illumos/Solaris

bugzilla-daemon at bugzilla.mindrot.org
Mon Dec 14 10:46:26 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2511

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 2761
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2761
patch

>--- a/configure.ac
>+++ b/configure.ac
...
>+	AC_ARG_WITH([solaris-privs],
>+		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
>+		[
>+		AC_CHECK_FUNC([setppriv],
>+			[ AC_CHECK_HEADERS([priv.h])

Should the following two AC_DEFINEs be conditional on priv.h being
found?

>+			  AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
>+				[Define to disable UID restoration test])
>+			  AC_DEFINE([USE_SOLARIS_PRIVS], [1],
>+				[Define if you have Solaris privileges])
>+			SP_MSG="yes" ], )
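
Review bot: the action-if-given argument of AC_ARG_WITH([solaris-privs], ...) goes straight to AC_CHECK_FUNC([setppriv], ...) without looking at $withval in the quoted lines, and autoconf runs that argument for --without-solaris-privs too, so an explicit opt-out would still define USE_SOLARIS_PRIVS and NO_UID_RESTORATION_TEST whenever setppriv exists. Guarding the body with a check such as `if test "x$withval" != "xno" ; then ... fi` would make the option behave as its help string implies.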

SP_MSG is for "Solaris project support" - did you intend to provide a
message in the configure summary section? If so, you should use a
different variable.

>+elif test "x$sandbox_arg" = "xsolaris" || \
>+   ( test -z "$sandbox_arg" && test "x$ac_cv_func_setppriv" = "xyes" ) ; then
>+	test "x$ac_cv_func_setppriv" != "xyes" && \

Rather than repeating the tests in the above block, it's probably more
robust to set a shell variable there and test it here. E.g.

elif test "x$sandbox_arg" = "xsolaris" || test "x$SOLARIS_PRIVS" = "xyes"

>--- a/openbsd-compat/port-solaris.c
>+++ b/openbsd-compat/port-solaris.c
>+void
>+solaris_drop_fork_privs(void)
>+{
>+	priv_set_t *pset = NULL;
>+
>+	if ((pset = priv_allocset()) == NULL)
>+		fatal("priv_allocset: %s", strerror(errno));
>+
>+	/* Start with "basic" and drop everything we don't need. */
>+	priv_basicset(pset);
>+
>+	priv_delset(pset, PRIV_PROC_EXEC);
>+	priv_delset(pset, PRIV_PROC_FORK);
>+	priv_delset(pset, PRIV_FILE_LINK_ANY);
>+	priv_delset(pset, PRIV_PROC_INFO);
>+	priv_delset(pset, PRIV_PROC_SESSION);
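
Review bot: the comment `/* Start with "basic" and drop everything we don't need. */` in solaris_drop_fork_privs() does not say why these five privileges are safe to remove, and the function name points only at PRIV_PROC_FORK while PRIV_PROC_EXEC, PRIV_FILE_LINK_ANY, PRIV_PROC_INFO and PRIV_PROC_SESSION are removed as well. A header comment naming the intended caller and the operations it gives up would make later changes to this list easier to audit.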

These calls should be checked for failure.

>+	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset))
>+		fatal("setppriv: %s", strerror(errno));
>+	if (setppriv(PRIV_SET, PRIV_LIMIT, pset))
>+		fatal("setppriv: %s", strerror(errno));
>+	if (setppriv(PRIV_SET, PRIV_INHERITABLE, pset))
>+		fatal("setppriv: %s", strerror(errno));
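
Review bot: the three fatal() calls after setppriv() all print the same "setppriv: %s" text, so a log line from this function does not show whether PRIV_PERMITTED, PRIV_LIMIT or PRIV_INHERITABLE was the set that could not be changed. Naming the set in each message, for example `fatal("setppriv(PRIV_LIMIT): %s", strerror(errno));`, would make a failed privilege drop diagnosable from the log alone.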

Coalesce these calls? I.e.

        if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
            setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
            setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
                fatal("setppriv: %s", strerror(errno));

Same for solaris_drop_fork_net_privs() and the sandbox.
