I was involved with the issues building OpenSSH 7.2p1 to use the Solaris sandbox, but I ended up dropping out of the discussion due to being on the road for most of the last couple of weeks.

Anyway, the problems persist with OpenSSH 7.2p2 when building with --with-sandbox=solaris. I found that there's an error in openbsd-compat/port-solaris.h on line 30, because the type priv_set_t hasn't been defined:

/opt/SUNWspro/bin/cc -m32 -xtarget=ultra -xarch=sparc -xO5 -xstrconst -xdepend -Xa -I. -I.. -I. -I./.. -I/opt/openssl-1.0/include -DHAVE_CONFIG_H -c arc4random.c
"../openbsd-compat/port-solaris.h", line 30: warning: old-style declaration or incorrect type for: priv_set_t
"../openbsd-compat/port-solaris.h", line 30: syntax error before or at: *
"../openbsd-compat/port-solaris.h", line 30: warning: old-style declaration or incorrect type for: solaris_basic_privset
cc: acomp failed for arc4random.c
*** Error code 2
make: Fatal error: Command failed for target `arc4random.o'
Current working directory /opt/src/sys/openssh/openssh-7.2p2/openbsd-compat
*** Error code 1
make: Fatal error: Command failed for target `openbsd-compat/libopenbsd-compat.a'

The fix appears to be simple -- add #include <priv.h> to openbsd-compat/port-solaris.h.

I've also found that to build with Solaris sandbox support, you need to turn on Solaris privileges support with --with-solaris-privs as well. In very brief testing, it does appear to work.

-- 
Jeff Wieland | Purdue University Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234 | 155 S. Grant Street
FAX: (765)496-1380 | West Lafayette, IN 47907
On 3/10/16 2:07 PM, Jeff Wieland wrote:
> I was involved with the issues building OpenSSH 7.2p1 to use the
> Solaris sandbox, but I ended up dropping out of the discussion
> due to being on the road for most of the last couple of weeks.
>
> Anyway, the problems persist with OpenSSH 7.2p2 when building
> with --with-sandbox=solaris. I found that there's an error in
> openbsd-compat/port-solaris.h on line 30, because the type
> priv_set_t hasn't been defined:
>
> <snip>
>
> The fix appears to be simple -- add #include <priv.h> to
> openbsd-compat/port-solaris.h.
>

Yes, I've just finally caught up with starting to deploy 7.2 here (on Illumos) and noticed the same thing. Not sure how I missed it when building the proposed fix patch back when it was merged, though. I suspect that email thread had a few too many different patches floating around in it.

This is the exact diff I used to fix up the build:

diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h
index 3a41ea8..a7cb5eb 100644
--- a/openbsd-compat/port-solaris.h
+++ b/openbsd-compat/port-solaris.h
@@ -27,6 +27,7 @@ void solaris_contract_post_fork_child(void);
 void solaris_contract_post_fork_parent(pid_t pid);
 void solaris_set_default_project(struct passwd *);
 # ifdef USE_SOLARIS_PRIVS
+#include <priv.h>
 priv_set_t *solaris_basic_privset(void);
 void solaris_drop_privs_pinfo_net_fork_exec(void);
 void solaris_drop_privs_root_pinfo_net(void);
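Review bot: the `# ifdef USE_SOLARIS_PRIVS` that now wraps `+#include <priv.h>` also hides the three prototypes below it, so a --with-sandbox=solaris build still fails unless --with-solaris-privs is given as well, exactly as Jeff found upthread; a one-line comment on the `# ifdef` saying that the Solaris sandbox depends on this block (or a configure-time error when the sandbox is selected without privileges) would save the next person that detour. Keeping the include inside the guard is otherwise the right call: port-solaris.h is pulled into every openbsd-compat object (the reported failure was in arc4random.c), so an unguarded include would make priv.h a hard requirement even for builds that never use the privilege code. Minor style point: the enclosing directive is written `# ifdef`, so `#  include <priv.h>` would match the nesting convention of the surrounding lines.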
On Fri, Mar 11, 2016 at 10:23 AM, Alex Wilson <alex at cooperi.net> wrote:
> This is the exact diff I used to fix up the build:
[...]
> +#include <priv.h>

Applied, thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.