- (djm) [configure.ac] Warn if the system has no known way of figuring out
which user is on the other end of a Unix domain socket; ok dtucker@
diff --git a/configure.ac b/configure.ac
index 850205c..76ac0e0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.217 2004/05/13 01:56:17 dtucker Exp $
+# $Id: configure.ac,v 1.218 2004/05/23 04:09:40 djm Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
@@ -926,6 +926,20 @@
)
fi
+# Check for missing getpeereid (or equiv) support
+NO_PEERCHECK=""
+if test "x$ac_cv_func_getpeereid" != "xyes" ; then
+ AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
+ AC_TRY_COMPILE(
+ [#include <sys/types.h>
+ #include <sys/socket.h>],
+ [int i = SO_PEERCRED;],
+ [AC_MSG_RESULT(yes)],
+ [AC_MSG_RESULT(no)
+ NO_PEERCHECK=1]
+ )
+fi
+
dnl see whether mkstemp() requires XXXXXX
if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
AC_MSG_CHECKING([for (overly) strict mkstemp])
@@ -2975,3 +2989,13 @@
echo ""
fi
+if test ! -z "$NO_PEERCHECK" ; then
+ echo "WARNING: the operating system that you are using does not "
+ echo "appear to support either the getpeereid() API nor the "
+ echo "SO_PEERCRED getsockopt() option. These facilities are used to "
+ echo "enforce security checks to prevent unauthorised connections to "
+ echo "ssh-agent. Their absence increases the risk that a malicious "
+ echo "user can connect to your agent. "
+ echo ""
+fi
+