------- Comment on attachment From [email protected] 2017-05-09 05:35 EDT-------


Here is a patch which enables the geteuid syscall in sshd sandbox on s390.

Background: during initialization of the libica shared lib a system call
to find the real user id is invoked. So when the library chain required
by openssh comes to life (openssl - ibmca engine - libica), and it
looks like the ibmca engine initialization, and so the libica
initialization, is now triggered somewhere later while running in the
seccomp environment, this call was filtered out with signal 31, which
caused the authentication process to fail.

Fixed by allowing the geteuid syscall within openssh's seccomp sandbox
only for the s390 platform.

Please note, this fix is on top of 3 other required patches:

0001-Fix-weakness-in-seccomp-bpf-sandbox-arg-inspection.patch
0002-support-ioctls-for-ICA-crypto-card-on-Linux-s390.patch
0003-Missing-header-on-Linux-s390.patch

Please note also that the upstream patch will be different to this one
as there has been some rework on the seccomp macros. I'll send the
upstream patch to Eduardo dos Santos Barretto for contributing to
openssh.

regards H.Freudenberger

** Attachment added: "patch to enable geteuid syscall in sshd sandbox on s390"
   
https://bugs.launchpad.net/bugs/1686618/+attachment/4873913/+files/0004-Add-geteuid-syscall-for-Linux-s390.patch
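
The failure mode described in the comment above, as an added illustration that is not part of the bug comment, the attached patch or OpenSSH: a default-kill seccomp allowlist terminates the process with SIGSYS (signal 31) when geteuid is missing from the list, and lets it run once the syscall is added. The names sandboxed_geteuid and ALLOW are hypothetical; the code assumes Linux with seccomp-bpf and filters for the architecture it is built on.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical helper macro: allow one syscall number, else fall through. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Fork a child, install the filter there, call geteuid, and return the
 * signal that killed the child (0 = clean exit, -1 = setup failure). */
int sandboxed_geteuid(int allow_geteuid)
{
    struct sock_filter filter[] = {
        /* A production filter checks seccomp_data.arch first; omitted here. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_exit_group),
        /* The one-line difference: is geteuid on the allowlist or not? */
        ALLOW(allow_geteuid ? SYS_geteuid : SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* everything else */
    };
    struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(2);               /* seccomp unavailable */
        syscall(SYS_geteuid);       /* stands in for the call made during library init */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);    /* SIGSYS when the syscall was filtered */
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void)
{
    return sandboxed_geteuid(1) == 0 && sandboxed_geteuid(0) == SIGSYS ? 0 : 1;
}
```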

https://bugs.launchpad.net/bugs/1686618

Title:
  ssh connection attempts fail if hw crypto support on s390x is enabled
  on 17.04
