- (djm) [configure.ac] Warn if the system has no known way of figuring out

   which user is on the other end of a Unix domain socket; ok dtucker@

1 files changed, 25 insertions, 1 deletions

diff --git a/configure.ac b/configure.ac
index 850205cc..76ac0e06 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.217 2004/05/13 01:56:17 dtucker Exp $
+# $Id: configure.ac,v 1.218 2004/05/23 04:09:40 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -926,6 +926,20 @@ int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
 	)
 fi
 
+# Check for missing getpeereid (or equiv) support
+NO_PEERCHECK=""
+if test "x$ac_cv_func_getpeereid" != "xyes" ; then
+	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
+	AC_TRY_COMPILE(
+		[#include <sys/types.h>
+		 #include <sys/socket.h>],
+		[int i = SO_PEERCRED;],
+		[AC_MSG_RESULT(yes)],
+		[AC_MSG_RESULT(no)
+		NO_PEERCHECK=1]
+        )
+fi
+
 dnl see whether mkstemp() requires XXXXXX
 if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
 AC_MSG_CHECKING([for (overly) strict mkstemp])
@@ -2975,3 +2989,13 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then
 	echo ""
 fi
 
+if test ! -z "$NO_PEERCHECK" ; then
+	echo "WARNING: the operating system that you are using does not "
+	echo "appear to support either the getpeereid() API nor the "
+	echo "SO_PEERCRED getsockopt() option. These facilities are used to "
+	echo "enforce security checks to prevent unauthorised connections to "
+	echo "ssh-agent. Their absence increases the risk that a malicious "
+	echo "user can connect to your agent. "
+	echo ""
+fi
+