svn commit: r239849 - in vendor-crypto/openssh/dist: . contrib
contrib/caldera contrib/cygwin contrib/redhat contrib/suse
openbsd-compat regress
Dag-Erling Smørgrav
des at FreeBSD.org
Wed Aug 29 15:55:55 UTC 2012
Author: des
Date: Wed Aug 29 15:55:54 2012
New Revision: 239849
URL: http://svn.freebsd.org/changeset/base/239849
Log:
Vendor import of OpenSSH 6.1p1.
Modified:
vendor-crypto/openssh/dist/ChangeLog
vendor-crypto/openssh/dist/PROTOCOL.certkeys
vendor-crypto/openssh/dist/PROTOCOL.mux
vendor-crypto/openssh/dist/README
vendor-crypto/openssh/dist/addrmatch.c
vendor-crypto/openssh/dist/auth-krb5.c
vendor-crypto/openssh/dist/auth-passwd.c
vendor-crypto/openssh/dist/auth.c
vendor-crypto/openssh/dist/channels.c
vendor-crypto/openssh/dist/channels.h
vendor-crypto/openssh/dist/clientloop.c
vendor-crypto/openssh/dist/config.h.in
vendor-crypto/openssh/dist/configure
vendor-crypto/openssh/dist/configure.ac
vendor-crypto/openssh/dist/contrib/Makefile
vendor-crypto/openssh/dist/contrib/caldera/openssh.spec
vendor-crypto/openssh/dist/contrib/cygwin/ssh-host-config
vendor-crypto/openssh/dist/contrib/redhat/openssh.spec
vendor-crypto/openssh/dist/contrib/suse/openssh.spec
vendor-crypto/openssh/dist/dns.c
vendor-crypto/openssh/dist/dns.h
vendor-crypto/openssh/dist/jpake.c
vendor-crypto/openssh/dist/key.c
vendor-crypto/openssh/dist/key.h
vendor-crypto/openssh/dist/mac.c
vendor-crypto/openssh/dist/moduli
vendor-crypto/openssh/dist/moduli.0
vendor-crypto/openssh/dist/moduli.c
vendor-crypto/openssh/dist/monitor.c
vendor-crypto/openssh/dist/mux.c
vendor-crypto/openssh/dist/myproposal.h
vendor-crypto/openssh/dist/openbsd-compat/bsd-cygwin_util.h
vendor-crypto/openssh/dist/openbsd-compat/bsd-misc.h
vendor-crypto/openssh/dist/openbsd-compat/getrrsetbyname-ldns.c
vendor-crypto/openssh/dist/regress/addrmatch.sh
vendor-crypto/openssh/dist/regress/cipher-speed.sh
vendor-crypto/openssh/dist/regress/connect-privsep.sh
vendor-crypto/openssh/dist/regress/forwarding.sh
vendor-crypto/openssh/dist/regress/multiplex.sh
vendor-crypto/openssh/dist/regress/reexec.sh
vendor-crypto/openssh/dist/regress/sftp-cmds.sh
vendor-crypto/openssh/dist/regress/test-exec.sh
vendor-crypto/openssh/dist/regress/try-ciphers.sh
vendor-crypto/openssh/dist/sandbox-rlimit.c
vendor-crypto/openssh/dist/sandbox-seccomp-filter.c
vendor-crypto/openssh/dist/sandbox-systrace.c
vendor-crypto/openssh/dist/scp.0
vendor-crypto/openssh/dist/servconf.c
vendor-crypto/openssh/dist/servconf.h
vendor-crypto/openssh/dist/serverloop.c
vendor-crypto/openssh/dist/session.c
vendor-crypto/openssh/dist/sftp-client.c
vendor-crypto/openssh/dist/sftp-server.0
vendor-crypto/openssh/dist/sftp.0
vendor-crypto/openssh/dist/sftp.c
vendor-crypto/openssh/dist/ssh-add.0
vendor-crypto/openssh/dist/ssh-agent.0
vendor-crypto/openssh/dist/ssh-keygen.0
vendor-crypto/openssh/dist/ssh-keygen.1
vendor-crypto/openssh/dist/ssh-keygen.c
vendor-crypto/openssh/dist/ssh-keyscan.0
vendor-crypto/openssh/dist/ssh-keyscan.1
vendor-crypto/openssh/dist/ssh-keyscan.c
vendor-crypto/openssh/dist/ssh-keysign.0
vendor-crypto/openssh/dist/ssh-pkcs11-helper.0
vendor-crypto/openssh/dist/ssh-pkcs11-helper.c
vendor-crypto/openssh/dist/ssh.0
vendor-crypto/openssh/dist/ssh.1
vendor-crypto/openssh/dist/ssh.c
vendor-crypto/openssh/dist/ssh_config.0
vendor-crypto/openssh/dist/ssh_config.5
vendor-crypto/openssh/dist/sshconnect2.c
vendor-crypto/openssh/dist/sshd.0
vendor-crypto/openssh/dist/sshd.8
vendor-crypto/openssh/dist/sshd.c
vendor-crypto/openssh/dist/sshd_config
vendor-crypto/openssh/dist/sshd_config.0
vendor-crypto/openssh/dist/sshd_config.5
vendor-crypto/openssh/dist/version.h
Modified: vendor-crypto/openssh/dist/ChangeLog
==============================================================================
--- vendor-crypto/openssh/dist/ChangeLog Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/ChangeLog Wed Aug 29 15:55:54 2012 (r239849)
@@ -1,3 +1,298 @@
+20120828
+ - (djm) Release openssh-6.1
+
+20120828
+ - (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN
+ for compatibility with future mingw-w64 headers. Patch from vinschen at
+ redhat com.
+
+20120822
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Update version numbers
+
+20120731
+ - (djm) OpenBSD CVS Sync
+ - jmc at cvs.openbsd.org 2012/07/06 06:38:03
+ [ssh-keygen.c]
+ missing full stop in usage();
+ - djm at cvs.openbsd.org 2012/07/10 02:19:15
+ [servconf.c servconf.h sshd.c sshd_config]
+ Turn on systrace sandboxing of pre-auth sshd by default for new installs
+ by shipping a config that overrides the current UsePrivilegeSeparation=yes
+ default. Make it easier to flip the default in the future by adding too.
+ prodded markus@ feedback dtucker@ "get it in" deraadt@
+ - dtucker at cvs.openbsd.org 2012/07/13 01:35:21
+ [servconf.c]
+ handle long comments in config files better. bz#2025, ok markus
+ - markus at cvs.openbsd.org 2012/07/22 18:19:21
+ [version.h]
+ openssh 6.1
+
+20120720
+ - (dtucker) Import regened moduli file.
+
+20120706
+ - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
+ not available. Allows use of sshd compiled on host with a filter-capable
+ kernel on hosts that lack the support. bz#2011 ok dtucker@
+ - (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no
+ unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT
+ esperi.org.uk; ok dtucker@
+- (djm) OpenBSD CVS Sync
+ - dtucker at cvs.openbsd.org 2012/07/06 00:41:59
+ [moduli.c ssh-keygen.1 ssh-keygen.c]
+ Add options to specify starting line number and number of lines to process
+ when screening moduli candidates. This allows processing of different
+ parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
+ - djm at cvs.openbsd.org 2012/07/06 01:37:21
+ [mux.c]
+ fix memory leak of passed-in environment variables and connection
+ context when new session message is malformed; bz#2003 from Bert.Wesarg
+ AT googlemail.com
+ - djm at cvs.openbsd.org 2012/07/06 01:47:38
+ [ssh.c]
+ move setting of tty_flag to after config parsing so RequestTTY options
+ are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
+ ok dtucker@
+
+20120704
+ - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
+ platforms that don't have it. "looks good" tim@
+
+20120703
+ - (dtucker) [configure.ac] Detect platforms that can't use select(2) with
+ setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
+ - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
+ setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its
+ benefit is minor, so it's not worth disabling the sandbox if it doesn't
+ work.
+
+20120702
+- (dtucker) OpenBSD CVS Sync
+ - naddy at cvs.openbsd.org 2012/06/29 13:57:25
+ [ssh_config.5 sshd_config.5]
+ match the documented MAC order of preference to the actual one;
+ ok dtucker@
+ - markus at cvs.openbsd.org 2012/06/30 14:35:09
+ [sandbox-systrace.c sshd.c]
+ fix a during the load of the sandbox policies (child can still make
+ the read-syscall and wait forever for systrace-answers) by replacing
+ the read/write synchronisation with SIGSTOP/SIGCONT;
+ report and help hshoexer@; ok djm@, dtucker@
+ - dtucker at cvs.openbsd.org 2012/07/02 08:50:03
+ [ssh.c]
+ set interactive ToS for forwarded X11 sessions. ok djm@
+ - dtucker at cvs.openbsd.org 2012/07/02 12:13:26
+ [ssh-pkcs11-helper.c sftp-client.c]
+ fix a couple of "assigned but not used" warnings. ok markus@
+ - dtucker at cvs.openbsd.org 2012/07/02 14:37:06
+ [regress/connect-privsep.sh]
+ remove exit from end of test since it prevents reporting failure
+ - (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh]
+ Move cygwin detection to test-exec and use to skip reexec test on cygwin.
+ - (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k.
+
+20120629
+ - OpenBSD CVS Sync
+ - dtucker at cvs.openbsd.org 2012/06/21 00:16:07
+ [addrmatch.c]
+ fix strlcpy truncation check. from carsten at debian org, ok markus
+ - dtucker at cvs.openbsd.org 2012/06/22 12:30:26
+ [monitor.c sshconnect2.c]
+ remove dead code following 'for (;;)' loops.
+ From Steve.McClellan at radisys com, ok markus@
+ - dtucker at cvs.openbsd.org 2012/06/22 14:36:33
+ [sftp.c]
+ Remove unused variable leftover from tab-completion changes.
+ From Steve.McClellan at radisys com, ok markus@
+ - dtucker at cvs.openbsd.org 2012/06/26 11:02:30
+ [sandbox-systrace.c]
+ Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
+ sandbox" since malloc now uses it. From johnw.mail at gmail com.
+ - dtucker at cvs.openbsd.org 2012/06/28 05:07:45
+ [mac.c myproposal.h ssh_config.5 sshd_config.5]
+ Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
+ from draft6 of the spec and will not be in the RFC when published. Patch
+ from mdb at juniper net via bz#2023, ok markus.
+ - naddy at cvs.openbsd.org 2012/06/29 13:57:25
+ [ssh_config.5 sshd_config.5]
+ match the documented MAC order of preference to the actual one; ok dtucker@
+ - dtucker at cvs.openbsd.org 2012/05/13 01:42:32
+ [regress/addrmatch.sh]
+ Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
+ to match. Feedback and ok djm@ markus at .
+ - djm at cvs.openbsd.org 2012/06/01 00:47:35
+ [regress/multiplex.sh regress/forwarding.sh]
+ append to rather than truncate test log; bz#2013 from openssh AT
+ roumenpetrov.info
+ - djm at cvs.openbsd.org 2012/06/01 00:52:52
+ [regress/sftp-cmds.sh]
+ don't delete .* on cleanup due to unintended env expansion; pointed out in
+ bz#2014 by openssh AT roumenpetrov.info
+ - dtucker at cvs.openbsd.org 2012/06/26 12:06:59
+ [regress/connect-privsep.sh]
+ test sandbox with every malloc option
+ - dtucker at cvs.openbsd.org 2012/06/28 05:07:45
+ [regress/try-ciphers.sh regress/cipher-speed.sh]
+ Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
+ from draft6 of the spec and will not be in the RFC when published. Patch
+ from mdb at juniper net via bz#2023, ok markus.
+ - (dtucker) [myproposal.h] Remove trailing backslash to fix compile error.
+ - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have
+ the required functions in libcrypto.
+
+20120628
+ - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null
+ pointer deref in the client when built with LDNS and using DNSSEC with a
+ CNAME. Patch from gregdlg+mr at hochet info.
+
+20120622
+ - (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as
+ can logon as a service. Patch from vinschen at redhat com.
+
+20120620
+ - (djm) OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2011/12/02 00:41:56
+ [mux.c]
+ fix bz#1948: ssh -f doesn't fork for multiplexed connection.
+ ok dtucker@
+ - djm at cvs.openbsd.org 2011/12/04 23:16:12
+ [mux.c]
+ revert:
+ > revision 1.32
+ > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1
+ > fix bz#1948: ssh -f doesn't fork for multiplexed connection.
+ > ok dtucker@
+ it interacts badly with ControlPersist
+ - djm at cvs.openbsd.org 2012/01/07 21:11:36
+ [mux.c]
+ fix double-free in new session handler
+ NB. Id sync only
+ - djm at cvs.openbsd.org 2012/05/23 03:28:28
+ [dns.c dns.h key.c key.h ssh-keygen.c]
+ add support for RFC6594 SSHFP DNS records for ECDSA key types.
+ patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
+ - djm at cvs.openbsd.org 2012/06/01 00:49:35
+ [PROTOCOL.mux]
+ correct types of port numbers (integers, not strings); bz#2004 from
+ bert.wesarg AT googlemail.com
+ - djm at cvs.openbsd.org 2012/06/01 01:01:22
+ [mux.c]
+ fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg
+ AT googlemail.com
+ - dtucker at cvs.openbsd.org 2012/06/18 11:43:53
+ [jpake.c]
+ correct sizeof usage. patch from saw at online.de, ok deraadt
+ - dtucker at cvs.openbsd.org 2012/06/18 11:49:58
+ [ssh_config.5]
+ RSA instead of DSA twice. From Steve.McClellan at radisys com
+ - dtucker at cvs.openbsd.org 2012/06/18 12:07:07
+ [ssh.1 sshd.8]
+ Remove mention of 'three' key files since there are now four. From
+ Steve.McClellan at radisys com.
+ - dtucker at cvs.openbsd.org 2012/06/18 12:17:18
+ [ssh.1]
+ Clarify description of -W. Noted by Steve.McClellan at radisys com,
+ ok jmc
+ - markus at cvs.openbsd.org 2012/06/19 18:25:28
+ [servconf.c servconf.h sshd_config.5]
+ sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
+ this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
+ ok djm@ (back in March)
+ - jmc at cvs.openbsd.org 2012/06/19 21:35:54
+ [sshd_config.5]
+ tweak previous; ok markus
+ - djm at cvs.openbsd.org 2012/06/20 04:42:58
+ [clientloop.c serverloop.c]
+ initialise accept() backoff timer to avoid EINVAL from select(2) in
+ rekeying
+
+20120519
+ - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch
+ from cjwatson at debian org.
+ - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find
+ pkg-config so it does the right thing when cross-compiling. Patch from
+ cjwatson at debian org.
+- (dtucker) OpenBSD CVS Sync
+ - dtucker at cvs.openbsd.org 2012/05/13 01:42:32
+ [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
+ Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
+ to match. Feedback and ok djm@ markus at .
+ - dtucker at cvs.openbsd.org 2012/05/19 06:30:30
+ [sshd_config.5]
+ Document PermitOpen none. bz#2001, patch from Loganaden Velvindron
+
+20120504
+ - (dtucker) [configure.ac] Include <sys/param.h> rather than <sys/types.h>
+ to fix building on some plaforms. Fom bowman at math utah edu and
+ des at des no.
+
+20120427
+ - (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6
+ platform rather than exiting early, so that we still clean up and return
+ success or failure to test-exec.sh
+
+20120426
+ - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters
+ via Niels
+ - (djm) [auth-krb5.c] Save errno across calls that might modify it;
+ ok dtucker@
+
+20120423
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2012/04/23 08:18:17
+ [channels.c]
+ fix function proto/source mismatch
+
+20120422
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2012/02/29 11:21:26
+ [ssh-keygen.c]
+ allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
+ - guenther at cvs.openbsd.org 2012/03/15 03:10:27
+ [session.c]
+ root should always be excluded from the test for /etc/nologin instead
+ of having it always enforced even when marked as ignorenologin. This
+ regressed when the logic was incompletely flipped around in rev 1.251
+ ok halex@ millert@
+ - djm at cvs.openbsd.org 2012/03/28 07:23:22
+ [PROTOCOL.certkeys]
+ explain certificate extensions/crit split rationale. Mention requirement
+ that each appear at most once per cert.
+ - dtucker at cvs.openbsd.org 2012/03/29 23:54:36
+ [channels.c channels.h servconf.c]
+ Add PermitOpen none option based on patch from Loganaden Velvindron
+ (bz #1949). ok djm@
+ - djm at cvs.openbsd.org 2012/04/11 13:16:19
+ [channels.c channels.h clientloop.c serverloop.c]
+ don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
+ while; ok deraadt@ markus@
+ - djm at cvs.openbsd.org 2012/04/11 13:17:54
+ [auth.c]
+ Support "none" as an argument for AuthorizedPrincipalsFile to indicate
+ no file should be read.
+ - djm at cvs.openbsd.org 2012/04/11 13:26:40
+ [sshd.c]
+ don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
+ while; ok deraadt@ markus@
+ - djm at cvs.openbsd.org 2012/04/11 13:34:17
+ [ssh-keyscan.1 ssh-keyscan.c]
+ now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
+ look for them by default; bz#1971
+ - djm at cvs.openbsd.org 2012/04/12 02:42:32
+ [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
+ VersionAddendum option to allow server operators to append some arbitrary
+ text to the SSH-... banner; ok deraadt@ "don't care" markus@
+ - djm at cvs.openbsd.org 2012/04/12 02:43:55
+ [sshd_config sshd_config.5]
+ mention AuthorizedPrincipalsFile=none default
+ - djm at cvs.openbsd.org 2012/04/20 03:24:23
+ [sftp.c]
+ setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...)
+ - jmc at cvs.openbsd.org 2012/04/20 16:26:22
+ [ssh.1]
+ use "brackets" instead of "braces", for consistency;
+
20120420
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update for release 6.0
Modified: vendor-crypto/openssh/dist/PROTOCOL.certkeys
==============================================================================
--- vendor-crypto/openssh/dist/PROTOCOL.certkeys Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/PROTOCOL.certkeys Wed Aug 29 15:55:54 2012 (r239849)
@@ -162,6 +162,13 @@ extensions is a set of zero or more opti
are not critical, and an implementation that encounters one that it does
not recognise may safely ignore it.
+Generally, critical options are used to control features that restrict
+access where extensions are used to enable features that grant access.
+This ensures that certificates containing unknown restrictions do not
+inadvertently grant access while allowing new protocol features to be
+enabled via extensions without breaking certificates' backwards
+compatibility.
+
The reserved field is currently unused and is ignored in this version of
the protocol.
@@ -189,7 +196,7 @@ is a sequence of zero or more tuples:
string data
Options must be lexically ordered by "name" if they appear in the
-sequence.
+sequence. Each named option may only appear once in a certificate.
The name field identifies the option and the data field encodes
option-specific information (see below). All options are
@@ -220,7 +227,9 @@ Extensions
The extensions section of the certificate specifies zero or more
non-critical certificate extensions. The encoding and ordering of
-extensions in this field is identical to that of the critical options.
+extensions in this field is identical to that of the critical options,
+as is the requirement that each name appear only once.
+
If an implementation does not recognise an extension, then it should
ignore it.
@@ -253,4 +262,4 @@ permit-user-rc empty Fl
of this script will not be permitted if
this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.8 2010/08/31 11:54:45 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $
Modified: vendor-crypto/openssh/dist/PROTOCOL.mux
==============================================================================
--- vendor-crypto/openssh/dist/PROTOCOL.mux Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/PROTOCOL.mux Wed Aug 29 15:55:54 2012 (r239849)
@@ -110,9 +110,9 @@ A client may request the master to estab
uint32 request id
uint32 forwarding type
string listen host
- string listen port
+ uint32 listen port
string connect host
- string connect port
+ uint32 connect port
forwarding type may be MUX_FWD_LOCAL, MUX_FWD_REMOTE, MUX_FWD_DYNAMIC.
@@ -135,9 +135,9 @@ A client may request the master to close
uint32 request id
uint32 forwarding type
string listen host
- string listen port
+ uint32 listen port
string connect host
- string connect port
+ uint32 connect port
A server may reply with a MUX_S_OK, a MUX_S_PERMISSION_DENIED or a
MUX_S_FAILURE.
@@ -219,4 +219,4 @@ XXX inject packet (what about replies)
XXX server->client error/warning notifications
XXX send signals via mux
-$OpenBSD: PROTOCOL.mux,v 1.8 2011/09/09 00:44:07 djm Exp $
+$OpenBSD: PROTOCOL.mux,v 1.9 2012/06/01 00:49:35 djm Exp $
Modified: vendor-crypto/openssh/dist/README
==============================================================================
--- vendor-crypto/openssh/dist/README Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/README Wed Aug 29 15:55:54 2012 (r239849)
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-6.0 for the release notes.
+See http://www.openssh.com/txt/release-6.1 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
-$Id: README,v 1.80 2012/04/20 04:11:04 djm Exp $
+$Id: README,v 1.81 2012/08/22 11:57:13 djm Exp $
Modified: vendor-crypto/openssh/dist/addrmatch.c
==============================================================================
--- vendor-crypto/openssh/dist/addrmatch.c Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/addrmatch.c Wed Aug 29 15:55:54 2012 (r239849)
@@ -1,4 +1,4 @@
-/* $OpenBSD: addrmatch.c,v 1.5 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */
/*
* Copyright (c) 2004-2008 Damien Miller <djm at mindrot.org>
@@ -318,7 +318,7 @@ addr_pton_cidr(const char *p, struct xad
char addrbuf[64], *mp, *cp;
/* Don't modify argument */
- if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) > sizeof(addrbuf))
+ if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) >= sizeof(addrbuf))
return -1;
if ((mp = strchr(addrbuf, '/')) != NULL) {
Modified: vendor-crypto/openssh/dist/auth-krb5.c
==============================================================================
--- vendor-crypto/openssh/dist/auth-krb5.c Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/auth-krb5.c Wed Aug 29 15:55:54 2012 (r239849)
@@ -226,7 +226,7 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret;
+ int tmpfd, ret, oerrno;
char ccname[40];
mode_t old_umask;
@@ -237,16 +237,18 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
+ oerrno = errno;
umask(old_umask);
if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(errno));
- return errno;
+ logit("mkstemp(): %.100s", strerror(oerrno));
+ return oerrno;
}
if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
- logit("fchmod(): %.100s", strerror(errno));
+ oerrno = errno;
+ logit("fchmod(): %.100s", strerror(oerrno));
close(tmpfd);
- return errno;
+ return oerrno;
}
close(tmpfd);
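Review bot: When fchmod() fails, this branch closes the descriptor and returns, but the file that mkstemp() created at `ccname + strlen("FILE:")` stays on disk. Adding `unlink(ccname + strlen("FILE:"));` before `return oerrno;` would avoid leaving a stray credential-cache file behind on the error path. Since `oerrno` is already captured, the extra call cannot disturb the returned value. ssh_krb5_cc_gen continues past the end of this hunk.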
Modified: vendor-crypto/openssh/dist/auth-passwd.c
==============================================================================
--- vendor-crypto/openssh/dist/auth-passwd.c Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/auth-passwd.c Wed Aug 29 15:55:54 2012 (r239849)
@@ -209,6 +209,7 @@ sys_auth_passwd(Authctxt *authctxt, cons
* Authentication is accepted if the encrypted passwords
* are identical.
*/
- return (strcmp(encrypted_password, pw_password) == 0);
+ return encrypted_password != NULL &&
+ strcmp(encrypted_password, pw_password) == 0;
}
#endif
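Review bot: A NULL result from crypt() now ends in an ordinary authentication failure with nothing logged, so an operator cannot tell a hashing failure from a wrong password. The assignment to `encrypted_password` is outside this hunk, so only the return statement is visible here. A diagnostic before the return, for example `if (encrypted_password == NULL) debug("%s: crypt() returned NULL", __func__);`, would make the condition traceable without exposing any secret material.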
Modified: vendor-crypto/openssh/dist/auth.c
==============================================================================
--- vendor-crypto/openssh/dist/auth.c Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/auth.c Wed Aug 29 15:55:54 2012 (r239849)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.94 2011/05/23 03:33:38 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.96 2012/05/13 01:42:32 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -357,7 +357,8 @@ expand_authorized_keys(const char *filen
char *
authorized_principals_file(struct passwd *pw)
{
- if (options.authorized_principals_file == NULL)
+ if (options.authorized_principals_file == NULL ||
+ strcasecmp(options.authorized_principals_file, "none") == 0)
return NULL;
return expand_authorized_keys(options.authorized_principals_file, pw);
}
@@ -544,9 +545,10 @@ getpwnamallow(const char *user)
#endif
#endif
struct passwd *pw;
+ struct connection_info *ci = get_connection_info(1, options.use_dns);
- parse_server_match_config(&options, user,
- get_canonical_hostname(options.use_dns), get_remote_ipaddr());
+ ci->user = user;
+ parse_server_match_config(&options, ci);
#if defined(_AIX) && defined(HAVE_SETAUTHDB)
aix_setauthdb(user);
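Review bot: `ci->user = user` stores the caller's pointer in the struct returned by get_connection_info(), and `ci` is dereferenced without a NULL check. That function is defined outside this hunk, so it is not visible whether it can return NULL or hands back shared storage. If the struct is shared between calls, the borrowed pointer outlives this function, which deserves a comment such as `/* ci->user borrows 'user'; only valid while getpwnamallow() runs */`. getpwnamallow's body starts and ends outside the hunk.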
Modified: vendor-crypto/openssh/dist/channels.c
==============================================================================
--- vendor-crypto/openssh/dist/channels.c Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/channels.c Wed Aug 29 15:55:54 2012 (r239849)
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.315 2011/09/23 07:45:05 markus Exp $ */
+/* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -311,6 +311,7 @@ channel_new(char *ctype, int type, int r
c->istate = CHAN_INPUT_OPEN;
c->flags = 0;
channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0);
+ c->notbefore = 0;
c->self = found;
c->type = type;
c->ctype = ctype;
@@ -1339,6 +1340,8 @@ channel_post_x11_listener(Channel *c, fd
}
if (newsock < 0) {
error("accept: %.100s", strerror(errno));
+ if (errno == EMFILE || errno == ENFILE)
+ c->notbefore = time(NULL) + 1;
return;
}
set_nodelay(newsock);
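Review bot: `errno` is tested after the call to `error()`, so the EMFILE/ENFILE back-off only triggers reliably if the logging path leaves errno untouched; error() is defined outside this diff, so that cannot be confirmed here. Capturing the value first, as the auth-krb5.c change in this same commit does, removes the dependency: `int oerrno = errno;` before the `error(...)` call, then `if (oerrno == EMFILE || oerrno == ENFILE)`. The same pattern appears in the channel_post_port_listener, channel_post_auth_listener and channel_post_mux_listener hunks below. The function body starts and ends outside this hunk.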
@@ -1482,6 +1485,8 @@ channel_post_port_listener(Channel *c, f
newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
if (newsock < 0) {
error("accept: %.100s", strerror(errno));
+ if (errno == EMFILE || errno == ENFILE)
+ c->notbefore = time(NULL) + 1;
return;
}
set_nodelay(newsock);
@@ -1514,7 +1519,10 @@ channel_post_auth_listener(Channel *c, f
addrlen = sizeof(addr);
newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
if (newsock < 0) {
- error("accept from auth socket: %.100s", strerror(errno));
+ error("accept from auth socket: %.100s",
+ strerror(errno));
+ if (errno == EMFILE || errno == ENFILE)
+ c->notbefore = time(NULL) + 1;
return;
}
nc = channel_new("accepted auth socket",
@@ -1917,6 +1925,8 @@ channel_post_mux_listener(Channel *c, fd
if ((newsock = accept(c->sock, (struct sockaddr*)&addr,
&addrlen)) == -1) {
error("%s accept: %s", __func__, strerror(errno));
+ if (errno == EMFILE || errno == ENFILE)
+ c->notbefore = time(NULL) + 1;
return;
}
@@ -2067,16 +2077,21 @@ channel_garbage_collect(Channel *c)
}
static void
-channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset)
+channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset,
+ time_t *unpause_secs)
{
static int did_init = 0;
u_int i, oalloc;
Channel *c;
+ time_t now;
if (!did_init) {
channel_handler_init();
did_init = 1;
}
+ now = time(NULL);
+ if (unpause_secs != NULL)
+ *unpause_secs = 0;
for (i = 0, oalloc = channels_alloc; i < oalloc; i++) {
c = channels[i];
if (c == NULL)
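Review bot: `now = time(NULL)` is wall-clock time, and the next hunk compares it against `c->notbefore`, which the listeners set to `time(NULL) + 1`. If the system clock is stepped backwards while a listener is paused, the intended one-second back-off lasts as long as the step. A monotonic source where the platform offers one (for example `clock_gettime(CLOCK_MONOTONIC, ...)`) would keep the pause bounded. At minimum a comment on `notbefore` should state that it is wall-clock based. channel_handler's loop continues in the following hunk.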
@@ -2087,10 +2102,30 @@ channel_handler(chan_fn *ftab[], fd_set
else
continue;
}
- if (ftab[c->type] != NULL)
- (*ftab[c->type])(c, readset, writeset);
+ if (ftab[c->type] != NULL) {
+ /*
+ * Run handlers that are not paused.
+ */
+ if (c->notbefore <= now)
+ (*ftab[c->type])(c, readset, writeset);
+ else if (unpause_secs != NULL) {
+ /*
+ * Collect the time that the earliest
+ * channel comes off pause.
+ */
+ debug3("%s: chan %d: skip for %d more seconds",
+ __func__, c->self,
+ (int)(c->notbefore - now));
+ if (*unpause_secs == 0 ||
+ (c->notbefore - now) < *unpause_secs)
+ *unpause_secs = c->notbefore - now;
+ }
+ }
channel_garbage_collect(c);
}
+ if (unpause_secs != NULL && *unpause_secs != 0)
+ debug3("%s: first channel unpauses in %d seconds",
+ __func__, (int)*unpause_secs);
}
/*
@@ -2099,7 +2134,7 @@ channel_handler(chan_fn *ftab[], fd_set
*/
void
channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
- u_int *nallocp, int rekeying)
+ u_int *nallocp, time_t *minwait_secs, int rekeying)
{
u_int n, sz, nfdset;
@@ -2122,7 +2157,8 @@ channel_prepare_select(fd_set **readsetp
memset(*writesetp, 0, sz);
if (!rekeying)
- channel_handler(channel_pre, *readsetp, *writesetp);
+ channel_handler(channel_pre, *readsetp, *writesetp,
+ minwait_secs);
}
/*
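Review bot: On the rekeying path `channel_handler` is not called, so channel_prepare_select never writes `*minwait_secs` and the caller reads back whatever it passed in. The clientloop.c caller in this commit initialises its variable to 0, but that leaves the contract to every caller. Adding `if (minwait_secs != NULL) *minwait_secs = 0;` before the `if (!rekeying)` test would make the out-parameter always defined. The function's signature and opening lines are in the previous hunk.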
@@ -2132,7 +2168,7 @@ channel_prepare_select(fd_set **readsetp
void
channel_after_select(fd_set *readset, fd_set *writeset)
{
- channel_handler(channel_post, readset, writeset);
+ channel_handler(channel_post, readset, writeset, NULL);
}
@@ -3127,6 +3163,17 @@ channel_add_adm_permitted_opens(char *ho
}
void
+channel_disable_adm_local_opens(void)
+{
+ if (num_adm_permitted_opens == 0) {
+ permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
+ permitted_adm_opens[num_adm_permitted_opens].host_to_connect
+ = NULL;
+ num_adm_permitted_opens = 1;
+ }
+}
+
+void
channel_clear_permitted_opens(void)
{
int i;
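Review bot: The sentinel entry created in channel_disable_adm_local_opens sets only `host_to_connect`; `port_to_connect` keeps whatever the xmalloc'd memory held, and nothing here explains what a NULL host means. Setting `permitted_adm_opens[0].port_to_connect = 0;` would leave no uninitialised field for later readers of the array. A header comment would also help, such as `/* Install one NULL-host entry to represent "PermitOpen none"; no-op if entries already exist. */`. The no-op case matters because the function silently does nothing when `num_adm_permitted_opens` is non-zero, which callers presumably need to know.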
@@ -3167,7 +3214,9 @@ channel_print_adm_permitted_opens(void)
return;
}
for (i = 0; i < num_adm_permitted_opens; i++)
- if (permitted_adm_opens[i].host_to_connect != NULL)
+ if (permitted_adm_opens[i].host_to_connect == NULL)
+ printf(" none");
+ else
printf(" %s:%d", permitted_adm_opens[i].host_to_connect,
permitted_adm_opens[i].port_to_connect);
printf("\n");
Modified: vendor-crypto/openssh/dist/channels.h
==============================================================================
--- vendor-crypto/openssh/dist/channels.h Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/channels.h Wed Aug 29 15:55:54 2012 (r239849)
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.109 2011/09/23 07:45:05 markus Exp $ */
+/* $OpenBSD: channels.h,v 1.111 2012/04/11 13:16:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -105,6 +105,7 @@ struct Channel {
int wfd_isatty; /* wfd is a tty */
int client_tty; /* (client) TTY has been requested */
int force_drain; /* force close on iEOF */
+ time_t notbefore; /* Pause IO until deadline (time_t) */
int delayed; /* post-select handlers for newly created
* channels are delayed until the first call
* to a matching pre-select handler.
@@ -238,7 +239,8 @@ void channel_input_status_confirm(int,
/* file descriptor handling (read/write) */
-void channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int);
+void channel_prepare_select(fd_set **, fd_set **, int *, u_int*,
+ time_t*, int);
void channel_after_select(fd_set *, fd_set *);
void channel_output_poll(void);
@@ -253,6 +255,7 @@ void channel_set_af(int af);
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
int channel_add_adm_permitted_opens(char *, int);
+void channel_disable_adm_local_opens(void);
void channel_update_permitted_opens(int, int);
void channel_clear_permitted_opens(void);
void channel_clear_adm_permitted_opens(void);
Modified: vendor-crypto/openssh/dist/clientloop.c
==============================================================================
--- vendor-crypto/openssh/dist/clientloop.c Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/clientloop.c Wed Aug 29 15:55:54 2012 (r239849)
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.240 2012/06/20 04:42:58 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -583,10 +583,12 @@ client_wait_until_can_do_something(fd_se
{
struct timeval tv, *tvp;
int timeout_secs;
+ time_t minwait_secs = 0;
int ret;
/* Add any selections by the channel mechanism. */
- channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying);
+ channel_prepare_select(readsetp, writesetp, maxfdp, nallocp,
+ &minwait_secs, rekeying);
if (!compat20) {
/* Read from the connection, unless our buffers are full. */
@@ -639,6 +641,8 @@ client_wait_until_can_do_something(fd_se
if (timeout_secs < 0)
timeout_secs = 0;
}
+ if (minwait_secs != 0)
+ timeout_secs = MIN(timeout_secs, (int)minwait_secs);
if (timeout_secs == INT_MAX)
tvp = NULL;
else {
Modified: vendor-crypto/openssh/dist/config.h.in
==============================================================================
--- vendor-crypto/openssh/dist/config.h.in Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/config.h.in Wed Aug 29 15:55:54 2012 (r239849)
@@ -822,6 +822,9 @@
/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS
+/* Define to 1 if you have the `setlinebuf' function. */
+#undef HAVE_SETLINEBUF
+
/* Define to 1 if you have the `setlogin' function. */
#undef HAVE_SETLOGIN
@@ -1374,6 +1377,9 @@
/* Sandbox using seccomp filter */
#undef SANDBOX_SECCOMP_FILTER
+/* setrlimit RLIMIT_FSIZE works */
+#undef SANDBOX_SKIP_RLIMIT_FSIZE
+
/* Sandbox using systrace(4) */
#undef SANDBOX_SYSTRACE
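Review bot: The comment `/* setrlimit RLIMIT_FSIZE works */` says the opposite of what `SANDBOX_SKIP_RLIMIT_FSIZE` means, because the configure hunk in this same commit defines the macro only in the branch where the RLIMIT_FSIZE run test fails. Wording such as `/* define if setrlimit RLIMIT_FSIZE does not work */` would keep a reader from assuming the file-size limit is in force when the macro is set. config.h.in is generated, so the text presumably has to change in the macro description in configure.ac.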
Modified: vendor-crypto/openssh/dist/configure
==============================================================================
--- vendor-crypto/openssh/dist/configure Wed Aug 29 15:53:27 2012 (r239848)
+++ vendor-crypto/openssh/dist/configure Wed Aug 29 15:55:54 2012 (r239849)
@@ -1,5 +1,5 @@
#! /bin/sh
-# From configure.ac Revision: 1.489 .
+# From configure.ac Revision: 1.496 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.68 for OpenSSH Portable.
#
@@ -6927,7 +6927,8 @@ $as_echo "#define SSH_TUN_PREPEND_AF 1"
for ac_header in linux/seccomp.h linux/filter.h linux/audit.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include <linux/types.h>
+"
if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
@@ -9137,8 +9138,9 @@ LIBEDIT_MSG="no"
if test "${with_libedit+set}" = set; then :
withval=$with_libedit; if test "x$withval" != "xno" ; then
if test "x$withval" = "xyes" ; then
- # Extract the first word of "pkg-config", so it can be a program name with args.
-set dummy pkg-config; ac_word=$2
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_path_PKGCONFIG+:} false; then :
@@ -9164,7 +9166,6 @@ done
done
IFS=$as_save_IFS
- test -z "$ac_cv_path_PKGCONFIG" && ac_cv_path_PKGCONFIG="no"
;;
esac
fi
@@ -9178,6 +9179,63 @@ $as_echo "no" >&6; }
fi
+fi
+if test -z "$ac_cv_path_PKGCONFIG"; then
+ ac_pt_PKGCONFIG=$PKGCONFIG
+ # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_ac_pt_PKGCONFIG+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $ac_pt_PKGCONFIG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_ac_pt_PKGCONFIG="$ac_pt_PKGCONFIG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_path_ac_pt_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+ac_pt_PKGCONFIG=$ac_cv_path_ac_pt_PKGCONFIG
+if test -n "$ac_pt_PKGCONFIG"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKGCONFIG" >&5
+$as_echo "$ac_pt_PKGCONFIG" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+ if test "x$ac_pt_PKGCONFIG" = x; then
+ PKGCONFIG="no"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+ PKGCONFIG=$ac_pt_PKGCONFIG
+ fi
+else
+ PKGCONFIG="$ac_cv_path_PKGCONFIG"
+fi
+
if test "x$PKGCONFIG" != "xno"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $PKGCONFIG knows about libedit" >&5
$as_echo_n "checking if $PKGCONFIG knows about libedit... " >&6; }
@@ -9499,6 +9557,7 @@ for ac_func in \
seteuid \
setgroupent \
setgroups \
+ setlinebuf \
setlogin \
setpassent\
setpcred \
@@ -11784,6 +11843,109 @@ if test "${with_sandbox+set}" = set; the
fi
+
+# Some platforms (seems to be the ones that have a kernel poll(2)-type
+# function with which they implement select(2)) use an extra file descriptor
+# when calling select(2), which means we can't use the rlimit sandbox.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if select works with descriptor rlimit" >&5
+$as_echo_n "checking if select works with descriptor rlimit... " >&6; }
+if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5
+$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;}
+
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#include <sys/resource.h>
+#ifdef HAVE_SYS_SELECT_H
+# include <sys/select.h>
+#endif
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+
+int
+main ()
+{
+
+ struct rlimit rl_zero;
+ int fd, r;
+ fd_set fds;
+
+ fd = open("/dev/null", O_RDONLY);
+ FD_ZERO(&fds);
+ FD_SET(fd, &fds);
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ setrlimit(RLIMIT_FSIZE, &rl_zero);
+ setrlimit(RLIMIT_NOFILE, &rl_zero);
+ r = select(fd+1, &fds, NULL, NULL, NULL);
+ exit (r == -1 ? 1 : 0);
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ select_works_with_rlimit=yes
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ select_works_with_rlimit=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit RLIMIT_FSIZE works" >&5
+$as_echo_n "checking if setrlimit RLIMIT_FSIZE works... " >&6; }
+if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5
+$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;}
+
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <stdlib.h>
+
+int
+main ()
+{
+
+ struct rlimit rl_zero;
+
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+$as_echo "#define SANDBOX_SKIP_RLIMIT_FSIZE 1" >>confdefs.h
+
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+
if test "x$sandbox_arg" = "xsystrace" || \
( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
test "x$have_systr_policy_kill" != "x1" && \
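Review bot: `select_works_with_rlimit` is never assigned when cross-compiling: the `"$cross_compiling" = yes` branch of the select check only prints "assuming yes", while `select_works_with_rlimit=yes` and `=no` are set solely in the run-test branches. The sandbox selection later in this commit compares `"x$select_works_with_rlimit"` with `xyes`, so a cross build would not pick the rlimit sandbox automatically and would hit the new `as_fn_error` when it is requested explicitly. Adding `select_works_with_rlimit=yes` after the warning would make the result match the message. configure is generated, so the change belongs in configure.ac. Separately, the test program passes the result of `open("/dev/null", O_RDONLY)` to `FD_SET` without checking it for -1.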
@@ -11804,7 +11966,7 @@ $as_echo "#define SANDBOX_DARWIN 1" >>co
elif test "x$sandbox_arg" = "xseccomp_filter" || \
( test -z "$sandbox_arg" && \
- test "x$have_seccomp_filter" == "x1" && \
+ test "x$have_seccomp_filter" = "x1" && \
test "x$ac_cv_header_linux_audit_h" = "xyes" && \
test "x$have_seccomp_audit_arch" = "x1" && \
test "x$have_linux_no_new_privs" = "x1" && \
@@ -11822,9 +11984,12 @@ elif test "x$sandbox_arg" = "xseccomp_fi
$as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h
elif test "x$sandbox_arg" = "xrlimit" || \
- ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
+ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
+ test "x$select_works_with_rlimit" == "xyes" ) ; then
test "x$ac_cv_func_setrlimit" != "xyes" && \
as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5
+ test "x$select_works_with_rlimit" != "xyes" && \
+ as_fn_error $? "rlimit sandbox requires select to work with rlimit" "$LINENO" 5
SANDBOX_STYLE="rlimit"
$as_echo "#define SANDBOX_RLIMIT 1" >>confdefs.h
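Review bot: The added `test "x$select_works_with_rlimit" == "xyes"` uses `==`, which POSIX `test` does not define, in a script that starts with `#! /bin/sh`. The preceding hunk of this same commit replaces exactly that operator with `=` in the `have_seccomp_filter` test. On a shell whose `test` rejects `==` the condition is false, so the rlimit sandbox would not be auto-selected even where it works. What the rest of the `elif` chain falls back to is outside the hunk. Use `test "x$select_works_with_rlimit" = "xyes"`, fixed in configure.ac since configure is generated.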
@@ -14118,7 +14283,7 @@ $as_echo_n "checking if struct statvfs.f
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-#include <sys/types.h>
+#include <sys/param.h>
#include <sys/stat.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
@@ -16077,13 +16242,16 @@ rm -f core *.core core.conftest.* gmon.o
fi
# make sure $bindir is in USER_PATH so scp will work
- t_bindir=`eval echo ${bindir}`
- case $t_bindir in
- NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
- esac
- case $t_bindir in
- NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***