Move the checks for struct pollfd.fd and nfds_t to before the sandboxing
checks. This groups all the sandbox checks together so we can skip them
all when sandboxing is disabled.
On most systems poll(2) does not work when the number of FDs is reduced
with setrlimit, so assume it doesn't when cross compiling and we can't
run the test. bz#3398.
POSIX specifies that poll() shall fail if "nfds argument is greater
than {OPEN_MAX}". The setrlimit sandbox sets this to effectively zero
so this causes poll() to fail in the preauth privsep process.
This is likely the underlying cause for the previously observed similar
behaviour of select() on plaforms where it is implement in userspace on
top of poll().
of manually hashing data outselves. Saves a fair bit of code and makes life
easier for some -portable platforms.
OpenBSD-Commit-ID: 351dfaaa5ab1ee928c0e623041fca28078cff0e0
Darwin's poll(2) implementation is broken. For character-special
devices like /dev/null, it returns POLLNVAL when polled with
POLLIN.
Apparently this is Apple bug 3710161, which is AFAIK not public,
but a websearch will find other OSS projects rediscovering it
periodically since it was first identified in 2005 (!!)
Since we changed from select() to ppoll() tests have been failing.
This seems to be because FreeBSD 10 (and presumably 9) do not allow
ppoll() in the privsep process and sshd will fail with "Not permitted in
capability mode". Setting CAP_EVENT on the FDs doesn't help, but weirdly,
poll() works without that. Those versions are EOL so this situation is
unlikely to change.
glibc's closefrom implementation does not work in a chroot when the kernel
does not have close_range. It tries to read from /proc/self/fd and when
that fails dies with an assertion of sorts. Instead, call close_range
ourselves from our compat code and fall back if that fails. bz#3349,
with william.wilson at canonical.com and fweimer at redhat.com.
HP-UX 10.x has a getline() implementation in libc that does not behave
as we expect so don't use it. With correction from Thorsten Glaser and
typo fix from Larkin Nickle.
Users of MD5-hashed password should arrange for ./configure to link
against libxcrypt or similar. Though it would be better to avoid use
of MD5 password hashing entirely, it's arguably worse than DEScrypt.
feedback and ok dtucker@
Add -fzero-call-used-regs and -ftrivial-auto-var-init to the list of
compiler hardening flags that configure checks for. These are supported
by clang and gcc, and make ROP gadgets less useful and mitigate
stack-based infoleaks respectively. ok djm@
Placed at the start of platform_disable_tracing() to prevent declaration
after code errors from strict C89 compilers (in the unlikely event that
more than one method is enabled).
Should fix printing cert times exceeding INT_MAX (bz#3329) on platforms
were time_t is a long long. The limit used is for the signed type, so if
some system has a 32bit unsigned time_t then the lower limit will still
be imposed and we would need to add some way to detect this. Anyone using
an unsigned 64bit can let us know when it starts being a problem.
This is basically the existing notify_pipe kludge from serverloop.c
moved behind a pselect interface. It works by installing a signal
handler that writes to a pipe that the select is watching, then calls
the original handler.
The select call in serverloop will become pselect soon, at which point the
kludge will be removed from thereand will only exist in the compat layer.
Original code by markus, help from djm.
Some Linux distributions are shipping the BSD-style hashing functions
(e.g. SHA256Update) in libbsd and/or libmd. Detect this situation to
avoid header/replacement clashes later. ok dtucker@
FreeBSD has login_getpwclass() that does some special magic for
UID=0. Prefer this to login_getclass() as its easier to emulate
the former with the latter.
Based on FreeBSD PR 37416 via Ed Maste; ok dtucker@
The sntrup761 code sourced from supercop uses variable length
arrays. Although widely supported, they are not part of the ANSI
C89 spec so if the compiler does not support VLAs, disable the
sntrup761x25519-sha512@openssh.com KEX method by replacing the kex
functions with no-op ones similar to what we do in kexecdh.c.
This should allow OpenSSH to build with a plain C89 compiler again.
Spotted by tim@, ok djm@.
It was only set by the recently removed AC_HEADER_TIME macro, replace
with simple inclusions of both sys/time.h and time.h. Should prevent
mis-detection of struct timespec.
Darren Tucker
Damien Miller
Tim Rice
djm@openbsd.org
David Carlier
John Ericson