On 2015-06-07 1:45 PM, aixtools wrote:
> On 2015-06-03 2:43 AM, Ron Frederick wrote:
>> On Jun 2, 2015, at 4:46 PM, Damien Miller <djm at mindrot.org> wrote:
>>> On Tue, 2 Jun 2015, Ron Frederick wrote:
>>>
>>>>> The privsep chroot path is specified at build time (./configure
>>>>> --with-privsep-path if you want to change it).
>>>> Ok, thanks. I've re-run the tests on Linux with --sysconfdir=/etc/ssh
>>>> --with-privsep-path=/var/run, and I no longer see either of the issues
>>>> mentioned above. With the above config option, all tests passed for me
>>>> on Ubuntu 14.04.2 LTS.
>>> You should use /var/run/sshd on Ubuntu. Don't use a directory with other
>>> stuff in it.
> I added --with-privsep-path=/var/run/sshd (as non-root) and when I ran
> "make tests" it aborted when /var/run did not exist - but ran normally
> when /var/run (only exists). but is not writeable by the non-root user
> (i.e., cannot mkdir /var/run/sshd either - so why die when /var/run is
> not there?)
>
> root at x064:[/]ls -ld /var/run
> drwxr-xr-x 2 root system 256 Jun 7 11:31 /var/run
> root at x064:[/]ls -l /var/run
> total 0
>
Shall I add a feature request - to have these tests ALSO run as root,
and privsep is tested as downgrading from root, rather than SUDO up to root.
And, if someone will be willing to assist me with how to integrate some
tests I would work on some tests for AIX using AIX's version of RBAC for
privilege control. (FYI, I will be researching what sshd actually needs
to be run without 'root' as a kickstart - and, in all honesty, am hoping
there is some interest to see configuration example and tests in
openssh-portable)
And the message above (about make tests stopping when /var/run does not
exist) - looks like I forgot to reply to all the first time,
sigh.
>> Ok, thanks. I didn't actually do an install with those parameters. I
>> was just using them to get around the "/var/empty" error that I got
>> in my previous run, but I'll keep this in mind if I upgrade OpenSSH
>> myself on that system.
>>
>>
>>>> Done. This is now filed as bz#2407. No hurry on this one, as the code
>>>> still runs fine at the moment and passes all the tests. I just thought
>>>> I'd report it to avoid future problems if those APIs are ever removed.
>>> Most of those are due to Apple soft-deprecating the OpenSSL libcrypto
>>> API as a supported interface. If they ever fully deprecate it, we'll
>>> ask users to build OpenSSH against an independent installation of
>>> libcrypto.
>> I see. Do you know if there is any way to add something to the
>> Makefile to suppress the warnings in the meantime?
>>
>> One of the other items I called out in the bug that wasn't a
>> deprecation was around the assignment of ssh1_3des_cbc to a
>> "do_cipher" function pointer. It looks like the issue there is that
>> ssh1_3des_cbc is declared to take a "size_t" as its last argument,
>> where the do_cipher function pointer is expecting an "unsigned int".
>> It looks like other instances of functions assigned to do_cipher use
>> the type LIBCRYPTO_EVP_INL_TYPE as the type of this argument, but for
>> some reason this wasn't done in the ssh1 3des case. This looks like
>> it would be an easy fix, though.
>>
>> The last issue was clang not liking the "-pie" switch on compilations.
>