search for: use_solaris_priv

...otice (boy that openssl version error message is loooooong...) With Mr. Wilson's patch, I still get: "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used with the Solaris sandbox" Because: $ fgrep SOLARIS config.h #define SANDBOX_SOLARIS 1 /* #undef USE_SOLARIS_PRIVS */ /* #undef USE_SOLARIS_PROCESS_CONTRACTS */ /* #undef USE_SOLARIS_PROJECTS */ If I "fix" it by passing "--with-solaris-privs" to configure, all tests pass without SUDO being set. If I set SUDO then agent.sh fails: trace: agent forwarding FAIL: agent fwd proto 2 failed (exi...

..., ssh-agent and sftp-server. Since the privilege dropping here is roughly equivalent to a more verbose, coarser version of a tame() call, I was wondering if there might be any interest in taking it into openssh-portable in future. Patch is attached. I've made sure all the code is behind #ifdef USE_SOLARIS_PRIVS and added some code in configure.ac to turn this macro on and off. It also has a related fix which turns off the UID restoration test when building --with-solaris-privs (since the fine-grained privs model lets you create an ordinary user who can setuid to root, and sshd should still let such a us...

On Wed, 17 Feb 2016, Alex Wilson wrote: > On 2/17/16 2:04 PM, Alex Wilson wrote: > > I've attached a patch... > > > > Also at > > https://us-east.manta.joyent.com/arekinath/public/openssh-wip-fix-for-sol10-privs.patch > > If you are having trouble getting the patch out of the email. > > Also, as for Damien's patch, you will want to regenerate

...e-auth > privsep sandbox... > Ok, please find attached a revised version. I've moved all of the pre-auth privsep bit into a new sandbox-solaris.c, and for the ssh-agent and sftp-server I've created the platform_drop_agent_privs() and platform_drop_sftp_server_privs() hooks which, if USE_SOLARIS_PRIVS is enabled then call out to the code that's now in openbsd-compat/port-solaris.c Does this look a bit better? The biggest annoyance I had is that now ssh-agent and sftp-server have to link against platform.o, and the easiest way to organise that seemed to be to add it to libssh.a. So now all...

I was involved with the issues building OpenSSH 7.2p1 to use the Solaris sandbox, but I ended up dropping out of the discussion due to being on the road for most of the last couple of weeks. Anyway, the problems persist with OpenSSH 7.2p2 when building with --with-sandbox=solaris. I found that there's an error in openbsd-compat/port-solaris.h on line 30, because the type priv_set_t

On 2/17/16 9:50 AM, Carson Gaspar wrote: > Solaris 10 has setppriv, but does not have priv_basicset. To work on > Solaris 10, the call would need to be replaced with the equivalent set > of explicitly listed privs: The prior art in other apps on the system seems to suggest that priv_str_to_set is a better fallback if priv_basicset is not available. I've attached a patch that seems

https://bugzilla.mindrot.org/show_bug.cgi?id=2511 Bug ID: 2511 Summary: Drop fine-grained privileges on Illumos/Solaris Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Solaris Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs