I shall look at collecting the in-tree stuff. My servers are in the Netherlands, and I am in Austin atm. I have a meeting with the security team in about 30 minutes and I am going to mention libressl and get a discussion going.

One of the things I wanted to discuss is about priv escalation. Just to make sure I understand what is expected of issetugid() - could you perhaps, in terms of ls -l output with suid programs, describe the sequence(s) where the value should be 1 - and especially, when they might (read should) be 0. From memory of what I read (how I understood) the man page, if was superuser, and am still user - then 0 is appropriate. However, if was superuser (euid == 0) and a setuid call is used to demote/lower privilege then 1 is the correct value. Also, if euid != 0 and an suid bit makes euid == 0 then the value should be one. Lastly, I am thinking that if a program starts as euid (even ruid) == 0, but used setuid to implement a safe-mode (i.e., not running as root) issetugid() should also return 1.

I just repeated the process of configure, make, make check - but with OBJECT_MODE=64 and one test fails: asn1test. No time to look at it right now. This evening I will download the tree and test. Atm I am testing with no openssl installed.

I would like to be able to run the whole process without needing autoconf/automake (because that requires additional libraries). And I need to figure out a better way to get the libraries to take a suffix of _64 so I can have both 32 and 64 bit support - eventually. Adding the configure setting: --program-suffix="_64" did not have any effect I could discover.

re: the library loader - you can see what libpath is compiled into a program and/or a library member using "dump -H". At least, that is how I examine it.

regards,
Michael

On Wed, Apr 8, 2015 at 10:28 PM, Brent Cook <bust...@gmail.com> wrote:
> Thanks Michael,
>
> I have incorporated some initial AIX patches - can you please check out
> the latest tree?
>
> https://github.com/libressl-portable/portable/commit/fe3f7fc6365bfaac3418a72256b8c11603e80cbf
> https://github.com/libressl-portable/openbsd/commit/37d8e3c080e7c73158093f253d8e06fa1906dc03
>
> There are a few changes from your original patch set, but this should make
> it easier to move forward now that they are in-tree. You can just patch on
> top of that rather than sending the whole thing.
>
> I undid some of the formatting changes for the getentropy file so it
> matched the other files - the style is intentional between the files so it's
> easy to diff between them to spot changes. The perfstat stuff moves into
> the inner loop like the other files as well. I added the network counters
> (we have network counters on OS X too), but also added wpar cpu stats.
>
> The issetugid currently short circuits to always return '1' because I
> think it still needs some work, as we discussed earlier. If we can't find a
> way to make it work, a failsafe version isn't really a bad thing for most
> uses.
>
> Also, I didn't add the configure.ac line that set CFLAGS to empty string
> that was in the original patch. The current master branch has switched to
> letting autoconf initialize the CFLAGS directly. This worked fine with gcc
> when I tried it, but I'd be interested in seeing how it works with other
> AIX compilers.
>
> One slightly annoying thing I found was the system library loader would
> find other versions of libcrypto.a / libssl.a under LIBPATH and try to load
> those when running binaries in-tree rather than the build versions. I don't
> know if that was just a misconfiguration with my system.
>
> - Brent
>
>> On Apr 8, 2015, at 9:19 PM, Michael Felt <aixto...@gmail.com> wrote:
>>
>> I applied the patch I had sent in before, made one change (correction) -
>> correcting a typo that Brent had pointed out (netinfo that needs to be
>> "diskinfo") in the getentropy_aix.c
>>
>> If you need the patch again, I can send it again. I am curious about
>> whether this is moving forward - and if there is anything extra I can do to
>> assist.
>>
>> ============================================================================
>> Testsuite summary for libressl 2.1.6
>> ============================================================================
>> # TOTAL: 47
>> # PASS: 47
>> # SKIP: 0
>> # XFAIL: 0
>> # FAIL: 0
>> # XPASS: 0
>> # ERROR: 0
>> ============================================================================
>>
>> regards,
>> Michael
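Two ways of answering the question Michael raises above, as an added example that is neither LibreSSL code nor either poster's: a real/effective-ID comparison, which covers the suid-bit case but not his last case (a root process that dropped privilege with setuid()), and a wrapper that asks the OS where it can (issetugid() on the BSDs and macOS, AT_SECURE on Linux) and otherwise falls back to the failsafe 1 that Brent describes. The function names are mine.

```c
/* Added example, not LibreSSL code: why comparing IDs is not enough and
 * what a portable issetugid() wrapper can do instead. */
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

/* Heuristic: compare real and effective IDs. Gives 1 when an suid/sgid
 * bit changed the effective ID, but 0 for a process that started as root
 * and then called setuid() to drop privilege: afterwards ruid == euid
 * again, although its environment was never trustworthy. */
int ids_look_changed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return (ruid != euid || rgid != egid) ? 1 : 0;
}

/* Wrapper: use the kernel's own record of the exec where one exists,
 * otherwise assume privilege (the failsafe the AIX stub returns). */
int portable_issetugid(void)
{
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) \
    || defined(__DragonFly__) || defined(__APPLE__)
    return issetugid();
#elif defined(__linux__)
    /* AT_SECURE is set by the kernel at exec time for setuid/setgid (or
     * capability-bearing) binaries and survives a later setuid() drop. */
    return getauxval(AT_SECURE) != 0;
#else
    return 1;   /* failsafe: treat the environment as untrusted */
#endif
}

/* Typical consumer: honour environment overrides (config paths, module
 * directories, ...) only when the process is not setugid. */
const char *safe_getenv(const char *name, int setugid)
{
    return setugid ? NULL : getenv(name);
}
```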