
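--- a/orig/config.h.in
+++ b/orig/config.h.in
@@ -962,6 +962,9 @@
 /* Define to 1 if you have the `setpcred' function. */
 #undef HAVE_SETPCRED
 
+/* Define to 1 if you have the `setpflags' function. */
+#undef HAVE_SETPFLAGS
+
 /* Define to 1 if you have the `setppriv' function. */
 #undef HAVE_SETPPRIV
 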
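--- a/orig/configure.ac
+++ b/orig/configure.ac
@@ -899,6 +899,8 @@
 	else
 		AC_MSG_RESULT([no])
 	fi
+      
+	AC_CHECK_FUNCS([setpflags])
 	AC_CHECK_FUNCS([setppriv])
 	AC_CHECK_FUNCS([priv_basicset])
 	AC_CHECK_HEADERS([priv.h])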
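Review bot: The first added line (new line 902) contains only spaces; make it a truly empty line or drop it so the patch adds no trailing whitespace. The block that encloses `AC_CHECK_FUNCS([setpflags])` starts outside the hunk, so it is not visible whether the probe runs on every build or only inside one platform branch. Because `HAVE_SETPFLAGS` gates the anti-tracing call added to sftp-server.c and ssh-agent.c, a probe that is skipped would compile that hardening out with no message, which is worth confirming against the full file.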
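--- a/orig/sftp-server.c
+++ b/orig/sftp-server.c
@@ -32,6 +32,9 @@
 #ifdef HAVE_SYS_PRCTL_H
 #include <sys/prctl.h>
 #endif
+#ifdef HAVE_PRIV_H
+#include <priv.h> /* For setpflags() and __PROC_PROTECT  */
+#endif
 
 #include <dirent.h>
 #include <errno.h>
@@ -1588,6 +1591,11 @@
 
 	log_init(__progname, log_level, log_facility, log_stderr);
 
+#if defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT)
+	/* On Solaris, we should make this process untraceable */
+	if (setpflags(__PROC_PROTECT, 1) != 0)
+		fatal("unable to make the process untraceable");
+#else 
 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
 	/*
 	 * On Linux, we should try to avoid making /proc/self/{mem,maps}
@@ -1598,6 +1606,7 @@
 	if (prctl(PR_SET_DUMPABLE, 0) != 0)
 		fatal("unable to make the process undumpable");
 #endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */
+#endif
 
 	/* Drop any fine-grained privileges we don't need */
 	platform_pledge_sftp_server();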
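Review bot: The `#endif` added at new line 1609 closes the outer `#if defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT)` opened in the previous hunk but carries no label, while the inner one right above it does. Label it, `#endif /* defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT) */`, or flatten the nesting by replacing `#else` and the nested `#if` with `#elif defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)`. The new fatal() message at new line 1597 also omits the cause; `fatal("unable to make the process untraceable: %s", strerror(errno));` would tell an operator why startup was refused (errno.h is included in the first hunk; strerror() is presumably already in scope). The Solaris comment states only what is done, so it would help to say why, as the Linux comment below it begins to do. The enclosing function starts and ends outside these hunks.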
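--- a/orig/ssh-agent.c
+++ b/orig/ssh-agent.c
@@ -92,6 +92,10 @@
 #include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
 #endif
 
+#if defined(HAVE_PRIV_H)
+#include <priv.h> /* For setpflags() and __PROC_PROTECT  */
+#endif
+
 typedef enum {
 	AUTH_UNUSED,
 	AUTH_SOCKET,
@@ -1208,10 +1212,16 @@
 	setegid(getgid());
 	setgid(getgid());
 
+#if defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT)
+	/* make it untraceable on Solaris */
+ 	(void) setpflags(__PROC_PROTECT, 1); 
+
+#else
 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
 	/* Disable ptrace on Linux without sgid bit */
 	prctl(PR_SET_DUMPABLE, 0);
 #endif
+#endif 
 
 #ifdef WITH_OPENSSL
 	OpenSSL_add_all_algorithms();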
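Review bot: The call added at new line 1217 discards its result, `(void) setpflags(__PROC_PROTECT, 1);`, so if it fails the agent keeps running in a traceable state and nothing is logged, whereas sftp-server.c treats the same failure as fatal. The neighbouring prctl() call ignores its result too, so aborting may not be wanted here, but a failure should at least be reported, for example `if (setpflags(__PROC_PROTECT, 1) != 0) error("setpflags(__PROC_PROTECT): %s", strerror(errno));`, assuming the logging helpers are usable at this point. That line also begins with a space before the tab and ends with a trailing space, and the closing `#endif ` at new line 1224 has trailing whitespace and no label naming the condition it closes. The enclosing function starts and ends outside the hunk.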
