18898794 ssh connections fail with openssh, same config works with sunssh
authorTomas Kuthan <tomas.kuthan@oracle.com>
Wed, 29 Oct 2014 08:04:59 -0700
changeset 2181 e4bedf346edf
parent 2180 bc1340c26305
child 2182 9f1202f3ddbd
18898794 ssh connections fail with openssh, same config works with sunssh
components/openssh/Makefile
components/openssh/patches/019-no_uid_restoration_test.patch
--- a/components/openssh/Makefile	Sat Oct 25 10:54:16 2014 -0700
+++ b/components/openssh/Makefile	Wed Oct 29 08:04:59 2014 -0700
@@ -56,6 +56,7 @@
 CFLAGS += -DPAM_ENHANCEMENT
 CFLAGS += -DPAM_BUGFIX
 CFLAGS += -DOPTION_DEFAULT_VALUE
+CFLAGS += -DNO_UID_RESTORATION_TEST
 
 CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)" 
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/019-no_uid_restoration_test.patch	Wed Oct 29 08:04:59 2014 -0700
@@ -0,0 +1,70 @@
+#
+# OpenSSH verifies, that changing [ug]id back to 0 fails, after it
+# was set to the values of the user logging in.
+# On Solaris, if that user was given PRIV_PROC_SETUID privilege,
+# set[gu]id(0) succeeds. But in this case this is not an error in
+# dropping privilege, such user is supposed to be able to do that.
+#
+# This fix removes this check entirely. Skipping the check only in
+# case PRIV_PROC_SETUID is asserted in the effective set was considered
+# but decided against. The check is redundant, because inability to
+# restore uid=0 can be inferred from successful run of setreuid(uid, uid).
+#
+# The fix is implemented by replacing an OS-related HAVE_CYGWIN guard
+# with a functional NO_UID_RESTORATION_TEST and by defining the new
+# symbol in the component Makefile.
+#
+# This patch was submitted upstream:
+#
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2299
+#
+# See the above URL for details on if/when it might be accepted.
+#
+diff -ur old/uidswap.c new/uidswap.c
+--- old/uidswap.c	2014-01-18 01:43:50.000000000 -0800
++++ new/uidswap.c	2014-09-04 06:26:32.965065384 -0700
[email protected]@ -134,7 +134,7 @@
+ void
+ permanently_drop_suid(uid_t uid)
+ {
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ 	uid_t old_uid = getuid();
+ #endif
+ 
[email protected]@ -142,7 +142,7 @@
+ 	if (setresuid(uid, uid, uid) < 0)
+ 		fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
+ 
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ 	/* Try restoration of UID if changed (test clearing of saved uid) */
+ 	if (old_uid != uid &&
+ 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
[email protected]@ -199,7 +199,7 @@
+ void
+ permanently_set_uid(struct passwd *pw)
+ {
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ 	uid_t old_uid = getuid();
+ 	gid_t old_gid = getgid();
+ #endif
[email protected]@ -227,7 +227,7 @@
+ 	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
+ 		fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+ 
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ 	/* Try restoration of GID if changed (test clearing of saved gid) */
+ 	if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
+ 	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))
[email protected]@ -241,7 +241,7 @@
+ 		    (u_int)pw->pw_gid);
+ 	}
+ 
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ 	/* Try restoration of UID if changed (test clearing of saved uid) */
+ 	if (old_uid != pw->pw_uid &&
+ 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))