On Tue, 10 Mar 2015, Damien Miller wrote:
> On Fri, 6 Mar 2015, Damien Miller wrote:
>
>> On Wed, 4 Mar 2015, mikep at noc.utoronto.ca wrote:
>>
>>> Re-testing 'openssh-SNAP-20150305' on Solaris 10, with 'gcc':
>>>
>>> Configure, 'make' complete; 'make tests' fails at:
>>>
>>> postcondition check failed: setstat readonly
>>
>> I couldn't reproduce this on an illumos zone that I had access to,
>> will try installing solaris10 next.
>
> I've been unable to get Solaris 10 working in a VM. Could you please
> apply the below patch and run:
>
> make tests LTESTS=sftp-perm SKIP_UNIT=1
>
> and report the last 20 or so lines of output? (I'm mostly interested in those
> prefixed with 'XXX')

/opt/local/src/security/openssh/ssh-keygen -lf /opt/local/src/security/openssh/regress//t10.out > /dev/null
/opt/local/src/security/openssh/ssh-keygen -Bf /opt/local/src/security/openssh/regress//t10.out > /dev/null
/opt/local/src/security/openssh/ssh-keygen -E sha256 -lf /opt/local/src/security/openssh/regress/rsa_openssh.pub |\
 awk '{print $2}' | diff - /opt/local/src/security/openssh/regress/t11.ok
/opt/local/src/security/openssh/ssh-keygen -lf /opt/local/src/security/openssh/regress//t12.out.pub | grep -q test-comment-1234
run test sftp-perm.sh ...
YYY
sftp permissions: read-only setstat
XXX PRE RW: -r-------- 1 root 0 Mar 11 17:48 /opt/local/src/security/openssh/regress/copy
XXX POST RW: -rwx------ 1 root 0 Mar 11 17:48 /opt/local/src/security/openssh/regress/copy
XXX PRE RO: -r-------- 1 root 0 Mar 11 17:48 /opt/local/src/security/openssh/regress/copy
XXX POST RO: -r-------- 1 root 0 Mar 11 17:48 /opt/local/src/security/openssh/regress/copy
postcondition check failed: setstat readonly
FATAL: XXX
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/opt/local/src/security/openssh/regress'
make: *** [tests] Error 2

> diff --git a/regress/sftp-perm.sh b/regress/sftp-perm.sh > index 304ca0a..9a3740e 100644 > --- a/regress/sftp-perm.sh > +++ b/regress/sftp-perm.sh 
> @@ -41,13 +41,17 @@ ro_test() { > verbose "$tid: read-only $_desc" > # Plain (no options, mostly to test that _cmd is good) > prepare_files "$_prep" > + printf "XXX PRE RW: " ; ls -l $COPY > prepare_server > run_client "$_cmd" || fail "plain $_desc failed" > + printf "XXX POST RW: " ; ls -l $COPY > postcondition "$_desc no-readonly" "$_expect_success_post" > # Read-only enabled > prepare_files "$_prep" > + printf "XXX PRE RO: " ; ls -l $COPY > prepare_server -R > run_client "$_cmd" && fail "read-only $_desc succeeded" > + printf "XXX POST RO: " ; ls -l $COPY > postcondition "$_desc readonly" "$_expect_fail_post" > } > > @@ -80,20 +84,22 @@ perm_test() { > run_client "$_cmd" && fail "no whitelist $_op succeeded" > postcondition "$_op not in whitelist" "$_expect_fail_post" > } > - > +if false ; then > ro_test \ > "upload" \ > "put $DATA $COPY" \ > "" \ > "cmp $DATA $COPY" \ > "test ! -f $COPY" > - > +fi > +echo YYY > ro_test \ > "setstat" \ > "chmod 0700 $COPY" \ > "touch $COPY; chmod 0400 $COPY" \ > "test -x $COPY" \ > "test ! -x $COPY" > +fatal XXX > > ro_test \ > "rm" \

Mike
--
Mike Peterson Information Security Analyst - Audit
E-mail: mikep at noc.utoronto.ca WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230 Fax: 416-978-6620

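Review bot: in the ro_test() hunk, the four added `printf "XXX ..." ; ls -l $COPY` lines record only the mode string, while the check that fails is the postcondition expression passed in as `$_expect_fail_post` (`test ! -x $COPY` for the setstat case), so the debug output cannot show whether the mode bits and `test -x` disagree. Consider also printing the exit status of `test -x $COPY` at the POST RO point, and quote `"$COPY"` in the added lines.
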
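Review bot: in the hunk at perm_test(), the unconditional `+fatal XXX` after the setstat `ro_test` ends every run with a fatal error whether or not the setstat check passed, and `+if false ; then` ... `+fi` silently skips the upload test. Put a comment beside both, or use a self-describing message in place of `XXX`, so that output from a patched tree is not read as a test result, and state with the patch that it has to be reverted before any further test runs.
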
On Wed, 11 Mar 2015, mikep at noc.utoronto.ca wrote:
> sftp permissions: read-only setstat
> XXX PRE RW: -r-------- 1 root 0 Mar 11 17:48
> /opt/local/src/security/openssh/regress/copy
> XXX POST RW: -rwx------ 1 root 0 Mar 11 17:48
> /opt/local/src/security/openssh/regress/copy
> XXX PRE RO: -r-------- 1 root 0 Mar 11 17:48
> /opt/local/src/security/openssh/regress/copy
> XXX POST RO: -r-------- 1 root 0 Mar 11 17:48

Thanks. It looks like sftp-server is behaving correctly but the test
logic isn't. Specifically, it seems 'test ! -x $COPY' is returning
false even though $COPY is not executable.

I've not seen Solaris' test behave like this before, so I'm not sure
what is going on here...

-d

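Added example, not part of the thread or of the OpenSSH regress suite: a way to see whether `test -x` and the file's mode bits disagree, which is the symptom described in the message above. POSIX allows `test -x` to report true for a process with appropriate privileges even when no execute bit is set, and the `ls -l` output shows `copy` owned by root; whether that is the cause here is an assumption the thread does not settle. The function names `mode_has_exec` and `compare_exec_checks` are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from regress/sftp-perm.sh).

# mode_has_exec FILE
# Succeeds (0) if any execute bit is set, judged from the mode string
# printed by `ls -ld`, not from an access check. Returns 2 if FILE is missing.
mode_has_exec() {
    _mode=`ls -ld "$1" 2>/dev/null | awk '{print $1}'`
    [ -n "$_mode" ] || return 2
    # Characters 4, 7 and 10 of e.g. "-rwxr-x--x" are the execute slots.
    # x, s and t mean the bit is set; -, S and T mean it is not.
    case `echo "$_mode" | cut -c4,7,10` in
        *[xst]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# compare_exec_checks FILE
# Prints both answers on one line so a disagreement is visible in a log.
compare_exec_checks() {
    if test -x "$1"; then _access=yes; else _access=no; fi
    if mode_has_exec "$1"; then _bits=yes; else _bits=no; fi
    echo "test-x=$_access mode-bits=$_bits"
}

# Constructed demo: a scratch file set to 0400, mirroring the
# "touch $COPY; chmod 0400 $COPY" preparation step of the setstat test.
_f=${TMPDIR:-/tmp}/exec-check.$$
: > "$_f" && chmod 0400 "$_f"
compare_exec_checks "$_f"
rm -f "$_f"
```

A line reading `test-x=yes mode-bits=no` would mean the postcondition `test ! -x $COPY` fails although the read-only server left the mode unchanged.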
On Thu, 12 Mar 2015, Damien Miller wrote:
> On Wed, 11 Mar 2015, mikep at noc.utoronto.ca wrote:
>
>> sftp permissions: read-only setstat
>> XXX PRE RW: -r-------- 1 root 0 Mar 11 17:48
>> /opt/local/src/security/openssh/regress/copy
>> XXX POST RW: -rwx------ 1 root 0 Mar 11 17:48
>> /opt/local/src/security/openssh/regress/copy
>> XXX PRE RO: -r-------- 1 root 0 Mar 11 17:48
>> /opt/local/src/security/openssh/regress/copy
>> XXX POST RO: -r-------- 1 root 0 Mar 11 17:48
>
> Thanks. It looks like sftp-server is behaving correctly but the test
> logic isn't. Specifically, it seems 'test ! -x $COPY' is returning
> false even though $COPY is not executable.
>
> I've not seen Solaris' test behave like this before, so I'm not sure
> what is going on here...

I had the same issue with OpenSSH 6.7, which was never resolved; we do
have '/usr/ucb' on our paths, but I renamed '/usr/ucb/test' to
'/usr/ucb/test.sav' many years ago as it messed up other builds/installs.

Any other tests/checks I can run?

> -d

Mike
--
Mike Peterson Information Security Analyst - Audit
E-mail: mikep at noc.utoronto.ca WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230 Fax: 416-978-6620

On Thu, 12 Mar 2015, Carson Gaspar wrote:
> On 3/12/15 9:37 AM, mikep at noc.utoronto.ca wrote:
>
>> I had the same issue with OpenSSH 6.7, which was never resolved; we do
>> have '/usr/ucb' on our paths, but I renamed '/usr/ucb/test' to
>> '/usr/ucb/test.sav' many years ago as it messed up other builds/installs.
>>
>> Any other tests/checks I can run?
>
> Try with SHELL=TEST_SHELL=/bin/bash

Tried with:

make SHELL=/bin/sh TEST_SHELL=/bin/sh tests LTESTS=sftp-perm SKIP_UNIT=1
make SHELL=/bin/bash TEST_SHELL=/bin/bash tests LTESTS=sftp-perm SKIP_UNIT=1
make SHELL=/bin/ksh TEST_SHELL=/bin/ksh tests LTESTS=sftp-perm SKIP_UNIT=1

All fail at the same point, although the '/bin/sh' fails with:

run test sftp-perm.sh ...
/opt/local/src/security/openssh/regress/test-exec.sh: test: unknown operator -nt
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/opt/local/src/security/openssh/regress'
make: *** [tests] Error 2

instead of:

run test sftp-perm.sh ...
YYY
sftp permissions: read-only setstat
XXX PRE RW: -r-------- 1 root 0 Mar 12 16:29 /opt/local/src/security/openssh/regress/copy
XXX POST RW: -rwx------ 1 root 0 Mar 12 16:29 /opt/local/src/security/openssh/regress/copy
XXX PRE RO: -r-------- 1 root 0 Mar 12 16:29 /opt/local/src/security/openssh/regress/copy
XXX POST RO: -r-------- 1 root 0 Mar 12 16:29 /opt/local/src/security/openssh/regress/copy
postcondition check failed: setstat readonly
FATAL: XXX
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/opt/local/src/security/openssh/regress'
make: *** [tests] Error 2

Mike
--
Mike Peterson Information Security Analyst - Audit
E-mail: mikep at noc.utoronto.ca WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230 Fax: 416-978-6620

On Thu, 12 Mar 2015, mikep at noc.utoronto.ca wrote:
> On Thu, 12 Mar 2015, Carson Gaspar wrote:
>
> > On 3/12/15 9:37 AM, mikep at noc.utoronto.ca wrote:
> >
> > > I had the same issue with OpenSSH 6.7, which was never resolved; we do
> > > have '/usr/ucb' on our paths, but I renamed '/usr/ucb/test' to
> > > '/usr/ucb/test.sav' many years ago as it messed up other builds/installs.
> > >
> > > Any other tests/checks I can run?
> >
> > Try with SHELL=TEST_SHELL=/bin/bash
>
> Tried with:
>
> make SHELL=/bin/sh TEST_SHELL=/bin/sh tests LTESTS=sftp-perm SKIP_UNIT=1
> make SHELL=/bin/bash TEST_SHELL=/bin/bash tests LTESTS=sftp-perm SKIP_UNIT=1
> make SHELL=/bin/ksh TEST_SHELL=/bin/ksh tests LTESTS=sftp-perm SKIP_UNIT=1
>
> All fail at the same point, although the '/bin/sh' fails with:

If you are running with the patch then they will definitely all fail
because the testing patch I sent you adds a "fatal XXX" to prevent
extraneous output from being shown. You should revert it before testing.

-d