upstream: Avoid an unnecessary xstrdup in rm_env() when matching
patterns. Since match_pattern() doesn't modify its arguments (they are
const), there is no need to make an extra copy of the strings in
options->send_env. From Martin Vahlensieck
Since we no longer need to support SSH1 we don't need to run shell
commands on the other end of the connection and can use ssh -N instead.
This also makes the test less racy.
upstream: Try to continue running local I/O for channels in state
OPEN during SSH transport rekeying. The most visible benefit is that it
should make ~-escapes work in the client (e.g. to exit) if the connection
happened to have stalled during a rekey event. Based work by and ok dtucker@
It turns out that the checked-in copies of these files are actually newer
than autoconf-2.71's copies, so this was effectively a downgrade.
Spotted by Bo Anderson via github
Darren Tucker [Mon, 4 Apr 2022 05:16:51 +0000 (15:16 +1000)]
Specify TEST_SHELL=bash on AIX.
The system shells cause the agent-restrict test to fail due to some
quoting so explicitly specify bash until we can get configure to
autmatically work around that.
Darren Tucker [Fri, 1 Apr 2022 12:38:44 +0000 (23:38 +1100)]
Only return events from ppoll that were requested.
If the underlying system's select() returns bits that were not in the
request set, our ppoll() implementation can return revents for events
not requested, which can apparently cause a hang. Only return revents
for activity in the requested event set. bz#3416, analysis and fix by
yaroslav.kuzmin at vmssoftware com, ok djm@
Darren Tucker [Fri, 1 Apr 2022 03:56:54 +0000 (14:56 +1100)]
Set Makefile SHELL as determined by configure.
This should improve compatibility for users with non-POSIX shells. If
using Makefile.in directly (eg make -f Makefile.in distprep) then SHELL
will need to be specified on the command line (along with MANFMT in that
particular case). ok djm@
Darren Tucker [Sat, 26 Mar 2022 01:49:50 +0000 (12:49 +1100)]
Factor out platform-specific locked account check.
Also fixes an incorrect free on platforms with both libiaf and shadow
passwords (probably only Unixware). Prompted by github PR#284,
originally from @c3h2_ctf and stoeckmann@.
djm@openbsd.org [Fri, 18 Mar 2022 04:04:11 +0000 (04:04 +0000)]
upstream: don't try to resolve ListenAddress directives in the sshd
re-exec path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by Aaron
Poffenberger; with / ok dtucker@
Copying the given string into the buffer with strlcpy(3) confers no
benefit in this context because we have already determined the
string's length with strlen(3) in order to allocate that buffer.
Darren Tucker [Tue, 8 Mar 2022 09:04:06 +0000 (20:04 +1100)]
Default to not using sandbox when cross compiling.
On most systems poll(2) does not work when the number of FDs is reduced
with setrlimit, so assume it doesn't when cross compiling and we can't
run the test. bz#3398.
Darren Tucker [Mon, 28 Feb 2022 11:21:36 +0000 (22:21 +1100)]
No unused param warnings for clang-12 and gcc-11.
These have too many false positives in -Werror tests on the github CI
since we often provide empty stub functions for functionality not needed
for particular configurations.
Darren Tucker [Sat, 26 Feb 2022 03:06:14 +0000 (14:06 +1100)]
Allow ppoll_time64 in seccomp sandbox.
Should fix sandbox violations on (some? at least i386 and armhf) 32bit
Linux platforms. Patch from chutzpahu at gentoo.org and cjwatson at
debian.org via bz#3396.
Darren Tucker [Tue, 22 Feb 2022 04:29:22 +0000 (15:29 +1100)]
Extend select+rlimit sanbox test to include poll.
POSIX specifies that poll() shall fail if "nfds argument is greater
than {OPEN_MAX}". The setrlimit sandbox sets this to effectively zero
so this causes poll() to fail in the preauth privsep process.
This is likely the underlying cause for the previously observed similar
behaviour of select() on plaforms where it is implement in userspace on
top of poll().
Darren Tucker [Fri, 11 Feb 2022 10:00:35 +0000 (21:00 +1100)]
Move SSHD_ACQUIRES_CTTY workaround into compat.
On some (most? all?) SysV based systems with STREAMS based ptys,
sshd could acquire a controlling terminal during pty setup when
it pushed the "ptem" module, due to what is probably a bug in
the STREAMS driver that's old enough to vote. Because it was the
privileged sshd's controlling terminal, it was not available for
the user's session, which ended up without one. This is known to
affect at least Solaris <=10, derivatives such as OpenIndiana and
several other SysV systems. See bz#245 for the backstory.
In the we past worked around that by not calling setsid in the
privileged sshd child, which meant it was not a session or process
group leader. This solved controlling terminal problem because sshd
was not eligble to acquire one, but had other side effects such as
not cleaning up helper subprocesses in the SIGALRM handler since it
was not PG leader. Recent cleanups in the signal handler uncovered
this, resulting in the LoginGraceTime timer not cleaning up privsep
unprivileged processes.
This change moves the workaround into the STREAMS pty allocation code,
by allocating a sacrificial pty to act as sshd's controlling terminal
before allocating user ptys, so those are still available for users'
sessions.
On the down side:
- this will waste a pty per ssh connection on affected platforms.
On the up side:
- it makes the process group behaviour consistent between platforms.
- it puts the workaround nearest the code that actually causes the
problem and competely out of the mainline code.
- the workaround is only activated if you use the STREAMS code. If,
say, Solaris 11 has the bug but also a working openpty() it doesn't
matter that we defined SSHD_ACQUIRES_CTTY.
- the workaround is only activated when the fist pty is allocated,
ie in the post-auth privsep monitor. This means there's no risk
of fd leaks to the unprivileged processes, and there's no effect on
sessions that do not allocate a pty.
projects / thirdparty / openssh-portable.git / log
