
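--- a/configure.ac
+++ b/configure.ac
@@ -4845,6 +4845,37 @@ if test -n "$conf_lastlog_location"; then
 		[Define if you want to specify the path to your lastlog file])
 fi
 
+AC_ARG_WITH(libcap-ng,
+	[  --with-libcap-ng=[auto/yes/no]  Add Libcap-ng support [default=auto]],,
+	with_libcap_ng=auto)
+
+dnl libcap-ng detection
+if test x$with_libcap_ng = xno ; then
+	have_libcap_ng=no;
+else
+	# Start by checking for header file
+	AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
+
+	# See if we have libcap-ng library
+	AC_CHECK_LIB(cap-ng, capng_clear, CAPNG_LDADD=-lcap-ng,)
+
+	# Check results are usable
+	if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
+	AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
+	fi
+	if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
+	AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
+	fi
+fi
+AC_MSG_CHECKING(whether to use libcap-ng)
+if test x$CAPNG_LDADD != x ; then
+	AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
+	SSHDLIBS="$SSHDLIBS -lcap-ng"
+	AC_MSG_RESULT(yes)
+else
+	AC_MSG_RESULT(no)
+fi
+
 dnl utmp detection
 AC_MSG_CHECKING([if your system defines UTMP_FILE])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[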
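Review bot: The final `if test x$CAPNG_LDADD != x` decides solely on CAPNG_LDADD, which is never initialised, while the `have_libcap_ng=no` set in the `--with-libcap-ng=no` branch is never read; a CAPNG_LDADD value inherited from the environment would therefore define HAVE_LIBCAP_NG without any header or library check having run. Add `CAPNG_LDADD=` before the `if test x$with_libcap_ng = xno` line so the result depends only on the checks. In the default `auto` mode a library without headers aborts configure through AC_MSG_ERROR instead of just disabling the feature; consider limiting that error to the `xyes` case. The unquoted `$capng_headers` and the `test ... -a ...` form are also fragile, and `test "x$CAPNG_LDADD" != x && test "x$capng_headers" = xno` is the more portable spelling.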
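--- a/session.c
+++ b/session.c
@@ -96,6 +96,10 @@
 #include "monitor_wrap.h"
 #include "sftp.h"
 
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#endif
+
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
@@ -1520,6 +1524,7 @@ void
 do_setusercontext(struct passwd *pw)
 {
 	char *chroot_path, *tmp;
+	int dropped_suid = -1;
 
 	platform_setusercontext(pw);
 
@@ -1549,11 +1554,25 @@ do_setusercontext(struct passwd *pw)
 
 		if (!in_chroot && options.chroot_directory != NULL &&
 		    strcasecmp(options.chroot_directory, "none") != 0) {
-                        tmp = tilde_expand_filename(options.chroot_directory,
+			tmp = tilde_expand_filename(options.chroot_directory,
 			    pw->pw_uid);
 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
 			    "u", pw->pw_name, (char *)NULL);
+#ifdef HAVE_LIBCAP_NG
+			/* drop suid soon, retain SYS_CHROOT capability */
+			capng_clear(CAPNG_SELECT_BOTH);
+			capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
+			if (dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING))
+				logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
+#endif
 			safely_chroot(chroot_path, pw->pw_uid);
+#ifdef HAVE_LIBCAP_NG
+			/* Drop chroot capability. Already used */
+			if (dropped_suid == 0) {
+				capng_clear(CAPNG_SELECT_BOTH);
+				capng_apply(CAPNG_SELECT_BOTH);
+			}
+#endif
 			free(tmp);
 			free(chroot_path);
 			/* Make sure we don't attempt to chroot again */
@@ -1585,8 +1604,9 @@ do_setusercontext(struct passwd *pw)
 		if (!in_chroot && set_id(pw->pw_name) != 0)
 			fatal("set_id(%s) Failed", pw->pw_name);
 # endif /* USE_LIBIAF */
-		/* Permanently switch to the desired uid. */
+		/* Permanently switch to the desired uid if not yet done. */
-		permanently_set_uid(pw);
+		if (dropped_suid != 0)
+			permanently_set_uid(pw);
 #endif
 	} else if (options.chroot_directory != NULL &&
 	    strcasecmp(options.chroot_directory, "none") != 0) {
-- 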
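Review bot: The post-chroot block in do_setusercontext ignores the results of `capng_clear()` and `capng_apply()`, so a failed apply leaves the session running as the user with CAP_SYS_CHROOT still permitted and effective; fail closed instead, e.g. `if (capng_apply(CAPNG_SELECT_BOTH) != 0) fatal("capng_apply failed: CAP_SYS_CHROOT not dropped");`, and check the earlier `capng_update()` the same way. When `dropped_suid == 0` the last hunk also skips `permanently_set_uid(pw)`, so whatever verification that helper does after switching ids (its body is not visible here) no longer runs on this path. `CAPNG_DROP_SUPP_GRP` appears to clear the supplementary groups, which would undo any group setup done earlier in the function; confirm that is intended, since losing a group can change access decisions as well. A failing `capng_change_id()` is only logged, and if it can fail after partially changing ids or the bounding set, continuing to `safely_chroot()` from that state deserves a `fatal()`; the condition would also read better as `if ((dropped_suid = capng_change_id(...)) != 0)`. do_setusercontext starts and ends outside these hunks.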
