openssh unix dev - Jul 2000 - WITH_IRIX_AUDIT causes error (fwd)

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)



---------- Forwarded message ----------
Date: Thu, 20 Jul 2000 15:46:23 -0500
From: Brian Hanna <bdhanna at cmrr.umn.edu>
To: openssh at openssh.com
Subject: WITH_IRIX_AUDIT causes error


Hi,

I compiled and was able to run sshd. I started ssh as root and was able
to get to my local host. I dropped down to a regular user and tried
ssh again. I got the error

error setting satid

and no connection.

I read a bit in the archives and found the patch that Mark Stone posted
regarding WITH_IRIX_*. The patch referred to uidswap.c and
permanently_set_uid().
I found his patch was already in the version I compiled. 

I could see that if WITH_IRIX_AUDIT was not defined, the satsetid() call would
not
be made, and the error could be avoided. I looked for satsetid on my system
and didn't find it. I am on Irix 6.4.

I commented out the #define in config.h and was able to compile and run
ssh as a normal user.

/* Define if you want IRIX audit trails */
/* problems for us */
/* #define WITH_IRIX_AUDIT 1 */                                                 

Questions: 
1) Is it still secure? (I'm guessing yes.)
2) What should I install so that setsatid() is on my system?
3) Is there a better way for the configure to work, so as not to force this on?

Hope this is helpful.

Brian

Brian Hanna
Unix System Admin
bdhanna at cmrr.umn.edu

On Fri, Jul 21, 2000 at 09:55:27AM +1000, Damien Miller
wrote:
> I compiled and was able to run sshd. I started ssh as root and was able
> to get to my local host. I dropped down to a regular user and tried
> ssh again. I got the error
> 
> error setting satid
Hmm. There should be more. (The relevant code in the patch was "error
setting satid: %.100s", strerror(errno). There should be a colon and
hopefully some more info.)
> I could see that if WITH_IRIX_AUDIT was not defined, the satsetid() call
would not
> be made, and the error could be avoided. I looked for satsetid on my system
> and didn't find it. I am on Irix 6.4.
What is the output of the following (from the command line):
chkconfig | grep audit
sysconf | egrep AUDIT\|SAT
> 1) Is it still secure? (I'm guessing yes.)
Yes. The satid is only used for audit trails. (If you're using them, you
would know. They're really big :)
> 2) What should I install so that setsatid() is on my system?
For IRIX 6.4 it may be part of trusted IRIX. In IRIX 6.5 it's
eoe.sw.audit
> 3) Is there a better way for the configure to work, so as not to force this
on?
Well, I've got a theory. The line that says 
	if (sysconf(_SC_AUDIT)) {
was based on the "here's how to make sure it works on all systems"
instructions. Serves me right to trust a manual. IRIX 6.4 probably
doesn't define _SC_AUDIT, and sysconf is returning -1 on error. Change
the above line to
	if (sysconf(_SC_AUDIT) == 1) {
I'm interested in the sysconf output above because the flag we're
looking for might have had a different name in IRIX 6.4, which would
make the check something like
	if (sysconf(_SC_AUDIT) == 1 || sysconf(_SC_SAT) == 1) {

-- 
Mike Stone