authorColin Watson <cjwatson@debian.org>2012-09-07 00:20:47 +0100
committerColin Watson <cjwatson@debian.org>2012-09-07 00:20:47 +0100
commiteab78da6a54225de06271d9c8da650f04a55ed88 (patch)
treeaa258ca77515939f6d89317ff67fbcb0bca08b24 /configure
parenta26f5de49df59322fde07f7be91b3e3969c9c238 (diff)
parentc6a2c0334e45419875687d250aed9bea78480f2e (diff)
* New upstream release (http://www.openssh.com/txt/release-6.1).
  - Enable pre-auth sandboxing by default for new installs.
  - Allow "PermitOpen none" to refuse all port-forwarding requests (closes: #543683).
Diffstat (limited to 'configure')
-rwxr-xr-xconfigure205
1 files changed, 177 insertions, 28 deletions
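diff --git a/configure b/configure
index dc98069c8..5e473371d 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.489 .
+# From configure.ac Revision: 1.496 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.68 for OpenSSH Portable.
 #
@@ -5598,6 +5598,48 @@ if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then :
 fi
 
 fi
+if test "x$have_seccomp_filter" = "x1" ; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5
+$as_echo_n "checking kernel for seccomp_filter support... " >&6; }
+if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5
+$as_echo "cross-compiling, assuming yes" >&6; }
+
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include <errno.h>
+ #include <linux/seccomp.h>
+ #include <stdlib.h>
+ #include <sys/prctl.h>
+
+int
+main ()
+{
+ errno = 0;
+ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+ exit(errno == EFAULT ? 0 : 1);
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ # Disable seccomp filter as a target
+ have_seccomp_filter=0
+
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+fi
 
 use_stack_protector=1
 
@@ -6942,7 +6984,8 @@ $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
  for ac_header in linux/seccomp.h linux/filter.h linux/audit.h
 do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include <linux/types.h>
+"
 if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
  cat >>confdefs.h <<_ACEOF
 #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
@@ -9571,6 +9614,7 @@ for ac_func in \
  seteuid \
  setgroupent \
  setgroups \
+ setlinebuf \
  setlogin \
  setpassent\
  setpcred \
@@ -11856,28 +11900,128 @@ if test "${with_sandbox+set}" = set; then :
 
 fi
 
-SANDBOX_STYLE=""
+
+# Some platforms (seems to be the ones that have a kernel poll(2)-type
+# function with which they implement select(2)) use an extra file descriptor
+# when calling select(2), which means we can't use the rlimit sandbox.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if select works with descriptor rlimit" >&5
+$as_echo_n "checking if select works with descriptor rlimit... " >&6; }
+if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5
+$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;}
+
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#include <sys/resource.h>
+#ifdef HAVE_SYS_SELECT_H
+# include <sys/select.h>
+#endif
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+
+int
+main ()
+{
+
+ struct rlimit rl_zero;
+ int fd, r;
+ fd_set fds;
+
+ fd = open("/dev/null", O_RDONLY);
+ FD_ZERO(&fds);
+ FD_SET(fd, &fds);
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ setrlimit(RLIMIT_FSIZE, &rl_zero);
+ setrlimit(RLIMIT_NOFILE, &rl_zero);
+ r = select(fd+1, &fds, NULL, NULL, NULL);
+ exit (r == -1 ? 1 : 0);
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ select_works_with_rlimit=yes
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ select_works_with_rlimit=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit RLIMIT_FSIZE works" >&5
+$as_echo_n "checking if setrlimit RLIMIT_FSIZE works... " >&6; }
+if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5
+$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;}
+
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <stdlib.h>
+
+int
+main ()
+{
+
+ struct rlimit rl_zero;
+
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+$as_echo "#define SANDBOX_SKIP_RLIMIT_FSIZE 1" >>confdefs.h
+
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+
 if test "x$sandbox_arg" = "xsystrace" || \
  ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
  test "x$have_systr_policy_kill" != "x1" && \
  as_fn_error $? "systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support" "$LINENO" 5
- SANDBOX_STYLE="$SANDBOX_STYLE systrace"
+ SANDBOX_STYLE="systrace"
 
 $as_echo "#define SANDBOX_SYSTRACE 1" >>confdefs.h
 
-fi
-if test "x$sandbox_arg" = "xdarwin" || \
+elif test "x$sandbox_arg" = "xdarwin" || \
  ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
  test "x$ac_cv_header_sandbox_h" = "xyes") ; then
  test "x$ac_cv_func_sandbox_init" != "xyes" -o \
  "x$ac_cv_header_sandbox_h" != "xyes" && \
  as_fn_error $? "Darwin seatbelt sandbox requires sandbox.h and sandbox_init function" "$LINENO" 5
- SANDBOX_STYLE="$SANDBOX_STYLE darwin"
+ SANDBOX_STYLE="darwin"
 
 $as_echo "#define SANDBOX_DARWIN 1" >>confdefs.h
 
-fi
-if test "x$sandbox_arg" = "xseccomp_filter" || \
+elif test "x$sandbox_arg" = "xseccomp_filter" || \
  ( test -z "$sandbox_arg" && \
  test "x$have_seccomp_filter" = "x1" && \
  test "x$ac_cv_header_linux_audit_h" = "xyes" && \
@@ -11892,28 +12036,30 @@ if test "x$sandbox_arg" = "xseccomp_filter" || \
  as_fn_error $? "seccomp_filter sandbox requires seccomp headers" "$LINENO" 5
  test "x$ac_cv_func_prctl" != "xyes" && \
  as_fn_error $? "seccomp_filter sandbox requires prctl function" "$LINENO" 5
- SANDBOX_STYLE="$SANDBOX_STYLE seccomp_filter"
+ SANDBOX_STYLE="seccomp_filter"
 
 $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h
 
-fi
-if test "x$sandbox_arg" = "xrlimit" || \
- ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
+elif test "x$sandbox_arg" = "xrlimit" || \
+ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
+ test "x$select_works_with_rlimit" == "xyes" ) ; then
  test "x$ac_cv_func_setrlimit" != "xyes" && \
  as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5
- SANDBOX_STYLE="$SANDBOX_STYLE rlimit"
+ test "x$select_works_with_rlimit" != "xyes" && \
+ as_fn_error $? "rlimit sandbox requires select to work with rlimit" "$LINENO" 5
+ SANDBOX_STYLE="rlimit"
 
 $as_echo "#define SANDBOX_RLIMIT 1" >>confdefs.h
 
-fi
-if test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
+elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
  test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
- SANDBOX_STYLE="$SANDBOX_STYLE none"
-fi
-if test -z "$SANDBOX_STYLE" ; then
+ SANDBOX_STYLE="none"
+
+$as_echo "#define SANDBOX_NULL 1" >>confdefs.h
+
+else
  as_fn_error $? "unsupported --with-sandbox" "$LINENO" 5
 fi
-SANDBOX_STYLE="${SANDBOX_STYLE# }"
 
 # Cheap hack to ensure NEWS-OS libraries are arranged right.
 if test ! -z "$SONY" ; then
@@ -14194,7 +14340,7 @@ $as_echo_n "checking if struct statvfs.f_fsid is integral type... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h. */
 
-#include <sys/types.h>
+#include <sys/param.h>
 #include <sys/stat.h>
 #ifdef HAVE_SYS_TIME_H
 # include <sys/time.h>
@@ -16153,13 +16299,16 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
 fi
 
 # make sure $bindir is in USER_PATH so scp will work
- t_bindir=`eval echo ${bindir}`
- case $t_bindir in
- NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
- esac
- case $t_bindir in
- NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
- esac
+ t_bindir="${bindir}"
+ while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
+ t_bindir=`eval echo ${t_bindir}`
+ case $t_bindir in
+ NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
+ esac
+ case $t_bindir in
+ NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
+ esac
+ done
  echo $user_path | grep ":$t_bindir" > /dev/null 2>&1
  if test $? -ne 0 ; then
  echo $user_path | grep "^$t_bindir" > /dev/null 2>&1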