Accepting request 19015 from Base:System
Copy from Base:System/openssh based on submit request 19015 from user coolo OBS-URL: https://build.opensuse.org/request/show/19015 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=31
This commit is contained in:
parent
f38f3e98f9
commit
0a76e8dc3a
162
openssh-5.2p1-homechroot.patch
Normal file
162
openssh-5.2p1-homechroot.patch
Normal file
@ -0,0 +1,162 @@
|
|||||||
|
+++ openssh-5.2p1/chrootenv.h
|
||||||
|
+++ openssh-5.2p1/chrootenv.h
|
||||||
|
@@ -0,0 +1,32 @@
|
||||||
|
+/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||||
|
+ *
|
||||||
|
+ * Redistribution and use in source and binary forms, with or without
|
||||||
|
+ * modification, are permitted provided that the following conditions
|
||||||
|
+ * are met:
|
||||||
|
+ * 1. Redistributions of source code must retain the above copyright
|
||||||
|
+ * notice, this list of conditions and the following disclaimer.
|
||||||
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
+ * notice, this list of conditions and the following disclaimer in the
|
||||||
|
+ * documentation and/or other materials provided with the distribution.
|
||||||
|
+ *
|
||||||
|
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||||
|
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||||
|
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||||
|
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||||
|
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||||
|
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
|
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
+ */
|
||||||
|
+#ifndef CHROOTENV_H
|
||||||
|
+#define CHROOTENV_H
|
||||||
|
+
|
||||||
|
+extern int chroot_no_tree;
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
--- openssh-5.2p1/session.c
|
||||||
|
+++ openssh-5.2p1/session.c 2009-07-24 07:33:14.000000000 +0200
|
||||||
|
@@ -119,6 +119,8 @@ void do_child(Session *, const char *);
|
||||||
|
void do_motd(void);
|
||||||
|
int check_quietlogin(Session *, const char *);
|
||||||
|
|
||||||
|
+int chroot_no_tree = 0;
|
||||||
|
+
|
||||||
|
static void do_authenticated1(Authctxt *);
|
||||||
|
static void do_authenticated2(Authctxt *);
|
||||||
|
|
||||||
|
@@ -802,6 +804,11 @@ do_exec(Session *s, const char *command)
|
||||||
|
debug("Forced command (key option) '%.900s'", command);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
|
||||||
|
+ logit("You aren't welcomed, go away!");
|
||||||
|
+ exit (1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
if (command != NULL)
|
||||||
|
PRIVSEP(audit_run_command(command));
|
||||||
|
@@ -1408,6 +1415,7 @@ safely_chroot(const char *path, uid_t ui
|
||||||
|
const char *cp;
|
||||||
|
char component[MAXPATHLEN];
|
||||||
|
struct stat st;
|
||||||
|
+ int last;
|
||||||
|
|
||||||
|
if (*path != '/')
|
||||||
|
fatal("chroot path does not begin at root");
|
||||||
|
@@ -1419,7 +1427,7 @@ safely_chroot(const char *path, uid_t ui
|
||||||
|
* root-owned directory with strict permissions.
|
||||||
|
*/
|
||||||
|
for (cp = path; cp != NULL;) {
|
||||||
|
- if ((cp = strchr(cp, '/')) == NULL)
|
||||||
|
+ if (((last = ((cp = strchr(cp, '/')) == NULL))))
|
||||||
|
strlcpy(component, path, sizeof(component));
|
||||||
|
else {
|
||||||
|
cp++;
|
||||||
|
@@ -1432,15 +1440,19 @@ safely_chroot(const char *path, uid_t ui
|
||||||
|
if (stat(component, &st) != 0)
|
||||||
|
fatal("%s: stat(\"%s\"): %s", __func__,
|
||||||
|
component, strerror(errno));
|
||||||
|
- if (st.st_uid != 0 || (st.st_mode & 022) != 0)
|
||||||
|
+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
|
||||||
|
fatal("bad ownership or modes for chroot "
|
||||||
|
"directory %s\"%s\"",
|
||||||
|
cp == NULL ? "" : "component ", component);
|
||||||
|
if (!S_ISDIR(st.st_mode))
|
||||||
|
fatal("chroot path %s\"%s\" is not a directory",
|
||||||
|
cp == NULL ? "" : "component ", component);
|
||||||
|
-
|
||||||
|
}
|
||||||
|
+ setenv ("TZ", "/etc/localtime", 0);
|
||||||
|
+ tzset ();
|
||||||
|
+
|
||||||
|
+ if (st.st_uid != uid)
|
||||||
|
+ ++chroot_no_tree;
|
||||||
|
|
||||||
|
if (chdir(path) == -1)
|
||||||
|
fatal("Unable to chdir to chroot path \"%s\": "
|
||||||
|
@@ -1451,6 +1463,10 @@ safely_chroot(const char *path, uid_t ui
|
||||||
|
if (chdir("/") == -1)
|
||||||
|
fatal("%s: chdir(/) after chroot: %s",
|
||||||
|
__func__, strerror(errno));
|
||||||
|
+
|
||||||
|
+ if (access ("/etc/localtime", R_OK) < 0)
|
||||||
|
+ ++chroot_no_tree;
|
||||||
|
+
|
||||||
|
verbose("Changed root directory to \"%s\"", path);
|
||||||
|
}
|
||||||
|
|
||||||
|
--- openssh-5.2p1/sftp.c
|
||||||
|
+++ openssh-5.2p1/sftp.c
|
||||||
|
@@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons
|
||||||
|
|
||||||
|
extern char *__progname;
|
||||||
|
|
||||||
|
+int chroot_no_tree = 0;
|
||||||
|
+
|
||||||
|
/* Separators for interactive commands */
|
||||||
|
#define WHITESPACE " \t\r\n"
|
||||||
|
|
||||||
|
--- openssh-5.2p1/sftp-common.c
|
||||||
|
+++ openssh-5.2p1/sftp-common.c
|
||||||
|
@@ -40,6 +40,7 @@
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "buffer.h"
|
||||||
|
#include "log.h"
|
||||||
|
+#include "chrootenv.h"
|
||||||
|
|
||||||
|
#include "sftp.h"
|
||||||
|
#include "sftp-common.h"
|
||||||
|
@@ -194,13 +195,13 @@ ls_file(const char *name, const struct s
|
||||||
|
char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
|
||||||
|
|
||||||
|
strmode(st->st_mode, mode);
|
||||||
|
- if (!remote && (pw = getpwuid(st->st_uid)) != NULL) {
|
||||||
|
+ if (!remote && !chroot_no_tree && (pw = getpwuid(st->st_uid)) != NULL) {
|
||||||
|
user = pw->pw_name;
|
||||||
|
} else {
|
||||||
|
snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
|
||||||
|
user = ubuf;
|
||||||
|
}
|
||||||
|
- if (!remote && (gr = getgrgid(st->st_gid)) != NULL) {
|
||||||
|
+ if (!remote && !chroot_no_tree && (gr = getgrgid(st->st_gid)) != NULL) {
|
||||||
|
group = gr->gr_name;
|
||||||
|
} else {
|
||||||
|
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
|
||||||
|
--- openssh-5.2p1/sftp-server-main.c
|
||||||
|
+++ openssh-5.2p1/sftp-server-main.c
|
||||||
|
@@ -22,11 +22,14 @@
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
+#include <time.h>
|
||||||
|
|
||||||
|
#include "log.h"
|
||||||
|
#include "sftp.h"
|
||||||
|
#include "misc.h"
|
||||||
|
|
||||||
|
+int chroot_no_tree = 0;
|
||||||
|
+
|
||||||
|
void
|
||||||
|
cleanup_exit(int i)
|
||||||
|
{
|
@ -23,7 +23,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
|
|||||||
License: BSD 3-clause (or similar)
|
License: BSD 3-clause (or similar)
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
Version: 5.2p1
|
Version: 5.2p1
|
||||||
Release: 6
|
Release: 7
|
||||||
Requires: openssh = %{version} openssh-askpass = %{version}
|
Requires: openssh = %{version} openssh-askpass = %{version}
|
||||||
AutoReqProv: on
|
AutoReqProv: on
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
|
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Aug 20 16:54:08 CEST 2009 - anicka@suse.cz
|
||||||
|
|
||||||
|
- make sftp in chroot users life easier (ie. bnc#518238),
|
||||||
|
many thanks jchadima@redhat.com for a patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun Jul 12 21:43:21 CEST 2009 - coolo@novell.com
|
Sun Jul 12 21:43:21 CEST 2009 - coolo@novell.com
|
||||||
|
|
||||||
|
@ -38,7 +38,7 @@ PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_pr
|
|||||||
Conflicts: nonfreessh
|
Conflicts: nonfreessh
|
||||||
AutoReqProv: on
|
AutoReqProv: on
|
||||||
Version: 5.2p1
|
Version: 5.2p1
|
||||||
Release: 6
|
Release: 7
|
||||||
%define xversion 1.2.4.1
|
%define xversion 1.2.4.1
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
Url: http://www.openssh.com/
|
Url: http://www.openssh.com/
|
||||||
@ -71,6 +71,7 @@ Patch44: %{name}-%{version}-audit.patch
|
|||||||
Patch45: %{name}-%{version}-pts.diff
|
Patch45: %{name}-%{version}-pts.diff
|
||||||
Patch46: %{name}-%{version}-pam-fix4.diff
|
Patch46: %{name}-%{version}-pam-fix4.diff
|
||||||
Patch48: %{name}-%{version}-forwards.diff
|
Patch48: %{name}-%{version}-forwards.diff
|
||||||
|
Patch49: %{name}-%{version}-homechroot.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
|
||||||
%package askpass
|
%package askpass
|
||||||
@ -162,6 +163,7 @@ Authors:
|
|||||||
%patch45
|
%patch45
|
||||||
%patch46 -p1
|
%patch46 -p1
|
||||||
%patch48
|
%patch48
|
||||||
|
%patch49 -p1
|
||||||
cp -v %{SOURCE4} .
|
cp -v %{SOURCE4} .
|
||||||
cp -v %{SOURCE6} .
|
cp -v %{SOURCE6} .
|
||||||
cd ../x11-ssh-askpass-%{xversion}
|
cd ../x11-ssh-askpass-%{xversion}
|
||||||
|
Loading…
Reference in New Issue
Block a user