From: Jeff Aitken
To: freebsd-security@FreeBSD.org
Date: Wed, 12 Jan 2005 15:24:58 -0500
Subject: Re: MIT Kerberos and OpenSSH
Message-ID: <20050112202458.GA4065@eagle.aitken.com>

On Wed, Jan 12, 2005 at 10:33:28AM -0500, Tom Rhodes wrote:
> > There must be a way to get the base system openssh to build against
> > the installed MIT port.
>
> Have you asked Mark Murray about this?  I think he has worked
> with Kerberos in the base system.

On a related note, when building the krb5 port in FreeBSD-5.3, it
appears that ksu is not installed.
I'm not sure I understand fully why this is the case, but it appears
that the following lines in /usr/ports/security/krb5/Makefile:

    CONFIGURE_ENV=  INSTALL="${INSTALL}" YACC=/usr/bin/yacc \
                    CFLAGS="${CFLAGS}"
    MAKE_ARGS=      INSTALL="${INSTALL}"

clobber the value of INSTALL in several of the generated Makefiles.
This only appears to affect ksu because it is the only one where the
install target references INSTALL_SETUID.  After running a 'make' in
the top level, this is what you get in src/clients/Makefile:

    INSTALL=install
    INSTALL_STRIP=
    INSTALL_PROGRAM=install -s -o root -g wheel -m 555 $(INSTALL_STRIP)
    INSTALL_SCRIPT=install -o root -g wheel -m 555
    INSTALL_DATA=install -o root -g wheel -m 444
    INSTALL_SHLIB=@INSTALL_SHLIB@
    INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root

Note that INSTALL_SETUID references INSTALL, which is not defined as I
would expect; I think the correct value should look like this:

    INSTALL=/usr/bin/install -c -o root -g wheel

Most of the other executables that get installed seem to reference
INSTALL_PROGRAM directly.

Also interesting is that src/clients/ksu/Makefile appears to lack a
defined install-unix target.  All of the other Makefiles have something
that looks like this:

    install-unix::
            for f in klist; do \
              $(INSTALL_PROGRAM) $$f \
                    $(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
              $(INSTALL_DATA) $(srcdir)/$$f.M \
                    $(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
            done

I don't know if this is a problem or not.

Anyway, if you remove the CONFIGURE_ENV and MAKE_ARGS definitions in
/usr/ports/security/krb5/Makefile, you get a "correct" Makefile in
src/clients/ksu:

    INSTALL=/usr/bin/install -c -o root -g wheel
    INSTALL_STRIP=
    INSTALL_PROGRAM=install -s -o root -g wheel -m 555 $(INSTALL_STRIP)
    INSTALL_SCRIPT=install -o root -g wheel -m 555
    INSTALL_DATA=install -o root -g wheel -m 444
    INSTALL_SHLIB=@INSTALL_SHLIB@
    INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root

The krb5 Makefiles are a maze of indirection so I'm not sure I have
this figured out, but figured I'd toss it out and see if anyone else
can confirm or deny.

--Jeff
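
Added example, not part of the message above or of the krb5 port: a shell helper that expands INSTALL_SETUID from a generated Makefile, so the setuid install command can be compared under the two INSTALL definitions quoted in the message. The name expand_make_var and the file names are made up for this example, and the two sample files are constructed from the quoted lines.

```shell
#!/bin/sh
# expand_make_var FILE VAR (hypothetical helper name)
# Print VAR from FILE with $(NAME) references expanded recursively.
# Only simple NAME=value lines are read; undefined names expand to
# nothing, as they do in make.
expand_make_var() {
    awk -v want="$2" '
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            eq = index($0, "=")
            name = substr($0, 1, eq - 1); gsub(/[ \t]+$/, "", name)
            val = substr($0, eq + 1);     sub(/^[ \t]+/, "", val)
            vars[name] = val
        }
        function expand(s, depth,    out, pre, ref) {
            if (depth > 16) return s      # guard against self-reference
            out = ""
            while (match(s, /\$\([A-Za-z_][A-Za-z0-9_]*\)/)) {
                # Copy the pieces first: the recursive call resets RSTART/RLENGTH.
                ref = substr(s, RSTART + 2, RLENGTH - 3)
                pre = substr(s, 1, RSTART - 1)
                s = substr(s, RSTART + RLENGTH)
                out = out pre expand(vars[ref], depth + 1)
            }
            return out s
        }
        END {
            v = expand(vars[want], 0)
            gsub(/[ \t]+/, " ", v)        # collapse gaps left by empty variables
            print v
        }
    ' "$1"
}

# Constructed sample input: the INSTALL* lines quoted in the message.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/clobbered.mk" <<'EOF'
INSTALL=install
INSTALL_STRIP=
INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
EOF
cat > "$tmp/expected.mk" <<'EOF'
INSTALL=/usr/bin/install -c -o root -g wheel
INSTALL_STRIP=
INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
EOF
for f in clobbered expected; do
    printf '%s: %s\n' "$f" "$(expand_make_var "$tmp/$f.mk" INSTALL_SETUID)"
done
```

Pointed at the real src/clients/ksu/Makefile after a build, the same function shows which form of the command the port actually generated.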