Bugzilla – Attachment 2273 Details for
Bug 2107
seccomp sandbox breaks GSSAPI
[patch]
Handle ssh_gssapi_supported_oids in monitor for seccomp sandbox compatibility
gssapi-seccomp.patch (text/plain), 5.67 KB, created by
Colin Watson
on 2013-05-18 07:34:54 AEST
Description:
Handle ssh_gssapi_supported_oids in monitor for seccomp sandbox compatibility
Filename:
MIME Type:
Creator:
Colin Watson
Created:
2013-05-18 07:34:54 AEST
Size:
5.67 KB
patch
obsolete
>=== modified file 'auth2-gss.c'
>--- auth2-gss.c 2013-04-23 05:18:51 +0000
>+++ auth2-gss.c 2013-05-17 21:32:25 +0000
>@@ -77,7 +77,7 @@ userauth_gssapi(Authctxt *authctxt)
> return (0);
> }
> 
>- ssh_gssapi_supported_oids(&supported);
>+ PRIVSEP(ssh_gssapi_supported_oids(&supported));
> do {
> mechs--;
> 
>
>=== modified file 'monitor.c'
>--- monitor.c 2013-05-16 10:29:28 +0000
>+++ monitor.c 2013-05-17 21:32:25 +0000
>@@ -176,6 +176,7 @@ int mm_answer_pam_free_ctx(int, Buffer *
> #endif
> 
> #ifdef GSSAPI
>+int mm_answer_gss_supported_oids(int, Buffer *);
> int mm_answer_gss_setup_ctx(int, Buffer *);
> int mm_answer_gss_accept_ctx(int, Buffer *);
> int mm_answer_gss_userok(int, Buffer *);
>@@ -248,6 +249,7 @@ struct mon_table mon_dispatch_proto20[]
> {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
> {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
> #ifdef GSSAPI
>+ {MONITOR_REQ_GSSSUPPORTEDOIDS, MON_ISAUTH, mm_answer_gss_supported_oids},
> {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
> {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
> {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
>@@ -2051,6 +2053,28 @@ monitor_reinit(struct monitor *mon)
> 
> #ifdef GSSAPI
> int
>+mm_answer_gss_supported_oids(int sock, Buffer *m)
>+{
>+ gss_OID_set oidset;
>+ size_t i;
>+ OM_uint32 min_status;
>+
>+ ssh_gssapi_supported_oids(&oidset);
>+
>+ buffer_clear(m);
>+ buffer_put_int(m, (u_int)oidset->count);
>+ for (i = 0; i < oidset->count; i++)
>+ buffer_put_string(m, oidset->elements[i].elements,
>+ oidset->elements[i].length);
>+
>+ gss_release_oid_set(&min_status, &oidset);
>+
>+ mm_request_send(sock, MONITOR_ANS_GSSSUPPORTEDOIDS, m);
>+
>+ return (0);
>+}
>+
>+int
> mm_answer_gss_setup_ctx(int sock, Buffer *m)
> {
> gss_OID_desc goid;
>
>=== modified file 'monitor.h'
>--- monitor.h 2012-12-02 22:53:20 +0000
>+++ monitor.h 2013-05-17 21:32:25 +0000
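Review bot: With `PRIVSEP(ssh_gssapi_supported_oids(&supported))` the set that reaches the privsep child is built by mm_ssh_gssapi_supported_oids() from xcalloc() and buffer_get_string() rather than by the GSSAPI library, so whatever releases `supported` later in userauth_gssapi() (presumably the existing gss_release_oid_set() call, which is outside this hunk) hands OpenSSH-allocated storage to a library release routine. That only works while the GSSAPI implementation in use frees OID sets with plain free(); the safer shape is to free the privsep copy explicitly in the child under the same privsep test (each element buffer, then the element array, then the set), or at least to record the assumption next to the call: `/* In privsep mode `supported' is a malloc'd copy from the monitor; releasing it relies on gss_release_oid_set() using free(). */`. userauth_gssapi() begins and ends outside this hunk.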
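Review bot: mm_answer_gss_supported_oids() dereferences `oidset->count` immediately after `ssh_gssapi_supported_oids(&oidset)` without checking that a set was produced; if that helper can leave the pointer as GSS_C_NO_OID_SET when the library call inside it fails (its body is not part of this patch), the privileged monitor dies on a NULL dereference rather than answering in a controlled way. A guard such as `if (oidset == GSS_C_NO_OID_SET) fatal("%s: no supported OID set", __func__);` before buffer_clear() keeps the failure explicit. It would also help to document the reply layout that the unprivileged side must mirror, e.g. `/* Reply: u_int count, then count strings carrying each OID's raw element bytes; keep in sync with mm_ssh_gssapi_supported_oids(). */`.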
>@@ -51,16 +51,17 @@ enum monitor_reqtype {
> MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
> MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
> MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
>- MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43,
>- MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
>- MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
>- MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
>- MONITOR_REQ_TERM = 50,
>- MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53,
>- MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55,
>- MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
>- MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
>- MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
>+ MONITOR_REQ_GSSSUPPORTEDOIDS = 42, MONITOR_ANS_GSSSUPPORTEDOIDS = 43,
>+ MONITOR_REQ_GSSSETUP = 44, MONITOR_ANS_GSSSETUP = 45,
>+ MONITOR_REQ_GSSSTEP = 46, MONITOR_ANS_GSSSTEP = 47,
>+ MONITOR_REQ_GSSUSEROK = 48, MONITOR_ANS_GSSUSEROK = 49,
>+ MONITOR_REQ_GSSCHECKMIC = 50, MONITOR_ANS_GSSCHECKMIC = 51,
>+ MONITOR_REQ_TERM = 52,
>+ MONITOR_REQ_JPAKE_STEP1 = 54, MONITOR_ANS_JPAKE_STEP1 = 55,
>+ MONITOR_REQ_JPAKE_GET_PWDATA = 56, MONITOR_ANS_JPAKE_GET_PWDATA = 57,
>+ MONITOR_REQ_JPAKE_STEP2 = 58, MONITOR_ANS_JPAKE_STEP2 = 59,
>+ MONITOR_REQ_JPAKE_KEY_CONFIRM = 60, MONITOR_ANS_JPAKE_KEY_CONFIRM = 61,
>+ MONITOR_REQ_JPAKE_CHECK_CONFIRM = 62, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 63,
> 
> MONITOR_REQ_PAM_START = 100,
> MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
>
>=== modified file 'monitor_wrap.c'
>--- monitor_wrap.c 2013-04-23 04:25:52 +0000
>+++ monitor_wrap.c 2013-05-17 21:32:25 +0000
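Review bot: Inserting the new pair at 42/43 renumbers every following GSS, TERM and JPAKE value (MONITOR_REQ_GSSSETUP 42→44 through MONITOR_ANS_JPAKE_CHECK_CONFIRM 61→63), ten rewritten lines for one new request, which makes the change harder to audit against the dispatch tables in monitor.c. Since these numbers are only exchanged between sshd and its own forked child, the renumbering is not a compatibility problem as far as I can tell, but it is avoidable: the slots after the JPAKE entries are unused, so `MONITOR_REQ_GSSSUPPORTEDOIDS = 62, MONITOR_ANS_GSSSUPPORTEDOIDS = 63,` placed after MONITOR_ANS_JPAKE_CHECK_CONFIRM leaves every existing value untouched.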
>@@ -1207,6 +1207,32 @@ mm_audit_run_command(const char *command
> #endif /* SSH_AUDIT_EVENTS */
> 
> #ifdef GSSAPI
>+void
>+mm_ssh_gssapi_supported_oids(gss_OID_set *oidset)
>+{
>+ Buffer m;
>+ gss_OID_set oids;
>+ size_t i;
>+ u_int len;
>+
>+ buffer_init(&m);
>+
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSUPPORTEDOIDS, &m);
>+ mm_request_receive_expect(pmonitor->m_recvfd,
>+ MONITOR_ANS_GSSSUPPORTEDOIDS, &m);
>+
>+ *oidset = xcalloc(1, sizeof(**oidset));
>+ oids = *oidset;
>+ oids->count = buffer_get_int(&m);
>+ oids->elements = xcalloc(oids->count, sizeof(*oids->elements));
>+ for (i = 0; i < oids->count; i++) {
>+ oids->elements[i].elements = buffer_get_string(&m, &len);
>+ oids->elements[i].length = len;
>+ }
>+
>+ buffer_free(&m);
>+}
>+
> OM_uint32
> mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
> {
>
>=== modified file 'monitor_wrap.h'
>--- monitor_wrap.h 2011-06-20 04:42:23 +0000
>+++ monitor_wrap.h 2013-05-17 21:32:25 +0000
>@@ -55,6 +55,7 @@ int mm_auth_rsa_verify_response(Key *, B
> BIGNUM *mm_auth_rsa_generate_challenge(Key *);
> 
> #ifdef GSSAPI
>+void mm_ssh_gssapi_supported_oids(gss_OID_set *);
> OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
> OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
> gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
>
>=== modified file 'regress/connect-privsep.sh'
>--- regress/connect-privsep.sh 2012-07-02 14:53:18 +0000
>+++ regress/connect-privsep.sh 2013-05-17 21:32:25 +0000
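Review bot: `oids->elements = xcalloc(oids->count, sizeof(*oids->elements))` is reached with `count == 0` whenever the monitor reports an empty set, and if xcalloc() follows OpenSSH's usual convention of treating a zero-sized request as fatal, the unprivileged child dies instead of handing an empty set back for the caller to reject normally. Guarding the allocation avoids that: `oids->elements = oids->count ? xcalloc(oids->count, sizeof(*oids->elements)) : NULL;`. The count and the strings come from the privileged monitor rather than the peer, so taking them unbounded is consistent with the rest of monitor_wrap.c, but a one-line comment stating that would help the next reader: `/* count and OIDs come from the monitor, not from the network. */`.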
>@@ -24,6 +24,23 @@ for p in 1 2; do
> fi
> done
> 
>+cp $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
>+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
>+echo 'GSSAPIAuthentication yes' >> $OBJ/ssh_proxy
>+echo 'GSSAPIAuthentication yes' >> $OBJ/sshd_proxy
>+
>+for p in 1 2; do
>+ ${SSH} -vvv -$p -F $OBJ/ssh_proxy 999.999.999.999 true
>+ if [ $? -ne 0 ]; then
>+ # XXX replace this with fail once sandbox has stabilised
>+ warn "ssh privsep/sandbox+proxyconnect+gssapiauth protocol $p failed"
>+ fi
>+done
>+exit 0
>+
>+cp $OBJ/ssh_proxy.orig $OBJ/ssh_proxy
>+cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
>+
> # Because sandbox is sensitive to changes in libc, especially malloc, retest
> # with every malloc.conf option (and none).
> for m in '' A F G H J P R S X Z '<' '>'; do
>
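Review bot: The `exit 0` added right after the GSSAPI loop ends the script before the two `cp ... .orig` restore lines and before the existing malloc.conf retest loop that follows, so that loop never runs and the proxy configs are left with `GSSAPIAuthentication yes` appended. This looks like a leftover from developing the patch; dropping the `exit 0` line lets the restore run and the rest of the test be reached. The `for m in` loop the hunk ends in continues outside the hunk.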