openssh bugs - Dec 2007 - [Bug 1420] New: BSM support on Mac OS X

https://bugzilla.mindrot.org/show_bug.cgi?id=1420

           Summary: BSM support on Mac OS X
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: Other
        OS/Version: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: vgiffin at apple.com


Created an attachment (id=1417)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1417)
Adds BSM support.

Attached is a patch for building OpenSSH 4.7p1 on Mac OS X.

This patch adds part of the BSM support for Mac OS X.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420





--- Comment #1 from Darren Tucker <dtucker at zip.com.au>  2007-12-22
01:23:43 ---
(From update of attachment 1417)
>+#if defined(__APPLE__)
>+	/* don't have a aug_get_machine */
>+	tid->at_addr[0] = inet_addr(host);
>+	tid->at_type = 0;
>+	snprintf(buf, sizeof(buf), "%08x", tid->at_addr[0]);
>+	debug3("BSM audit: machine ID %s", buf);
A cleaner way to do this is implement aug_get_machine as a static
function in this file, and activate it based on the presence (or not)
of aug_get_machine.  I believe FreeBSD would also benefit from this.

I will post an alternative patch.
>-		AC_CHECK_FUNCS(getaudit_addr)
>+		AC_CHECK_FUNCS(getaudit_addr,
>+				[
>+				case "$host" in
>+				*-*-darwin7* | *-*-darwin8*)
>+					AC_MSG_CHECKING(for getaudit_addr usability)
>+					AC_MSG_RESULT(no)
>+					;;
>+					*) AC_DEFINE(HAVE_GETAUDIT_ADDR,
Could you please explain why this is needed?  darwin7 and darwin8 have
a getaudit_addr but it doesn't work?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420





--- Comment #2 from Darren Tucker <dtucker at zip.com.au>  2007-12-22
02:59:58 ---
(From update of attachment 1417)
>+#if defined(__APPLE__)
>+	/* don't have a aug_get_machine */
>+	tid->at_addr[0] = inet_addr(host);
>+	tid->at_type = 0;
>+	snprintf(buf, sizeof(buf), "%08x", tid->at_addr[0]);
>+	debug3("BSM audit: machine ID %s", buf);
>+#else
How does this cope with connections from IPv6 addresses?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1417 is|0                           |1
           obsolete|                            |




--- Comment #3 from Darren Tucker <dtucker at zip.com.au>  2007-12-24
06:40:29 ---
Created an attachment (id=1422)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1422)
Implement aug_get_machine for BSM audit support

This should work on OS X (modulo the query I have about handling IPv6
connections) and FreeBSD/OpenBSM (untested).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement
                 CC|                            |dtucker at zip.com.au




-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420





--- Comment #4 from Disco Vince Giffin <vgiffin at apple.com>  2008-01-03
08:28:22 ---
(In reply to comment #2)
> (From update of attachment 1417 [details])
> >+#if defined(__APPLE__)
> >+	/* don't have a aug_get_machine */
> >+	tid->at_addr[0] = inet_addr(host);
> >+	tid->at_type = 0;
> >+	snprintf(buf, sizeof(buf), "%08x", tid->at_addr[0]);
> >+	debug3("BSM audit: machine ID %s", buf);
> >+#else
> 
> How does this cope with connections from IPv6 addresses?
This, unfortunately, does not cope with IPv6 addresses.  I have filed a
bug in our system to have this addressed.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420





--- Comment #5 from Darren Tucker <dtucker at zip.com.au>  2008-01-03
08:40:55 ---
(In reply to comment #4)
> This, unfortunately, does not cope with IPv6 addresses.  I have filed a
> bug in our system to have this addressed.
The code I posted (attachment #1422) does cope with IPv6 addresses, but
since the original patch doesn't I'm not sure that it will write a
record of the correct format.

On Solaris, AU_IPv6 = 16 and AU_IPv4 = 4.  (There's also  comment in
the header about them being the sizes of the addresses which might
cause trouble down the track if code assumes that's always the case and
another address types happen to be 16 bytes...)
>From patch 1417, it appears that Apple have made record type 0 to be
IPv4, the question is what's IPv6?  My patch assumes 1.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420





--- Comment #6 from Disco Vince Giffin <vgiffin at apple.com>  2008-01-03
11:32:43 ---
(In reply to comment #5)
> (In reply to comment #4)
> > This, unfortunately, does not cope with IPv6 addresses.  I have filed
a
> > bug in our system to have this addressed.
> 
> The code I posted (attachment #1422 [details]) does cope with IPv6
addresses, but
> since the original patch doesn't I'm not sure that it will write a
> record of the correct format.
> 
> On Solaris, AU_IPv6 = 16 and AU_IPv4 = 4.  (There's also  comment in
> the header about them being the sizes of the addresses which might
> cause trouble down the track if code assumes that's always the case and
> another address types happen to be 16 bytes...)
> 
> From patch 1417, it appears that Apple have made record type 0 to be
> IPv4, the question is what's IPv6?  My patch assumes 1.
When this patch was created, we only supported IPv4 so the type was
just set to 0 (and not used).  I expect that we will adopt the types
that are used in OpenBSM (AU_IPv6 = 16 and AU_IPv4 = 4) when IPv6
support is added.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1422 is|0                           |1
           obsolete|                            |




--- Comment #7 from Darren Tucker <dtucker at zip.com.au>  2008-01-03
21:47:51 ---
Created an attachment (id=1433)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1433)
Add aug_get_machine, make AU_IPv6 optional

In that case I think this is the way to do it.  The patch should have
equivalent behaviour to your original patch on current platforms, and
should also work when AU_IPv6 is added.  Could you please confirm?

Also: if there are any users of OpenBSM and/or FreeBSD out there that
could also test that would be appreciated.

Thanks.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420





--- Comment #8 from Disco Vince Giffin <vgiffin at apple.com>  2008-01-04
06:41:47 ---
(In reply to comment #7)
> In that case I think this is the way to do it.  The patch should have
> equivalent behaviour to your original patch on current platforms, and
> should also work when AU_IPv6 is added.  Could you please confirm?
This looks good.

Thank you, sir.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1353




--- Comment #9 from Darren Tucker <dtucker at zip.com.au>  2008-01-08
15:21:27 ---
(In reply to comment #8)
> This looks good.
By "looks good" do you mean that it behaves correctly when tested?  If
it has been tested then I'm ok with putting it in 4.8.
> Thank you, sir.
You're welcome.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1433|                            |ok?
               Flag|                            |




-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1433|ok?                         |ok+
               Flag|                            |




--- Comment #10 from Damien Miller <djm at mindrot.org>  2008-01-20
06:58:51 ---
(From update of attachment 1433)
ok

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420





--- Comment #11 from Disco Vince Giffin <vgiffin at apple.com>  2008-01-22
08:13:10 ---
(In reply to comment #9)
> (In reply to comment #8)
> > This looks good.
> 
> By "looks good" do you mean that it behaves correctly when
tested?  If
> it has been tested then I'm ok with putting it in 4.8.
Yes.  Our normal build process doesn't run autoconf, so I did have to
run that manually and augment the patch (with hunks for configure and
config.h.in).  After that it worked as expected.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added                       
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED                    
         Resolution|                            |FIXED                       




--- Comment #12 from Darren Tucker <dtucker at zip.com.au>  2008-02-25
21:06:33 ---
patch #1433 has been applied (with a couple of extra headers spotted by
csjp at FreeBSD org) and will be in 4.8.  Thanks.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1420


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added                       
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED                      




--- Comment #13 from Damien Miller <djm at mindrot.org>  2008-03-31
15:23:22 ---
Fix shipped in 4.9/4.9p1 release.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.