Displaying 20 results from an estimated 400 matches similar to: "[PATCH] drop root privileges on solaris, request for testing"
2011 Jul 19
4
[PATCH v1 0/2] Support dropping of capabilities from early userspace.
This patchset applies to klibc mainline. As is, it will probably collide
with Maximilian's recent patch to rename run-init to switch_root posted
last week.
To boot an untrusted environment with certain capabilities locked out,
we'd like to be able to drop the capabilities up front from early
userspace, before we actually transition onto the root volume.
This patchset implements this by
2015 Nov 29
22
[Bug 2511] New: Drop fine-grained privileges on Illumos/Solaris
https://bugzilla.mindrot.org/show_bug.cgi?id=2511
Bug ID: 2511
Summary: Drop fine-grained privileges on Illumos/Solaris
Product: Portable OpenSSH
Version: 7.1p1
Hardware: Other
OS: Solaris
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs
2007 Feb 23
0
Simple patch
Inline below is a simple patch that drops the root capabilities that
aren't needed (inspired by a similar patch against the mpm_itk
project!). Possibly it is a little too restrictive, extras can be
added to suidcaps, but on platforms that support capabilities this
will prevent things such as kernel module loading.
Needed on Linux is libcap, available in most distros. Note that this
2019 Mar 26
1
IMAP coredumps for one user
FreeBSD-12
Dovecot-2.3.5
I am having problems with one use
Mar 25 21:30:12 imap(gau.mon at crownkenya.com)<91364><U7qCZO+ECfCaRh6E>:
Fatal: master: service(imap): child 91364 killed with signal 6 (core dumped)
Mar 25 21:30:14 imap(gau.mon at crownkenya.com)<2381><moHYZO+EDvCaRh6E>:
Fatal: master: service(imap): child 2381 killed with signal 6 (core dumped)
Mar 26 06:29:26
2019 Mar 25
0
Panic
Dovecot-2.3.5, FreeBSD-12 (amd64),
I will wait to see coredumps after setting up things to allow it.
Mar 24 20:56:08 imap(john.doe at crownkenya.com)<82746><wg80zdqEy+eaTXHr>:
Panic: file mempool-system.c: line 137 (pool_system_realloc): assertion
failed: (old_size == (size_t)-1 || mem == NULL || old_size <=
malloc_usable_size(mem))
Mar 24 20:56:08 imap(john.doe at
2016 Feb 17
4
Call for testing: OpenSSH 7.2
On Wed, 17 Feb 2016, Alex Wilson wrote:
> On 2/17/16 2:04 PM, Alex Wilson wrote:
> > I've attached a patch...
> >
>
> Also at
>
> https://us-east.manta.joyent.com/arekinath/public/openssh-wip-fix-for-sol10-privs.patch
>
> If you are having trouble getting the patch out of the email.
>
> Also, as for Damien's patch, you will want to regenerate
2012 May 04
2
[PATCH] run-init: add drop_capabilities support
Building on the work in ff0a614bd724f6c4c6a5014a9955dc1bc028f336,
this moves the capability code down into the run-init library, so that
run-init can use it as well, via the new "-d" flag.
Signed-off-by: Kees Cook <kees at outflux.net>
---
usr/kinit/Kbuild | 3 +--
usr/kinit/capabilities.h | 10 ++++++++++
usr/kinit/kinit.c | 6 +++---
2011 Aug 03
1
[PATCH v2] kinit: Add drop_capabilities support.
This patch adds the ability to kinit to allow the dropping of POSIX
capabilities.
kinit is modified by this change, such that it understands the new
kernel command line "drop_capabilities=" that specifies a comma
separated list of capability names that should be dropped before
switching over to the next init in the bootstrap (typically on the root
disk).
When processing capabilities
2016 Jan 17
1
[PATCH klibc] run-init: Add dry-run mode
initramfs-tools wants to validate the real init program before running
it, as there is no way out once it has exec'd run-init. This is
complicated by the increasing use of symlinks for /sbin/init and for
/sbin itself. We can't simply resolve them with 'readlink -f' because
any absolute symlinks will be resolved using the wrong root. Add a
dry-run mode (-n option) to run-init
2016 Feb 17
5
Call for testing: OpenSSH 7.2
On Tue, 16 Feb 2016, Jeff Wieland wrote:
> The Solaris privilege code breaks building on Solaris 10. If
> you let configure just do its thing, you get the following error
> when compiling:
>
> "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used with
> the Solaris sandbox"
>
> So, I did add "--with-solaris-privs" to the
2019 Jan 18
0
[klibc:master] run-init: Add dry-run mode
Commit-ID: 10059fddba9f8bec6aeb0d37d217df6d65e64c3b
Gitweb: http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=10059fddba9f8bec6aeb0d37d217df6d65e64c3b
Author: Ben Hutchings <ben at decadent.org.uk>
AuthorDate: Sun, 17 Jan 2016 19:50:28 +0000
Committer: Ben Hutchings <ben at decadent.org.uk>
CommitDate: Wed, 2 Jan 2019 03:08:04 +0000
[klibc] run-init: Add dry-run mode
2006 Jun 01
1
ssl-proxy: client certificates and crl check
--- ssl-proxy-openssl.c.orig 2006-04-04 10:32:58.000000000 +0200
+++ ssl-proxy-openssl.c 2006-06-01 09:24:57.000000000 +0200
@@ -498,7 +498,7 @@
const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)
{
X509 *x509;
- char buf[1024];
+ char buf[256];
const char *name;
if
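Review bot: shrinking buf from 1024 to 256 bytes in ssl_proxy_get_peer_name() is only safe if whatever writes into it is bounded by sizeof(buf). The visible lines stop before that call, so please confirm no hard-coded 1024 length remains further down in the function. A 256-byte buffer can also truncate a long certificate subject name, so the change description should state whether a truncated peer name is acceptable to callers.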
2016 Feb 17
4
Call for testing: OpenSSH 7.2
On 2/17/16 9:50 AM, Carson Gaspar wrote:
> Solaris 10 has setppriv, but does not have priv_basicset. To work on
> Solaris 10, the call would need to be replaced with the equivalent set
> of explicitly listed privs:
The prior art in other apps on the system seems to suggest that
priv_str_to_set is a better fallback if priv_basicset is not available.
I've attached a patch that seems
2019 Apr 18
0
[PATCH] Allow the initramfs to be persisted across root changes
systemd supports switching back to the initramfs during shutdown in
order to make it easier to clean up the root file system. This is
desirable in order to allow us to remove keys from RAM before rebooting,
making it harder to obtain confidential information by rebooting into an
environment that scrapes RAM contents.
Signed-off-by: Matthew Garrett <mjg59 at google.com>
---
2016 Feb 16
2
Call for testing: OpenSSH 7.2
On Tue, Feb 16, 2016 at 01:28:42AM -0500, Jeff Wieland wrote:
> The Solaris privilege code breaks building on Solaris 10. If
> you let configure just do its thing, you get the following error
> when compiling:
>
> "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used
> with the Solaris sandbox"
Could you please try this patch? It adds
2019 Apr 28
0
[klibc:master] run-init: Allow the initramfs to be persisted across root changes
Commit-ID: 603f1bb024a03d9c50a89e7256ae7814292baf06
Gitweb: http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=603f1bb024a03d9c50a89e7256ae7814292baf06
Author: Matthew Garrett <matthewgarrett at google.com>
AuthorDate: Thu, 18 Apr 2019 12:12:27 -0700
Committer: Ben Hutchings <ben at decadent.org.uk>
CommitDate: Sat, 20 Apr 2019 17:11:34 +0100
[klibc] run-init: Allow
2003 Apr 16
1
PATCH Add support for kqueue in ioloop subsystem
Hey,
I noticed that there was an ioloop "module" (if we can call it that) for
select and poll and decided to add one for kqueue (aka kevent), BSD's high
performance descriptor multiplexing API. I haven't done any of the
configure glue stuff but the code is complete and works well. kqueue is
available on all recent versions of FreeBSD, NetBSD, OpenBSD and Darwin
(and therefore MacOS
2019 Apr 18
1
[PATCH] Allow the initramfs to be persisted across root changes
systemd supports switching back to the initramfs during shutdown in
order to make it easier to clean up the root file system. This is
desirable in order to allow us to remove keys from RAM before rebooting,
making it harder to obtain confidential information by rebooting into an
environment that scrapes RAM contents.
---
debian/changelog | 4 +
2009 Mar 24
1
Making changes to dovecot log levels
Hi Timo,
Awhile back I'd written about making changes to some of the log levels
that dovecot writes to to stop the process from writing these to monitor.
I wanted to run a few changes by you for this, just to make sure these
won't cause problems somewhere else. And to send this to the list, in
case anyone else wants to make similar changes in the future.
In the file
2009 Apr 09
2
Panic: file mempool-system.c: line 104
Hello!
I have used Dovecot for more than a year without problems, but today it
just crashed with this message:
dovecot: Apr 09 21:23:38 Panic: file mempool-system.c: line 104
(pool_system_realloc): assertion failed: (old_size == (size_t)-1 || mem
== NULL || old_size <= malloc_usable_size(mem))
dovecot: Apr 09 21:23:38 Error: Raw backtrace: /usr/local/sbin/dovecot
[0x805757c] ->