From 15cde4354f0bd343c0a3ab75589e58a5633840a9de1b63f6fe4ebbab9ff32dd1 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Mon, 21 Sep 2009 19:22:05 +0000 Subject: [PATCH] Accepting request 20661 from Base:System Copy from Base:System/openssh based on submit request 20661 from user anicka OBS-URL: https://build.opensuse.org/request/show/20661 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=32 --- openssh-5.2p1-homechroot.patch | 141 ++++++++++++++++++++++++++++----- openssh-askpass-gnome.spec | 2 +- openssh.changes | 7 ++ openssh.spec | 6 +- 4 files changed, 131 insertions(+), 25 deletions(-) diff --git a/openssh-5.2p1-homechroot.patch b/openssh-5.2p1-homechroot.patch index 7aeeab1..8899fa3 100644 --- a/openssh-5.2p1-homechroot.patch +++ b/openssh-5.2p1-homechroot.patch @@ -1,5 +1,5 @@ -+++ openssh-5.2p1/chrootenv.h -+++ openssh-5.2p1/chrootenv.h +--- chrootenv.h ++++ chrootenv.h @@ -0,0 +1,32 @@ +/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ + @@ -33,8 +33,8 @@ + +#endif + ---- openssh-5.2p1/session.c -+++ openssh-5.2p1/session.c 2009-07-24 07:33:14.000000000 +0200 +--- session.c ++++ session.c @@ -119,6 +119,8 @@ void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); 
@@ -56,7 +56,71 @@ #ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); -@@ -1408,6 +1415,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1399,6 +1406,63 @@ do_nologin(struct passwd *pw) + } + + /* ++ * Test if filesystem is mounted nosuid and nodev ++ */ ++ ++static void ++test_nosuid (char * path, dev_t fs) ++{ ++ FILE *f; ++ struct stat st; ++ char buf[4096], *s, *on, *mountpoint, *opt; ++ int nodev, nosuid; ++ ++ if (!(f = popen ("/bin/mount", "r"))) ++ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s", ++ __func__, strerror (errno)); ++ for (;;) { ++ s = fgets (buf, sizeof (buf), f); ++ if (ferror (f)) ++ fatal ("%s: read from popen: %s", __func__, ++ strerror (errno)); ++ if (!s) { ++ pclose (f); ++ fatal ("cannot found filesystem with the chroot directory"); ++ } ++ (void) strtok (buf, " "); ++ on = strtok (NULL, " "); ++ if (strcmp (on, "on")) { ++ pclose (f); ++ fatal ("bad format of mount output"); ++ } ++ mountpoint = strtok (NULL, " "); ++ if (memcmp (path, mountpoint, strlen (mountpoint))) ++ continue; ++ if (stat(mountpoint, &st) != 0) { ++ pclose (f); ++ fatal("%s: stat(\"%s\"): %s", __func__, ++ mountpoint, strerror(errno)); ++ } ++ if (fs != st.st_dev) ++ continue; ++ nodev = nosuid = 0; ++ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) { ++ if (!strcmp (opt, "nodev")) ++ nodev = 1; ++ else if (!strcmp (opt, "nosuid")) ++ nosuid = 1; ++ else if (!strcmp (opt, "noexec")) ++ nosuid = 1; ++ if (nodev && nosuid) { ++ pclose (f); ++ return; ++ } ++ } ++ fatal ("chroot into directory without nodev or nosuid"); ++ } ++} ++ ++/* + * Chroot into a directory after checking it for safety: all path components + * must be root-owned directories with strict permissions. + */ +@@ -1408,6 +1472,7 @@ safely_chroot(const char *path, uid_t ui const char *cp; char component[MAXPATHLEN]; struct stat st; 
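Review bot: test_nosuid() uses strtok() results without checking them, so `strcmp (on, "on")` and `strlen (mountpoint)` dereference NULL on a short or blank line of mount output, and `memcmp (path, mountpoint, strlen (mountpoint))` can read past the end of `path` when the mount point is the longer string. The function also gets the mount table by running `/bin/mount` through popen(), which starts a shell from sshd's session setup (presumably still privileged at this point — confirm) and parses text formatted for humans. Reading the table with setmntent()/getmntent()/hasmntopt() from `<mntent.h>` removes both the shell and the hand-written tokenising; the sketch below keeps the existing fatal() messages and the same accept rule (nodev plus nosuid or noexec). The prefix test is not component-aware (`/home` also matches `/home2`); the `st_dev` comparison is what actually selects the filesystem, so it must stay.

```c
static void
test_nosuid (char * path, dev_t fs)
{
	FILE *f;
	struct mntent *m;
	struct stat st;

	/* Read the mount table itself: no shell, no parsing of mount(8) text. */
	if (!(f = setmntent (_PATH_MOUNTED, "r")))
		fatal ("%s: setmntent(\"%s\"): %s", __func__,
		    _PATH_MOUNTED, strerror (errno));
	while ((m = getmntent (f)) != NULL) {
		/* strncmp stops at the end of path; memcmp may read beyond it. */
		if (strncmp (path, m->mnt_dir, strlen (m->mnt_dir)))
			continue;
		/* fatal() does not return, so no endmntent() before it. */
		if (stat (m->mnt_dir, &st) != 0)
			fatal ("%s: stat(\"%s\"): %s", __func__,
			    m->mnt_dir, strerror (errno));
		if (fs != st.st_dev)
			continue;
		if (hasmntopt (m, "nodev") &&
		    (hasmntopt (m, "nosuid") || hasmntopt (m, "noexec"))) {
			endmntent (f);
			return;
		}
		fatal ("chroot into directory without nodev or nosuid");
	}
	fatal ("cannot found filesystem with the chroot directory");
}
```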
@@ -64,7 +128,7 @@ if (*path != '/') fatal("chroot path does not begin at root"); -@@ -1419,7 +1427,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1419,7 +1484,7 @@ safely_chroot(const char *path, uid_t ui * root-owned directory with strict permissions. */ for (cp = path; cp != NULL;) { @@ -73,7 +137,7 @@ strlcpy(component, path, sizeof(component)); else { cp++; -@@ -1432,15 +1440,19 @@ safely_chroot(const char *path, uid_t ui +@@ -1432,14 +1497,20 @@ safely_chroot(const char *path, uid_t ui if (stat(component, &st) != 0) fatal("%s: stat(\"%s\"): %s", __func__, component, strerror(errno)); @@ -85,29 +149,29 @@ if (!S_ISDIR(st.st_mode)) fatal("chroot path %s\"%s\" is not a directory", cp == NULL ? "" : "component ", component); -- - } ++ } + setenv ("TZ", "/etc/localtime", 0); + tzset (); -+ -+ if (st.st_uid != uid) + ++ if (st.st_uid) { ++ test_nosuid (path, st.st_dev); + ++chroot_no_tree; + } if (chdir(path) == -1) - fatal("Unable to chdir to chroot path \"%s\": " -@@ -1451,6 +1463,10 @@ safely_chroot(const char *path, uid_t ui +@@ -1451,6 +1522,10 @@ safely_chroot(const char *path, uid_t ui if (chdir("/") == -1) fatal("%s: chdir(/) after chroot: %s", __func__, strerror(errno)); + + if (access ("/etc/localtime", R_OK) < 0) -+ ++chroot_no_tree; ++ ++chroot_no_tree; + verbose("Changed root directory to \"%s\"", path); } ---- openssh-5.2p1/sftp.c -+++ openssh-5.2p1/sftp.c +--- sftp.c ++++ sftp.c @@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons extern char *__progname; @@ -117,8 +181,8 @@ /* Separators for interactive commands */ #define WHITESPACE " \t\r\n" ---- openssh-5.2p1/sftp-common.c -+++ openssh-5.2p1/sftp-common.c +--- sftp-common.c ++++ sftp-common.c @@ -40,6 +40,7 @@ #include "xmalloc.h" #include "buffer.h" @@ -143,8 +207,8 @@ group = gr->gr_name; } else { snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid); ---- openssh-5.2p1/sftp-server-main.c -+++ openssh-5.2p1/sftp-server-main.c +--- sftp-server-main.c ++++ sftp-server-main.c 
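Review bot: In safely_chroot() the new `if (st.st_uid) {` branch accepts a final directory owned by any non-root account, whereas the line it replaces compared `st.st_uid` with `uid` and the sshd_config text added in the same patch says the owner should be the user. Unless that comparison is made in the lines of the inner patch that fall between these hunks, a chroot directory owned by a different unprivileged user passes as long as its filesystem is mounted nodev and nosuid/noexec. Consider rejecting that case before the `test_nosuid` call, e.g. `if (st.st_uid != 0 && st.st_uid != uid) fatal("chroot directory \"%s\" is owned by neither root nor the user", path);`. safely_chroot's body starts and ends outside this hunk, so the surrounding ownership and mode checks could not be reviewed here.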
@@ -22,11 +22,14 @@ #include #include @@ -160,3 +224,40 @@ void cleanup_exit(int i) { +--- sshd_config.0 ++++ sshd_config.0 +@@ -112,6 +112,14 @@ DESCRIPTION + essary if the in-process sftp server is used (see Subsystem for + details). + ++ In the special case when only sftp is used, not ssh nor scp, it ++ is possible to use ChrootDirectory %h or ChrootDirectory ++ /some/path/%u. The file system containing this directory must be ++ mounted with options nodev and either nosuid or noexec. The owner ++ of the directory should be the user. The ownership of the other ++ components of the path must fulfill the usual conditions. No adi- ++ tional files are required to be present in the directory. ++ + The default is not to chroot(2). + + Ciphers +--- sshd_config.5 ++++ sshd_config.5 +@@ -219,6 +219,17 @@ in-process sftp server is used (see + .Cm Subsystem + for details). + .Pp ++In the special case when only sftp is used, not ssh nor scp, ++it is possible to use ++.Cm ChrootDirectory ++%h or ++.Cm ChrootDirectory ++/some/path/%u. The file system containing this directory must be ++mounted with options nodev and either nosuid or noexec. The owner of the ++directory should be the user. The ownership of the other components of the path ++must fulfill the usual conditions. No aditional files are required to be present ++in the directory. ++.Pp + The default is not to + .Xr chroot 2 . + .It Cm Ciphers diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 9e3c0cf..cdaad47 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -23,7 +23,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev License: BSD 3-clause (or similar) Group: Productivity/Networking/SSH Version: 5.2p1 -Release: 7 +Release: 8 Requires: openssh = %{version} openssh-askpass = %{version} AutoReqProv: on Summary: A GNOME-Based Passphrase Dialog for OpenSSH diff --git a/openssh.changes b/openssh.changes index 27bc2ef..42e688d 100644 
--- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Sep 21 14:40:51 CEST 2009 - anicka@suse.cz + +- add new version of homechroot patch (added documentation, added + check for nodev and nosuid) +- remove Provides and Obsoletes ssh + ------------------------------------------------------------------- Thu Aug 20 16:54:08 CEST 2009 - anicka@suse.cz diff --git a/openssh.spec b/openssh.spec index e9e7d23..2048589 100644 --- a/openssh.spec +++ b/openssh.spec @@ -31,14 +31,12 @@ BuildRequires: audit-devel krb5-devel opensc-devel openssl-devel pam-devel tcpd BuildRequires: libselinux-devel License: BSD 3-clause (or similar) ; MIT License (or similar) Group: Productivity/Networking/SSH -Obsoletes: ssh -Provides: ssh Requires: /bin/netstat PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions Conflicts: nonfreessh AutoReqProv: on Version: 5.2p1 -Release: 7 +Release: 8 %define xversion 1.2.4.1 Summary: Secure Shell Client and Server (Remote Login Program) Url: http://www.openssh.com/ @@ -163,7 +161,7 @@ Authors: %patch45 %patch46 -p1 %patch48 -%patch49 -p1 +%patch49 cp -v %{SOURCE4} . cp -v %{SOURCE6} . cd ../x11-ssh-askpass-%{xversion}