Bug 1423

Summary:

Service ACL support for ssh on Mac OS X.

Product:

Portable OpenSSH

Reporter:

Disco Vince Giffin <vgiffin>

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED WONTFIX

Severity:

normal

CC:

djm, dtucker

Priority:

Version:

4.7p1

Hardware:

Other

OS:

Mac OS X

Bug Depends on:

Bug Blocks:

1481

Attachments:

Description	Flags
SACL support for sshd on Mac OS X.	none
Updated patch to check for mbr_check_service_membership() for SACL support.	none

Description Disco Vince Giffin 2007-12-21 15:54:01 AEDT

Created attachment 1420 [details]
SACL support for sshd on Mac OS X.

Attached is a patch for building OpenSSH 4.7p1 on Mac OS X.

This patch adds SACL support to ssh for Mac OS X.

Comment 1 Darren Tucker 2007-12-22 00:49:54 AEDT

I have no objection to adding support for this, but I think we would prefer not to add any (more) platform specific config options.  Could it be enabled unconditionally?

Regarding the patch, adding the code into the mainline means it will be an ongoing maintenance hassle.  A preferable way to do it would be to use the existing sys_auth_allowed_user() hook (see openbsd-compat/port-aix.c for an example).

Comment 2 Disco Vince Giffin 2007-12-22 09:08:01 AEDT

(In reply to comment #1)
> I have no objection to adding support for this…

Thank you

> …I think we would
> prefer not to add any (more) platform specific config options.  Could
> it be enabled unconditionally?

Yes.  This would not work for Panther (Mac OS X 10.3), but that's fine by me.
 
> Regarding the patch, adding the code into the mainline means it will be
> an ongoing maintenance hassle.  A preferable way to do it would be to
> use the existing sys_auth_allowed_user() hook (see
> openbsd-compat/port-aix.c for an example).

I will look into this.  Thanks.

Comment 3 Darren Tucker 2007-12-23 00:30:41 AEDT

(In reply to comment #2)
> (In reply to comment #1)
> > …I think we would
> > prefer not to add any (more) platform specific config options.  Could
> > it be enabled unconditionally?
> 
> Yes.  This would not work for Panther (Mac OS X 10.3), but that's fine
> by me.

Can the code be enabled based on the presence or not of  mbr_check_service_membership() or similar?  Or do those exist in the older versions too?

Comment 4 Disco Vince Giffin 2007-12-29 11:03:21 AEDT

(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > …I think we would
> > > prefer not to add any (more) platform specific config options.  Could
> > > it be enabled unconditionally?
> > 
> > Yes.  This would not work for Panther (Mac OS X 10.3), but that's fine
> > by me.
> 
> Can the code be enabled based on the presence or not of 
> mbr_check_service_membership() or similar?  Or do those exist in the
> older versions too?

Yes, checking for mbr_check_service_membership() should work just fine.  No, mbr_check_service_membership() was introduced in Tiger (Mac OS X 10.4).

Comment 5 Damien Miller 2009-01-21 16:43:12 AEDT

If you can get us a revised diff based on Darren's comments then we should be able to include this in openssh-5.2.

Comment 6 Disco Vince Giffin 2009-01-23 12:43:36 AEDT

Created attachment 1598 [details]
Updated patch to check for mbr_check_service_membership() for SACL support.

Comment 7 Damien Miller 2009-02-02 09:34:44 AEDT

I think what Darren meant was to remove the SACLSupport option and always enable SACL support if the OS supports it. Would this work?

Comment 8 Disco Vince Giffin 2009-02-03 04:51:57 AEDT

(In reply to comment #7)
> I think what Darren meant was to remove the SACLSupport option and
> always enable SACL support if the OS supports it. Would this work?

No.  It's likely that we'll be switching to enforcing SACLs via a PAM module.  So, we'd probably prefer this patch not being taken at all over being on-by-default.  Sorry for the trouble.

Comment 9 Damien Miller 2009-02-03 10:48:24 AEDT

Thanks, closing this bug then.

Comment 10 Damien Miller 2009-02-23 13:35:45 AEDT

Close bugs fixed/reviewed for openssh-5.2 release