tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Solaris: prefer PRIV_XPOLICY to PRIV_LIMIT 

If the system support PRIV_XPOLICY and one is set, then don't
modify PRIV_LIMIT. bz2833, patch from Ron Jordan, ok dtucker@
This commit is contained in:
Damien Miller 2023-10-12 13:20:01 +11:00
parent 98fc34df83
commit 281c79168e
No known key found for this signature in database
1 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
openbsd-compat/port-solaris.c
View File

@ -292,13 +292,35 @@ solaris_drop_privs_pinfo_net_fork_exec(void)
priv_delset(npset, PRIV_PROC_SESSION) != 0)
fatal("priv_delset: %s", strerror(errno));
#ifdef PRIV_XPOLICY
/*
* It is possible that the user has an extended policy
* in place; the LIMIT set restricts the extended policy
* and so should not be restricted.
* PRIV_XPOLICY is newly defined in Solaris 11 though the extended
* policy was not implemented until Solaris 11.1.
*/
if (getpflags(PRIV_XPOLICY) == 1) {
if (getppriv(PRIV_LIMIT, pset) != 0)
fatal("getppriv: %s", strerror(errno));
priv_intersect(pset, npset);
if (setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0)
fatal("setppriv: %s", strerror(errno));
} else
#endif
{
/* Cannot exec, so we can kill the limit set. */
priv_emptyset(pset);
if (setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0)
fatal("setppriv: %s", strerror(errno));
}
if (getppriv(PRIV_PERMITTED, pset) != 0)
fatal("getppriv: %s", strerror(errno));
priv_intersect(pset, npset);
if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 ||
setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0 ||
setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0)
fatal("setppriv: %s", strerror(errno));