- (djm) [configure.ac] Warn if the system has no known way of figuring out

which user is on the other end of a Unix domain socket; ok dtucker@
author: Damien Miller <djm@mindrot.org> 2004-05-23 14:09:40 +1000
committer: Damien Miller <djm@mindrot.org> 2004-05-23 14:09:40 +1000
commit: b409718797da73ac4ee2de422d894297b2c2d8f7 (patch)
tree: 6fa87e4af301a1c498d10e8ca873b2982e746fa3
parent: 701d0514ee3ffc5e8fde36bb0559709490407053 (diff)
2 files changed, 30 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 879eb2b02..fa74e8841 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 20040523
- - (djm) Explain consequences of UsePAM=yes a little better in sshd_config;
+ - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in 
-   ok dtucker@
+   sshd_config; ok dtucker@
+ - (djm) [configure.ac] Warn if the system has no known way of figuring out 
+   which user is on the other end of a Unix domain socket; ok dtucker@
 20040513
 - (dtucker) [configure.ac] Bug #867: Additional tests for res_query in
@@ -1122,4 +1124,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3356 2004/05/23 01:47:58 djm Exp $
+$Id: ChangeLog,v 1.3357 2004/05/23 04:09:40 djm Exp $
diff --git a/configure.ac b/configure.ac
index 850205cc7..76ac0e06c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.217 2004/05/13 01:56:17 dtucker Exp $
+# $Id: configure.ac,v 1.218 2004/05/23 04:09:40 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -926,6 +926,20 @@ int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
        )
 fi
+# Check for missing getpeereid (or equiv) support
+NO_PEERCHECK=""
+if test "x$ac_cv_func_getpeereid" != "xyes" ; then
+        AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
+        AC_TRY_COMPILE(
+                [#include <sys/types.h>
+                 #include <sys/socket.h>],
+                [int i = SO_PEERCRED;],
+                [AC_MSG_RESULT(yes)],
+                [AC_MSG_RESULT(no)
+                NO_PEERCHECK=1]
+        )
+fi
 dnl see whether mkstemp() requires XXXXXX
 if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
 AC_MSG_CHECKING([for (overly) strict mkstemp])
@@ -2975,3 +2989,13 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then
        echo ""
 fi
+if test ! -z "$NO_PEERCHECK" ; then
+        echo "WARNING: the operating system that you are using does not "
+        echo "appear to support either the getpeereid() API nor the "
+        echo "SO_PEERCRED getsockopt() option. These facilities are used to "
+        echo "enforce security checks to prevent unauthorised connections to "
+        echo "ssh-agent. Their absence increases the risk that a malicious "
+        echo "user can connect to your agent. "
+        echo ""
+fi
author	Damien Miller <djm@mindrot.org>	2004-05-23 14:09:40 +1000
committer	Damien Miller <djm@mindrot.org>	2004-05-23 14:09:40 +1000
commit	b409718797da73ac4ee2de422d894297b2c2d8f7 (patch)
tree	6fa87e4af301a1c498d10e8ca873b2982e746fa3
parent	701d0514ee3ffc5e8fde36bb0559709490407053 (diff)

diff --git a/ChangeLog b/ChangeLog index 879eb2b02..fa74e8841 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,6 +1,8 @@
1	20040523	1	20040523
2	- (djm) Explain consequences of UsePAM=yes a little better in sshd_config;	2	- (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in
3	ok dtucker@	3	sshd_config; ok dtucker@
		4	- (djm) [configure.ac] Warn if the system has no known way of figuring out
		5	which user is on the other end of a Unix domain socket; ok dtucker@
4		6
5	20040513	7	20040513
6	- (dtucker) [configure.ac] Bug #867: Additional tests for res_query in	8	- (dtucker) [configure.ac] Bug #867: Additional tests for res_query in
@@ -1122,4 +1124,4 @@
1122	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	1124	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
1123	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	1125	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
1124		1126
1125	$Id: ChangeLog,v 1.3356 2004/05/23 01:47:58 djm Exp $	1127	$Id: ChangeLog,v 1.3357 2004/05/23 04:09:40 djm Exp $


diff --git a/configure.ac b/configure.ac index 850205cc7..76ac0e06c 100644 --- a/configure.ac +++ b/configure.ac
@@ -1,4 +1,4 @@
1	# $Id: configure.ac,v 1.217 2004/05/13 01:56:17 dtucker Exp $	1	# $Id: configure.ac,v 1.218 2004/05/23 04:09:40 djm Exp $
2	#	2	#
3	# Copyright (c) 1999-2004 Damien Miller	3	# Copyright (c) 1999-2004 Damien Miller
4	#	4	#
@@ -926,6 +926,20 @@ int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
926	)	926	)
927	fi	927	fi
928		928
		929	# Check for missing getpeereid (or equiv) support
		930	NO_PEERCHECK=""
		931	if test "x$ac_cv_func_getpeereid" != "xyes" ; then
		932	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
		933	AC_TRY_COMPILE(
		934	[#include <sys/types.h>
		935	#include <sys/socket.h>],
		936	[int i = SO_PEERCRED;],
		937	[AC_MSG_RESULT(yes)],
		938	[AC_MSG_RESULT(no)
		939	NO_PEERCHECK=1]
		940	)
		941	fi
		942
929	dnl see whether mkstemp() requires XXXXXX	943	dnl see whether mkstemp() requires XXXXXX
930	if test "x$ac_cv_func_mkdtemp" = "xyes" ; then	944	if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
931	AC_MSG_CHECKING([for (overly) strict mkstemp])	945	AC_MSG_CHECKING([for (overly) strict mkstemp])
@@ -2975,3 +2989,13 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then
2975	echo ""	2989	echo ""
2976	fi	2990	fi
2977		2991
		2992	if test ! -z "$NO_PEERCHECK" ; then
		2993	echo "WARNING: the operating system that you are using does not "
		2994	echo "appear to support either the getpeereid() API nor the "
		2995	echo "SO_PEERCRED getsockopt() option. These facilities are used to "
		2996	echo "enforce security checks to prevent unauthorised connections to "
		2997	echo "ssh-agent. Their absence increases the risk that a malicious "
		2998	echo "user can connect to your agent. "
		2999	echo ""
		3000	fi
		3001