Seems that this little pkgsrc patch (sshd-patch.c) is the culprit. Am I misreading that privsep is disabled for all platforms except for Interix? (This is in the Joyent pkgsrc git and also in upstream pkgsrc.)
@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
int startup_pipe; /* in child */
/* variables used for privilege separation */
+#ifdef HAVE_INTERIX
int use_privsep = -1;
+#else
+int use_privsep = 0;
+#endif
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
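Review bot: the `#ifdef HAVE_INTERIX` arms look inverted relative to the stated intent of only disabling privsep on Interix: the `#else` arm (every platform that is not Interix) initialises `use_privsep` to 0, and the servconf.c default quoted further down only promotes the `-1` sentinel to `PRIVSEP_NOSANDBOX`, so the compiled-in default on non-Interix becomes `PRIVSEP_OFF` unless the config explicitly sets it. If the goal is Interix-only, swap the arms so that `int use_privsep = 0;` sits under `#ifdef HAVE_INTERIX` and the stock `int use_privsep = -1;` stays in the `#else`, and add a one-line comment saying why Interix needs privsep off, since an unexplained platform ifdef on a security default is easy to cargo-cult forward.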
So it seems that:
-1 = PRIVSEP_NOSANDBOX
0 = PRIVSEP_OFF
This is strange in contrast to the pkgsrc Makefile for openssh, where privsep gets enabled for anything NOT Interix:
"
.if ${OPSYS} != "Interix"
CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER:Q}
.endif
"
and
"
.else # not Interix
PKG_GROUPS= ${OPENSSH_GROUP}
PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
.endif
"
###
Cross-referencing stock 7.0 openssh:
"servconf.h" line 40 of 254 --15%-- col 1
/* use_privsep */
#define PRIVSEP_OFF 0
#define PRIVSEP_ON 1
#define PRIVSEP_NOSANDBOX 2
"ssh_api.c" line 46 of 537 --8%-- col 2
/*
* stubs for the server side implementation of kex.
* disable privsep so our stubs will never be called.
*/
int use_privsep = 0;
"servconf.c" line 354 of 2345 --15%-- col 34-41
/* Turn privilege separation on by default */
if (use_privsep == -1)
	use_privsep = PRIVSEP_NOSANDBOX;
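To make the difference between the two initial values concrete, here is a small model (added here, not OpenSSH or pkgsrc code) of how the quoted servconf.c default interacts with the compiled-in starting value of use_privsep. The constants are copied from the servconf.h excerpt above; the `effective_privsep` helper and its config_value argument are my own construction, and the ordering assumption (config file parsed first, defaults filled afterwards) is labelled in the code.

```c
#include <stdio.h>

/* Constants as quoted from servconf.h above. */
#define PRIVSEP_OFF       0
#define PRIVSEP_ON        1
#define PRIVSEP_NOSANDBOX 2

/* -1 is not a mode: it is the "nothing has set this yet" sentinel that
 * the quoted servconf.c check looks for. */
#define PRIVSEP_UNSET     (-1)

/* Mirrors the quoted servconf.c lines: only the -1 sentinel is promoted
 * to PRIVSEP_NOSANDBOX; any other value (including 0) is left untouched. */
static int fill_default_privsep(int use_privsep)
{
    if (use_privsep == PRIVSEP_UNSET)
        use_privsep = PRIVSEP_NOSANDBOX;
    return use_privsep;
}

/* Effective mode for a given compiled-in initial value and an optional
 * explicit config setting (config_value < 0 means "not set in sshd_config").
 * Assumption (hypothetical model, not sshd's code): the config parser runs
 * before the defaults are filled in, so an explicit setting wins. */
int effective_privsep(int compiled_default, int config_value)
{
    int use_privsep = compiled_default;
    if (config_value >= 0)
        use_privsep = config_value;
    return fill_default_privsep(use_privsep);
}

int main(void)
{
    /* Stock initialiser, nothing in the config: sentinel -> NOSANDBOX. */
    printf("stock (-1), no config:   %d\n", effective_privsep(PRIVSEP_UNSET, -1)); /* 2 */
    /* Patched non-Interix initialiser, nothing in the config: stays OFF. */
    printf("patched (0), no config:  %d\n", effective_privsep(PRIVSEP_OFF, -1));   /* 0 */
    /* Patched initialiser but the admin set it explicitly: config wins. */
    printf("patched (0), config on:  %d\n", effective_privsep(PRIVSEP_OFF, PRIVSEP_ON)); /* 1 */
    return 0;
}
```

The point the model makes is that 0 is a real mode, not a "not configured" marker, so a build that starts from 0 silently turns the default from sandboxed privsep into no privsep on any host whose sshd_config never mentions the setting. The runtime check on an affected host is to look at the effective configuration sshd reports (`sshd -T` prints the resolved `useprivilegeseparation` value) rather than trusting the source defaults.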
Thank you,
Jan
-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now