- (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use

getpeerucred to implement getpeereid (currently only Solaris 10 and up). Patch by Jan.Pechanec at Sun.
2007-03-21 21:39:57 +11:00 · 2007-03-21 21:39:57 +11:00 · 164aa30e46
parent 04354b97dc
commit 164aa30e46
3 changed files with 36 additions and 10 deletions
--- a/5
+++ b/5
@ -29,6 +29,9 @@
     - sort FILES
     - +.Xr ssh-keyscan 1 ,
     from Igor Sobrado
+ - (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use
+   getpeerucred to implement getpeereid (currently only Solaris 10 and up).
+   Patch by Jan.Pechanec at Sun.

 20070313
 - (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include
@ -2858,4 +2861,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@

-$Id: ChangeLog,v 1.4645 2007/03/21 09:46:54 dtucker Exp $
+$Id: ChangeLog,v 1.4646 2007/03/21 10:39:57 dtucker Exp $
--- a/configure.ac
+++ b/configure.ac
@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.372 2007/03/05 00:51:27 djm Exp $
+# $Id: configure.ac,v 1.373 2007/03/21 10:39:57 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.372 $)
+AC_REVISION($Revision: 1.373 $)
 AC_CONFIG_SRCDIR([ssh.c])

 AC_CONFIG_HEADER(config.h)
@ -1241,6 +1241,7 @@ AC_CHECK_FUNCS( \
 	getnameinfo \
 	getopt \
 	getpeereid \
+	getpeerucred \
 	_getpty \
 	getrlimit \
 	getttyent \
@ -1489,7 +1490,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <stdio.h>

 # Check for missing getpeereid (or equiv) support
 NO_PEERCHECK=""
-if test "x$ac_cv_func_getpeereid" != "xyes" ; then
+if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
 	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
 	AC_TRY_COMPILE(
 		[#include <sys/types.h>
@ -4030,12 +4031,12 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then
 fi

 if test ! -z "$NO_PEERCHECK" ; then
-	echo "WARNING: the operating system that you are using does not "
-	echo "appear to support either the getpeereid() API nor the "
-	echo "SO_PEERCRED getsockopt() option. These facilities are used to "
-	echo "enforce security checks to prevent unauthorised connections to "
-	echo "ssh-agent. Their absence increases the risk that a malicious "
-	echo "user can connect to your agent. "
+	echo "WARNING: the operating system that you are using does not"
+	echo "appear to support getpeereid(), getpeerucred() or the"
+	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
+	echo "enforce security checks to prevent unauthorised connections to"
+	echo "ssh-agent. Their absence increases the risk that a malicious"
+	echo "user can connect to your agent."
 	echo ""
 fi

--- a/openbsd-compat/bsd-getpeereid.c
+++ b/openbsd-compat/bsd-getpeereid.c
@ -37,6 +37,28 @@ getpeereid(int s, uid_t *euid, gid_t *gid)

 	return (0);
 }
+#elif defined(HAVE_GETPEERUCRED)
+
+#ifdef HAVE_UCRED_H
+# include <ucred.h>
+#endif
+
+int
+getpeereid(int s, uid_t *euid, gid_t *gid)
+{
+	ucred_t *ucred = NULL;
+
+	if (getpeerucred(s, &ucred) == -1)
+		return (-1);
+	if ((*euid = ucred_geteuid(ucred)) == -1)
+		return (-1);
+	if ((*gid = ucred_getrgid(ucred)) == -1)
+		return (-1);
+
+	ucred_free(ucred);
+
+	return (0);
+}
 #else
 int
 getpeereid(int s, uid_t *euid, gid_t *gid)