On Tue, 16 Feb 2016, Jeff Wieland wrote:> The Solaris privilege code breaks building on Solaris 10. If > you let configure just do its thing, you get the following error > when compiling: > > "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used with > the Solaris sandbox" > > So, I did add "--with-solaris-privs" to the command line for > configure, but then I got the following error messages:I think this should fix it. It would be good if someone with recent Solaris/ Illumos that does have the fine-grained privilege support could test it too. diff --git a/configure.ac b/configure.ac index b4c0aaa..f614edf 100644 --- a/configure.ac +++ b/configure.ac @@ -896,11 +896,8 @@ mips-sony-bsd|mips-sony-newsos4) else AC_MSG_RESULT([no]) fi - AC_CHECK_FUNC([setppriv], - [ AC_CHECK_HEADERS([priv.h], [ - SOLARIS_PRIVS="yes" - ]) - ]) + AC_CHECK_FUNC([setppriv]) + AC_CHECK_HEADERS([priv.h]) AC_ARG_WITH([solaris-contracts], [ --with-solaris-contracts Enable Solaris process contracts (experimental)], [ @@ -925,7 +922,9 @@ mips-sony-bsd|mips-sony-newsos4) [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)], [ AC_MSG_CHECKING([for Solaris/Illumos privilege support]) - if test "x$SOLARIS_PRIVS" = "xyes" ; then + if test "x$ac_cv_func_setppriv" = "xyes" -a \ + "x$ac_cv_header_priv_h" = "xyes" ; then + SOLARIS_PRIVS=yes AC_MSG_RESULT([found]) AC_DEFINE([NO_UID_RESTORATION_TEST], [1], [Define to disable UID restoration test])
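Review bot: In the second hunk the new condition joins its two comparisons with `-a` inside a single `test`; the Autoconf manual advises against `-a`/`-o` for portability, so `if test "x$ac_cv_func_setppriv" = "xyes" && test "x$ac_cv_header_priv_h" = "xyes" ; then` is the safer spelling. The condition also proves only that setppriv and priv.h are present, so a platform that has both but lacks some other function the privilege code calls will still report "found"; any such function should be probed in the first hunk and tested here as well. A short comment next to the test noting that it depends on the cache variables set by the AC_CHECK_FUNC([setppriv]) and AC_CHECK_HEADERS([priv.h]) calls in the first hunk would help, since the check and its use now sit in separate places.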
Damien Miller wrote:> On Tue, 16 Feb 2016, Jeff Wieland wrote: > >> The Solaris privilege code breaks building on Solaris 10. If >> you let configure just do its thing, you get the following error >> when compiling: >> >> "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used with >> the Solaris sandbox" >> >> So, I did add "--with-solaris-privs" to the command line for >> configure, but then I got the following error messages: > I think this should fix it. It would be good if someone with recent Solaris/ > Illumos that does have the fine-grained privilege support could test it too. > > diff --git a/configure.ac b/configure.ac > index b4c0aaa..f614edf 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -896,11 +896,8 @@ mips-sony-bsd|mips-sony-newsos4) > else > AC_MSG_RESULT([no]) > fi > - AC_CHECK_FUNC([setppriv], > - [ AC_CHECK_HEADERS([priv.h], [ > - SOLARIS_PRIVS="yes" > - ]) > - ]) > + AC_CHECK_FUNC([setppriv]) > + AC_CHECK_HEADERS([priv.h]) > AC_ARG_WITH([solaris-contracts], > [ --with-solaris-contracts Enable Solaris process contracts (experimental)], > [ > @@ -925,7 +922,9 @@ mips-sony-bsd|mips-sony-newsos4) > [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)], > [ > AC_MSG_CHECKING([for Solaris/Illumos privilege support]) > - if test "x$SOLARIS_PRIVS" = "xyes" ; then > + if test "x$ac_cv_func_setppriv" = "xyes" -a \ > + "x$ac_cv_header_priv_h" = "xyes" ; then > + SOLARIS_PRIVS=yes > AC_MSG_RESULT([found]) > AC_DEFINE([NO_UID_RESTORATION_TEST], [1], > [Define to disable UID restoration test]) >This patch still causes privilege separation sandbox style to be set to solaris on Solaris 10. -- Jeff Wieland | Purdue University Network Systems Administrator | ITIS UNIX Platforms Voice: (765)496-8234 | 155 S. Grant Street FAX: (765)496-1380 | West Lafayette, IN 47907
Jeff Wieland wrote:> Damien Miller wrote: >> On Tue, 16 Feb 2016, Jeff Wieland wrote: >> >>> The Solaris privilege code breaks building on Solaris 10. If >>> you let configure just do its thing, you get the following error >>> when compiling: >>> >>> "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be >>> used with >>> the Solaris sandbox" >>> >>> So, I did add "--with-solaris-privs" to the command line for >>> configure, but then I got the following error messages: >> I think this should fix it. It would be good if someone with recent >> Solaris/ >> Illumos that does have the fine-grained privilege support could test >> it too. >> >> diff --git a/configure.ac b/configure.ac >> index b4c0aaa..f614edf 100644 >> --- a/configure.ac >> +++ b/configure.ac >> @@ -896,11 +896,8 @@ mips-sony-bsd|mips-sony-newsos4) >> else >> AC_MSG_RESULT([no]) >> fi >> - AC_CHECK_FUNC([setppriv], >> - [ AC_CHECK_HEADERS([priv.h], [ >> - SOLARIS_PRIVS="yes" >> - ]) >> - ]) >> + AC_CHECK_FUNC([setppriv]) >> + AC_CHECK_HEADERS([priv.h]) >> AC_ARG_WITH([solaris-contracts], >> [ --with-solaris-contracts Enable Solaris process >> contracts (experimental)], >> [ 
>> @@ -925,7 +922,9 @@ mips-sony-bsd|mips-sony-newsos4) >> [ --with-solaris-privs Enable Solaris/Illumos >> privileges (experimental)], >> [ >> AC_MSG_CHECKING([for Solaris/Illumos privilege support]) >> - if test "x$SOLARIS_PRIVS" = "xyes" ; then >> + if test "x$ac_cv_func_setppriv" = "xyes" -a \ >> + "x$ac_cv_header_priv_h" = "xyes" ; then >> + SOLARIS_PRIVS=yes >> AC_MSG_RESULT([found]) >> AC_DEFINE([NO_UID_RESTORATION_TEST], [1], >> [Define to disable UID restoration test]) >> > This patch still causes privilege separation sandbox style to be > set to solaris on Solaris 10. >Never mind -- I forgot to run autoreconf. It does indeed work correctly on Solaris 8. -- Jeff Wieland | Purdue University Network Systems Administrator | ITIS UNIX Platforms Voice: (765)496-8234 | 155 S. Grant Street FAX: (765)496-1380 | West Lafayette, IN 47907
On 2/16/16 8:21 PM, Damien Miller wrote:> I think this should fix it. It would be good if someone with recent Solaris/ > Illumos that does have the fine-grained privilege support could test it too.Solaris 10 has setppriv, but does not have priv_basicset. To work on Solaris 10, the call would need to be replaced with the equivalent set of explicitly listed privs: "Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY, PRIV_FILE_READ, PRIV_FILE_WRITE, PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_NET_ACCESS, PRIV_PROC_FORK, and PRIV_PROC_EXEC are considered "basic" privileges. These are privileges that used to be always avail- able to unprivileged processes. By default, processes still have the basic privileges."> diff --git a/configure.ac b/configure.ac > index b4c0aaa..f614edf 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -896,11 +896,8 @@ mips-sony-bsd|mips-sony-newsos4) > else > AC_MSG_RESULT([no]) > fi > - AC_CHECK_FUNC([setppriv], > - [ AC_CHECK_HEADERS([priv.h], [ > - SOLARIS_PRIVS="yes" > - ]) > - ]) > + AC_CHECK_FUNC([setppriv]) > + AC_CHECK_HEADERS([priv.h]) > AC_ARG_WITH([solaris-contracts], > [ --with-solaris-contracts Enable Solaris process contracts (experimental)], > [ > @@ -925,7 +922,9 @@ mips-sony-bsd|mips-sony-newsos4) > [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)], > [ > AC_MSG_CHECKING([for Solaris/Illumos privilege support]) > - if test "x$SOLARIS_PRIVS" = "xyes" ; then > + if test "x$ac_cv_func_setppriv" = "xyes" -a \ > + "x$ac_cv_header_priv_h" = "xyes" ; then > + SOLARIS_PRIVS=yes > AC_MSG_RESULT([found]) > AC_DEFINE([NO_UID_RESTORATION_TEST], [1], > [Define to disable UID restoration test]) > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >
On 2/17/16 9:50 AM, Carson Gaspar wrote:
> On 2/16/16 8:21 PM, Damien Miller wrote:
>
>> I think this should fix it. It would be good if someone with recent
>> Solaris/
>> Illumos that does have the fine-grained privilege support could test
>> it too.
>
> Solaris 10 has setppriv, but does not have priv_basicset. To work on
> Solaris 10, the call would need to be replaced with the equivalent set
> of explicitly listed privs:
>
> "Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
> PRIV_FILE_READ, PRIV_FILE_WRITE, PRIV_PROC_INFO, PRIV_PROC_SESSION,
> PRIV_NET_ACCESS, PRIV_PROC_FORK, and PRIV_PROC_EXEC are considered
> "basic" privileges. These are privileges that used to be always avail-
> able to unprivileged processes. By default, processes still have the
> basic privileges."

Of course that's the Sol 11 man page excerpt. Sol 10 doesn't have PRIV_FILE_{READ,WRITE}, but otherwise the basic privs are the same.

--
Carson
On 2/17/16 9:50 AM, Carson Gaspar wrote:> Solaris 10 has setppriv, but does not have priv_basicset. To work on > Solaris 10, the call would need to be replaced with the equivalent set > of explicitly listed privs:The prior art in other apps on the system seems to suggest that priv_str_to_set is a better fallback if priv_basicset is not available. I've attached a patch that seems to build and work on Illumos in both modes (using priv_basicset and using priv_str_to_set). Would you mind trying it on Solaris 10 for me? I did write this keeping Solaris 10 in mind originally, but apparently I missed the lack of priv_basicset. Sorry. -------------- next part -------------->From 6cc3cf443748a3047ca642fd70438baffd2860fd Mon Sep 17 00:00:00 2001From: Alex Wilson <alex.wilson at joyent.com> Date: Wed, 17 Feb 2016 13:56:01 -0800 Subject: [PATCH] wip: fix for sol10 privs --- configure.ac | 1 + openbsd-compat/port-solaris.c | 26 ++++++++++++++++++++------ sandbox-solaris.c | 11 ++++++++--- 3 files changed, 29 insertions(+), 9 deletions(-) diff --git a/configure.ac b/configure.ac index b4c0aaa..d910f53 100644 --- a/configure.ac +++ b/configure.ac @@ -898,6 +898,7 @@ mips-sony-bsd|mips-sony-newsos4) fi AC_CHECK_FUNC([setppriv], [ AC_CHECK_HEADERS([priv.h], [ + AC_CHECK_FUNCS([priv_basicset]) SOLARIS_PRIVS="yes" ]) ]) diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c index 962cd16..0ba80c6 100644 --- a/openbsd-compat/port-solaris.c +++ b/openbsd-compat/port-solaris.c 
@@ -254,11 +254,17 @@ solaris_drop_privs_pinfo_net_fork_exec(void) * etc etc). */ - if ((pset = priv_allocset()) == NULL || - (npset = priv_allocset()) == NULL) + if ((pset = priv_allocset()) == NULL) fatal("priv_allocset: %s", strerror(errno)); +#if defined(HAVE_PRIV_BASICSET) + if ((npset = priv_allocset()) == NULL) + fatal("priv_allocset: %s", strerror(errno)); priv_basicset(npset); +#else + if ((npset = priv_str_to_set("basic", ",", NULL)) == NULL) + fatal("priv_str_to_set: %s", strerror(errno)); +#endif if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 || priv_addset(npset, PRIV_FILE_DAC_READ) != 0 || @@ -294,11 +300,15 @@ solaris_drop_privs_root_pinfo_net(void) { priv_set_t *pset = NULL; + /* Start with "basic" and drop everything we don't need. */ +#if defined(HAVE_PRIV_BASICSET) if ((pset = priv_allocset()) == NULL) fatal("priv_allocset: %s", strerror(errno)); - - /* Start with "basic" and drop everything we don't need. */ priv_basicset(pset); +#else + if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) + fatal("priv_str_to_set: %s", strerror(errno)); +#endif if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 || priv_delset(pset, PRIV_NET_ACCESS) != 0 || @@ -319,11 +329,15 @@ solaris_drop_privs_root_pinfo_net_exec(void) { priv_set_t *pset = NULL; + /* Start with "basic" and drop everything we don't need. */ +#if defined(HAVE_PRIV_BASICSET) if ((pset = priv_allocset()) == NULL) fatal("priv_allocset: %s", strerror(errno)); - - /* Start with "basic" and drop everything we don't need. */ priv_basicset(pset); +#else + if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) + fatal("priv_str_to_set: %s", strerror(errno)); +#endif if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 || priv_delset(pset, PRIV_NET_ACCESS) != 0 || diff --git a/sandbox-solaris.c b/sandbox-solaris.c index 98714e1..a1828ed 100644 --- a/sandbox-solaris.c +++ b/sandbox-solaris.c 
@@ -48,15 +48,20 @@ ssh_sandbox_init(struct monitor *monitor) struct ssh_sandbox *box = NULL; box = xcalloc(1, sizeof(*box)); - box->pset = priv_allocset(); + /* Start with "basic" and drop everything we don't need. */ +#if defined(HAVE_PRIV_BASICSET) + box->pset = priv_allocset(); +#else + box->pset = priv_str_to_set("basic", ",", NULL); +#endif if (box->pset == NULL) { free(box); return NULL; } - - /* Start with "basic" and drop everything we don't need. */ +#if defined(HAVE_PRIV_BASICSET) priv_basicset(box->pset); +#endif /* Drop everything except the ability to use already-opened files */ if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 || -- 2.5.4 (Apple Git-61)
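Review bot: The configure.ac hunk places AC_CHECK_FUNCS([priv_basicset]) inside the nested AC_CHECK_FUNC([setppriv], [ AC_CHECK_HEADERS([priv.h], ...) ]) block, and it is cut against the same base blob b4c0aaa as the configure.ac patch posted earlier in this thread, which deletes that nested block. The two will not apply together, so this needs a rebase with the priv_basicset probe sitting beside the unconditional setppriv and priv.h checks. The commit message is only the subject line "wip: fix for sol10 privs" with no body; it should say that priv_str_to_set("basic", ",", NULL) is used as the fallback when priv_basicset is missing.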
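Review bot: The same `#if defined(HAVE_PRIV_BASICSET)` / `#else` block is pasted three times in openbsd-compat/port-solaris.c and appears in a split form in the sandbox-solaris.c hunk, where ssh_sandbox_init tests the macro twice, once before and once after the NULL check. A single helper that returns a priv_set_t * already holding the basic set (priv_allocset followed by priv_basicset, or priv_str_to_set("basic", ",", NULL)), declared where both files can see it, would keep the fallback in one place and let ssh_sandbox_init keep its existing NULL check with one call. In solaris_drop_privs_pinfo_net_fork_exec the pset and npset allocations are now checked separately, but both paths still end in fatal(), so the failure behaviour there is unchanged.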