Created attachment 1420 [details] SACL support for sshd on Mac OS X. Attached is a patch for building OpenSSH 4.7p1 on Mac OS X. This patch adds SACL support to ssh for Mac OS X.
I have no objection to adding support for this, but I think we would prefer not to add any (more) platform specific config options. Could it be enabled unconditionally? Regarding the patch, adding the code into the mainline means it will be an ongoing maintenance hassle. A preferable way to do it would be to use the existing sys_auth_allowed_user() hook (see openbsd-compat/port-aix.c for an example).
(In reply to comment #1) > I have no objection to adding support for this… Thank you > …I think we would > prefer not to add any (more) platform specific config options. Could > it be enabled unconditionally? Yes. This would not work for Panther (Mac OS X 10.3), but that's fine by me. > Regarding the patch, adding the code into the mainline means it will be > an ongoing maintenance hassle. A preferable way to do it would be to > use the existing sys_auth_allowed_user() hook (see > openbsd-compat/port-aix.c for an example). I will look into this. Thanks.
(In reply to comment #2)
> (In reply to comment #1)
> > …I think we would
> > prefer not to add any (more) platform specific config options. Could
> > it be enabled unconditionally?
>
> Yes. This would not work for Panther (Mac OS X 10.3), but that's fine
> by me.
Can the code be enabled based on the presence or not of mbr_check_service_membership() or similar? Or do those exist in the older versions too?
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > …I think we would
> > > prefer not to add any (more) platform specific config options. Could
> > > it be enabled unconditionally?
> >
> > Yes. This would not work for Panther (Mac OS X 10.3), but that's fine
> > by me.
>
> Can the code be enabled based on the presence or not of
> mbr_check_service_membership() or similar? Or do those exist in the
> older versions too?
Yes, checking for mbr_check_service_membership() should work just fine. No, mbr_check_service_membership() was introduced in Tiger (Mac OS X 10.4).
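For readers following the suggestion in comments 1 and 3, here is what a hook-based, build-time-detected SACL check could look like. This is an added illustration, not the attached patch and not OpenSSH's own code. Assumptions of mine: the service name is "ssh", the hook takes only a struct passwd (OpenSSH's real sys_auth_allowed_user() also takes a login-message buffer), HAVE_MBR_CHECK_SERVICE_MEMBERSHIP stands in for whatever the configure check would define, and the handling of ENOENT reflects my reading of the Darwin manual page (no ACL configured for the service means everyone is allowed). The policy is factored into sacl_decision() so it can be exercised on any host; only sacl_user_allowed() touches the Darwin membership API.

```c
/*
 * Added example: SACL enforcement for the "ssh" service through a
 * sys_auth_allowed_user()-style hook, compiled in only when the
 * membership API is available.  Not OpenSSH code; see the lead-in for
 * the assumptions it makes.
 */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

#ifdef __APPLE__
#include <membership.h>   /* mbr_uid_to_uuid(), mbr_check_service_membership() */
#include <uuid/uuid.h>
#define HAVE_MBR_CHECK_SERVICE_MEMBERSHIP 1   /* assumed autoconf result */
#endif

enum sacl_result { SACL_DENY = 0, SACL_ALLOW = 1 };

/*
 * Map the outcome of mbr_check_service_membership() to allow/deny:
 *   rc == 0, ismember != 0 : user is in the service ACL      -> allow
 *   rc == 0, ismember == 0 : ACL exists, user is not in it   -> deny
 *   rc == ENOENT           : no ACL configured for "ssh", which Darwin
 *                            treats as "everyone allowed"    -> allow
 *   any other rc           : lookup failed; fail closed      -> deny
 */
enum sacl_result sacl_decision(int rc, int ismember)
{
	if (rc == 0)
		return ismember ? SACL_ALLOW : SACL_DENY;
	if (rc == ENOENT)
		return SACL_ALLOW;
	return SACL_DENY;
}

/*
 * Hook body.  Returns 1 if pw may log in, 0 otherwise.  When the
 * membership API is not available the hook is a no-op that allows,
 * i.e. "enabled only if the OS supports it", no config option needed.
 */
int sacl_user_allowed(const struct passwd *pw)
{
#ifdef HAVE_MBR_CHECK_SERVICE_MEMBERSHIP
	uuid_t uu;
	int ismember = 0, rc;

	if (mbr_uid_to_uuid(pw->pw_uid, uu) != 0)
		return 0;   /* cannot identify the user; fail closed */
	rc = mbr_check_service_membership(uu, "ssh", &ismember);
	return sacl_decision(rc, ismember) == SACL_ALLOW;
#else
	(void)pw;
	return 1;
#endif
}

int main(void)
{
	/* Demonstration on the invoking user; real callers pass sshd's pw. */
	struct passwd *pw = getpwuid(getuid());

	if (pw == NULL) {
		perror("getpwuid");
		return 1;
	}
	printf("user %s: %s\n", pw->pw_name,
	    sacl_user_allowed(pw) ? "allowed" : "denied");
	return 0;
}
```

The define would normally come from a configure-time check for mbr_check_service_membership() (for example AC_CHECK_FUNCS), which is exactly the detection comment 3 asks about and comment 4 confirms works from Tiger onward. Failing closed on unexpected errors is a deliberate choice here; a deployment that prefers availability over strictness might log and allow instead, but it should do so knowingly.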
If you can get us a revised diff based on Darren's comments then we should be able to include this in openssh-5.2.
Created attachment 1598 [details] Updated patch to check for mbr_check_service_membership() for SACL support.
I think what Darren meant was to remove the SACLSupport option and always enable SACL support if the OS supports it. Would this work?
(In reply to comment #7)
> I think what Darren meant was to remove the SACLSupport option and
> always enable SACL support if the OS supports it. Would this work?
No. It's likely that we'll be switching to enforcing SACLs via a PAM module. So, we'd probably prefer this patch not be taken at all over being on by default. Sorry for the trouble.
Thanks, closing this bug then.
Close bugs fixed/reviewed for openssh-5.2 release