Accepting request 19015 from Base:System

Copy from Base:System/openssh based on submit request 19015 from user coolo OBS-URL: https://build.opensuse.org/request/show/19015 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=31
2009-08-27 22:21:56 +00:00 · 2009-08-27 22:21:56 +00:00 · 0a76e8dc3a
commit 0a76e8dc3a
parent f38f3e98f9
4 changed files with 172 additions and 2 deletions
--- a/openssh-5.2p1-homechroot.patch
+++ b/openssh-5.2p1-homechroot.patch
@ -0,0 +1,162 @@
+++ openssh-5.2p1/chrootenv.h
+++ openssh-5.2p1/chrootenv.h
+@@ -0,0 +1,32 @@
+/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */
+
+/*
+ * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef CHROOTENV_H
+#define CHROOTENV_H
+
+extern int	chroot_no_tree;
+
+#endif
+
+--- openssh-5.2p1/session.c
+++ openssh-5.2p1/session.c	2009-07-24 07:33:14.000000000 +0200
+@@ -119,6 +119,8 @@ void	do_child(Session *, const char *);
+ void	do_motd(void);
+ int	check_quietlogin(Session *, const char *);
+ 
+int	chroot_no_tree = 0;
+
+ static void do_authenticated1(Authctxt *);
+ static void do_authenticated2(Authctxt *);
+ 
+@@ -802,6 +804,11 @@ do_exec(Session *s, const char *command)
+ 		debug("Forced command (key option) '%.900s'", command);
+ 	}
+ 
+	if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
+		logit("You aren't welcomed, go away!");
+		exit (1);
+	}
+
+ #ifdef SSH_AUDIT_EVENTS
+ 	if (command != NULL)
+ 		PRIVSEP(audit_run_command(command));
+@@ -1408,6 +1415,7 @@ safely_chroot(const char *path, uid_t ui
+ 	const char *cp;
+ 	char component[MAXPATHLEN];
+ 	struct stat st;
+	int last;
+ 
+ 	if (*path != '/')
+ 		fatal("chroot path does not begin at root");
+@@ -1419,7 +1427,7 @@ safely_chroot(const char *path, uid_t ui
+ 	 * root-owned directory with strict permissions.
+ 	 */
+ 	for (cp = path; cp != NULL;) {
+-		if ((cp = strchr(cp, '/')) == NULL)
+		if (((last = ((cp = strchr(cp, '/')) == NULL))))
+ 			strlcpy(component, path, sizeof(component));
+ 		else {
+ 			cp++;
+@@ -1432,15 +1440,19 @@ safely_chroot(const char *path, uid_t ui
+ 		if (stat(component, &st) != 0)
+ 			fatal("%s: stat(\"%s\"): %s", __func__,
+ 			    component, strerror(errno));
+-		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
+		if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
+ 			fatal("bad ownership or modes for chroot "
+ 			    "directory %s\"%s\"", 
+ 			    cp == NULL ? "" : "component ", component);
+ 		if (!S_ISDIR(st.st_mode))
+ 			fatal("chroot path %s\"%s\" is not a directory",
+ 			    cp == NULL ? "" : "component ", component);
+-
+ 	}
+	setenv ("TZ", "/etc/localtime", 0);
+	tzset ();
+
+	if (st.st_uid != uid)
+		++chroot_no_tree;
+ 
+ 	if (chdir(path) == -1)
+ 		fatal("Unable to chdir to chroot path \"%s\": "
+@@ -1451,6 +1463,10 @@ safely_chroot(const char *path, uid_t ui
+ 	if (chdir("/") == -1)
+ 		fatal("%s: chdir(/) after chroot: %s",
+ 		    __func__, strerror(errno));
+
+	if (access ("/etc/localtime", R_OK) < 0)
+			++chroot_no_tree;
+
+ 	verbose("Changed root directory to \"%s\"", path);
+ }
+ 
+--- openssh-5.2p1/sftp.c
+++ openssh-5.2p1/sftp.c
+@@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons
+ 
+ extern char *__progname;
+ 
+int	chroot_no_tree = 0;
+
+ /* Separators for interactive commands */
+ #define WHITESPACE " \t\r\n"
+ 
+--- openssh-5.2p1/sftp-common.c
+++ openssh-5.2p1/sftp-common.c
+@@ -40,6 +40,7 @@
+ #include "xmalloc.h"
+ #include "buffer.h"
+ #include "log.h"
+#include "chrootenv.h"
+ 
+ #include "sftp.h"
+ #include "sftp-common.h"
+@@ -194,13 +195,13 @@ ls_file(const char *name, const struct s
+ 	char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
+ 
+ 	strmode(st->st_mode, mode);
+-	if (!remote && (pw = getpwuid(st->st_uid)) != NULL) {
+	if (!remote && !chroot_no_tree && (pw = getpwuid(st->st_uid)) != NULL) {
+ 		user = pw->pw_name;
+ 	} else {
+ 		snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
+ 		user = ubuf;
+ 	}
+-	if (!remote && (gr = getgrgid(st->st_gid)) != NULL) {
+	if (!remote && !chroot_no_tree && (gr = getgrgid(st->st_gid)) != NULL) {
+ 		group = gr->gr_name;
+ 	} else {
+ 		snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
+--- openssh-5.2p1/sftp-server-main.c
+++ openssh-5.2p1/sftp-server-main.c
+@@ -22,11 +22,14 @@
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <unistd.h>
+#include <time.h>
+ 
+ #include "log.h"
+ #include "sftp.h"
+ #include "misc.h"
+ 
+int	chroot_no_tree = 0;
+
+ void
+ cleanup_exit(int i)
+ {
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -23,7 +23,7 @@ BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
 License:        BSD 3-clause (or similar)
 Group:          Productivity/Networking/SSH
 Version:        5.2p1
-Release:        6
+Release:        7
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Aug 20 16:54:08 CEST 2009 - anicka@suse.cz
+
+- make sftp in chroot users life easier (ie. bnc#518238),
+  many thanks jchadima@redhat.com for a patch
+
 -------------------------------------------------------------------
 Sun Jul 12 21:43:21 CEST 2009 - coolo@novell.com

--- a/openssh.spec
+++ b/openssh.spec
@ -38,7 +38,7 @@ PreReq:         /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq  %fillup_pr
 Conflicts:      nonfreessh
 AutoReqProv:    on
 Version:        5.2p1
-Release:        6
+Release:        7
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/
@ -71,6 +71,7 @@ Patch44:        %{name}-%{version}-audit.patch
 Patch45:        %{name}-%{version}-pts.diff
 Patch46:        %{name}-%{version}-pam-fix4.diff
 Patch48:        %{name}-%{version}-forwards.diff
+Patch49:        %{name}-%{version}-homechroot.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %package      askpass
@ -162,6 +163,7 @@ Authors:
 %patch45
 %patch46 -p1
 %patch48
+%patch49 -p1
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}