bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-21 04:54 UTC
[Bug 1423] New: Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423
Summary: Service ACL support for ssh on Mac OS X.
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.7p1
Platform: Other
OS/Version: Mac OS X
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: vgiffin at apple.com
Created an attachment (id=1420)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1420)
SACL support for sshd on Mac OS X.
Attached is a patch for building OpenSSH 4.7p1 on Mac OS X.
This patch adds SACL support to ssh for Mac OS X.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-21 13:49 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2007-12-22
00:49:54 ---
I have no objection to adding support for this, but I think we would
prefer not to add any (more) platform specific config options. Could
it be enabled unconditionally?
Regarding the patch, adding the code into the mainline means it will be
an ongoing maintenance hassle. A preferable way to do it would be to
use the existing sys_auth_allowed_user() hook (see
openbsd-compat/port-aix.c for an example).
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-21 22:08 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423 --- Comment #2 from Disco Vince Giffin <vgiffin at apple.com> 2007-12-22 09:08:01 --- (In reply to comment #1)> I have no objection to adding support for this?Thank you> ?I think we would > prefer not to add any (more) platform specific config options. Could > it be enabled unconditionally?Yes. This would not work for Panther (Mac OS X 10.3), but that's fine by me.> Regarding the patch, adding the code into the mainline means it will be > an ongoing maintenance hassle. A preferable way to do it would be to > use the existing sys_auth_allowed_user() hook (see > openbsd-compat/port-aix.c for an example).I will look into this. Thanks. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-22 13:30 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423 --- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2007-12-23 00:30:41 --- (In reply to comment #2)> (In reply to comment #1) > > ?I think we would > > prefer not to add any (more) platform specific config options. Could > > it be enabled unconditionally? > > Yes. This would not work for Panther (Mac OS X 10.3), but that's fine > by me.Can the code be enabled based on the presence or not of mbr_check_service_membership() or similar? Or do those exist in the older versions too? -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-29 00:03 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423 --- Comment #4 from Disco Vince Giffin <vgiffin at apple.com> 2007-12-29 11:03:21 --- (In reply to comment #3)> (In reply to comment #2) > > (In reply to comment #1) > > > ?I think we would > > > prefer not to add any (more) platform specific config options. Could > > > it be enabled unconditionally? > > > > Yes. This would not work for Panther (Mac OS X 10.3), but that's fine > > by me. > > Can the code be enabled based on the presence or not of > mbr_check_service_membership() or similar? Or do those exist in the > older versions too?Yes, checking for mbr_check_service_membership() should work just fine. No, mbr_check_service_membership() was introduced in Tiger (Mac OS X 10.4). -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-14 03:43 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1481
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-21 05:43 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #5 from Damien Miller <djm at mindrot.org> 2009-01-21
16:43:12 ---
If you can get us a revised diff based on Darren's comments then we
should be able to include this in openssh-5.2.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-23 01:43 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423
Disco Vince Giffin <vgiffin at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1420|0 |1
is obsolete| |
--- Comment #6 from Disco Vince Giffin <vgiffin at apple.com> 2009-01-23
12:43:36 ---
Created an attachment (id=1598)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1598)
Updated patch to check for mbr_check_service_membership() for SACL
support.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-01 22:34 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423 --- Comment #7 from Damien Miller <djm at mindrot.org> 2009-02-02 09:34:44 --- I think what Darren meant was to remove the SACLSupport option and always enable SACL support if the OS supports it. Would this work? -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-02 17:51 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423 --- Comment #8 from Disco Vince Giffin <vgiffin at apple.com> 2009-02-03 04:51:57 --- (In reply to comment #7)> I think what Darren meant was to remove the SACLSupport option and > always enable SACL support if the OS supports it. Would this work?No. It's likely that we'll be switching to enforcing SACLs via a PAM module. So, we'd probably prefer this patch not being taken at all over being on-by-default. Sorry for the trouble. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-02 23:48 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
--- Comment #9 from Damien Miller <djm at mindrot.org> 2009-02-03
10:48:24 ---
Thanks, closing this bug then.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-23 02:35 UTC
[Bug 1423] Service ACL support for ssh on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1423
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #10 from Damien Miller <djm at mindrot.org> 2009-02-23
13:35:45 ---
Close bugs fixed/reviewed for openssh-5.2 release
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
Reasonably Related Threads
- [Bug 1419] New: Fix PTY handling on Mac OS X
- [Bug 1412] New: Support for users in more than 16 groups on Mac OS X.
- [Bug 1420] New: BSM support on Mac OS X
- [Bug 1415] New: Mac OS X has some changes to the default PAM settings.
- [Bug 1416] New: Enable GSSAPI by default on Mac OS X