ProFTPD 1.3.x README.AIX
========================

Introduction
------------

There are two issues when compiling on AIX systems that can be worked
around using the proper configure command lines.

One problem involves the less than optimal default shared object search
path that the IBM linker inserts into executables. The second problem is
compilation failure stemming from an incompatibility with the <string.h>
header file when the IBM compiler attempts to inline some string functions.

Also, a minor usage note: do NOT use the --enable-autoshadow or --enable-shadow
configure options when configuring ProFTPD for AIX. AIX does not use
the shadow libraries.

Executive Summary
-----------------

If you are using the IBM xlc/cc compiler with the IBM ld linker:

    % env CC=cc \
          CFLAGS='-D_NO_PROTO' \
          LDFLAGS='-blibpath:/usr/lib:/lib:/usr/local/lib' \
          ./configure ...

If you are using the GNU gcc compiler with the IBM ld linker:

    % env CC=gcc \
          LDFLAGS='-Wl,-blibpath:/usr/lib:/lib:/usr/local/lib' \
          ./configure ...

If you are using the GNU gcc compiler with the GNU ld linker,
something like this ought to work (untested):

    % env CC=gcc \
          LDFLAGS='-Wl,-rpath,/usr/lib,-rpath,/lib,-rpath,/usr/local/lib' \
          ./configure ...

Note that the library paths shown here are for example use only.
You may need to use different paths on your system, particularly when
linking with any optional libraries (e.g. krb5, ldap, mysql, etc.).

Compiling with the GNU compiler
-------------------------------

It is recommended that gcc-3.3.2 *not* be used when compiling proftpd on AIX.
There were problems reported of session processes going into endless loops.
Using gcc-4.1.0 should work properly.

Linking with the IBM or GNU linker
----------------------------------

There is a potential security problem when using the IBM linker.
Unlike other Unix systems, by default the IBM linker automatically will
use the compile time library search path as the runtime shared library
search path. The use of relative paths in the runtime library search
path is an especially acute security problem for suid or sgid programs.
This default behavior is documented, so it is not considered a bug by IBM.
However, some suid programs that have shipped with AIX have included insecure
library search paths and are vulnerable to privilege elevation exploits.

This may not be such a serious security problem for ProFTPD, since it
is not installed suid or sgid. Nonetheless, it is wise to configure the
runtime shared library search path with a reasonable setting. For instance,
consider potential problems from searching NFS mounted directories.

An existing AIX executable's library search path can be displayed:

    % dump -H progname

The runtime library search path should be specified explicitly at
build time using the -blibpath option:

    % cc -blibpath:/usr/lib:/lib:/usr/local/lib
    % gcc -Wl,-blibpath:/usr/lib:/lib:/usr/local/lib

See the ld documentation, not just that of xlc/cc, for further information
on the IBM linker flags. Alternatively, an insecure library search path
can be avoided using -bnolibpath, which causes the default path to be used
(either the value of the LIBPATH environment variable, if defined, or
/usr/lib:/lib, if not).

It has been reported that at least some versions of GNU ld (e.g. 2.9.1)
have emulated this default linking behavior on AIX platforms. However,
GNU ld uses -rpath to set the runtime library search path, rather than
the IBM ld -blibpath or the Sun ld -R options:

    % gcc -Wl,-rpath,/usr/lib,-rpath,/lib,-rpath,/usr/local/lib

Again, consult the GNU ld documentation for further information.
Note that using the gcc compiler does not imply that it uses the GNU
ld linker. In fact, it is more common to use the IBM system linker.

The upshot of all this is that you should tell configure what to use
for the runtime shared library search path. This can be done by setting
LDFLAGS on the configure command line, possibly like this:

    % env CC=cc LDFLAGS='-blibpath:/usr/lib:/lib:/usr/local/lib' \
          ./configure ...

    % env CC=gcc LDFLAGS='-Wl,-blibpath:/usr/lib:/lib:/usr/local/lib' \
          ./configure ...

In addition to setting the runtime library search path during the original
software build, the IBM linker can relink an existing *unstripped* executable
using a new runtime library search path:

    % cc -blibpath:/usr/lib:/lib:/usr/local/lib -lm -ldl \
          -o progname.new progname

    % gcc -Wl,-blibpath:/usr/lib:/lib:/usr/local/lib -lm -ldl \
          -o progname.new progname

where the "-l" options refer to shared libraries, which can be determined
from the output of:

    % dump -Hv progname

which displays shared library information. A basic proftpd executable
probably will not require any "-l" options at all.
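
The check described in this section, as an added example (not part of the
ProFTPD README or code): a small shell audit that pulls the search path out
of "dump -H" output and flags relative, empty or unexpected directories.
The sample dump text is constructed, its layout (search path on the INDEX 0
row) is an assumption, and the function names and TRUSTED list are hypothetical.

```shell
#!/bin/sh
# Added example: audit the runtime library search path reported by `dump -H`.

# Directories accepted in the path. Assumption: the README's example paths.
TRUSTED="/usr/lib /lib /usr/local/lib"

# Constructed sample standing in for `dump -H progname` output; the
# "Import File Strings" layout (search path on the INDEX 0 row) is assumed.
sample_dump() {
cat <<'EOF'
progname:

                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      ../lib:/home/build/proftpd/lib:/usr/lib:/lib
1                                    libc.a              shr.o
EOF
}

# Read dump -H output on stdin, print the search path from the INDEX 0 row.
libpath_from_dump() {
    awk '$1 == "INDEX" && $2 == "PATH" { seen = 1; next }
         seen && $1 == "0"             { print $2; exit }'
}

# Print one finding per line for a colon-separated path; nothing if clean.
check_libpath() {
    lp=$1
    # An empty component is not an absolute directory, so report it.
    case "$lp" in
        ""|:*|*:|*::*) echo "EMPTY: empty component in path" ;;
    esac
    old_ifs=$IFS
    set -f; IFS=:
    set -- $lp            # split on ':' only, no globbing
    IFS=$old_ifs; set +f
    for dir in "$@"; do
        case "$dir" in
            "") ;;                                   # reported above
            /*) case " $TRUSTED " in
                    *" $dir "*) ;;                   # absolute and expected
                    *) echo "UNTRUSTED: $dir" ;;
                esac ;;
            *)  echo "RELATIVE: $dir" ;;
        esac
    done
}

# On AIX: dump -H /path/to/proftpd | libpath_from_dump
check_libpath "$(sample_dump | libpath_from_dump)"
```

A path that produces no findings contains only absolute directories from
the TRUSTED list; adjust that list to the directories your build really needs.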

Compiling with the IBM xlc/cc compiler
--------------------------------------

There is a problem with the index and rindex macros defined in <string.h>.
Apparently, these are used as part of an attempt to inline string functions
when the __STR__ C preprocessor macro is defined. Conflicts with these
definitions will cause compilation failures.

The work-around is to undefine the __STR__ C preprocessor macro, which
is predefined by the IBM compiler. This can be done on the configure
command line by adding '-U__STR__' to the CPPFLAGS variable:

    % env CC=cc CPPFLAGS='-U__STR__' ./configure ...

However, with newer versions of proftpd, it has been found that the following
combination works better when compiling:

    % env CC=cc CFLAGS='-D_NO_PROTO' ./configure ...

Sendfile support in AIX
-----------------------

It appears that the sendfile() function in AIX 5.3
(specifically AIX 5300-04-02) is faulty. If you are running proftpd-1.3.0
or later on AIX, place the following in your proftpd.conf:

    UseSendfile off

Failure to do so can result in downloads of files that end up being
the wrong size (downloaded files being far too large, etc).