Accepting request 20661 from Base:System
Copy from Base:System/openssh based on submit request 20661 from user anicka OBS-URL: https://build.opensuse.org/request/show/20661 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=32
This commit is contained in:
parent
0a76e8dc3a
commit
15cde4354f
@ -1,5 +1,5 @@
|
|||||||
+++ openssh-5.2p1/chrootenv.h
|
--- chrootenv.h
|
||||||
+++ openssh-5.2p1/chrootenv.h
|
+++ chrootenv.h
|
||||||
@@ -0,0 +1,32 @@
|
@@ -0,0 +1,32 @@
|
||||||
+/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */
|
+/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */
|
||||||
+
|
+
|
||||||
@ -33,8 +33,8 @@
|
|||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
--- openssh-5.2p1/session.c
|
--- session.c
|
||||||
+++ openssh-5.2p1/session.c 2009-07-24 07:33:14.000000000 +0200
|
+++ session.c
|
||||||
@@ -119,6 +119,8 @@ void do_child(Session *, const char *);
|
@@ -119,6 +119,8 @@ void do_child(Session *, const char *);
|
||||||
void do_motd(void);
|
void do_motd(void);
|
||||||
int check_quietlogin(Session *, const char *);
|
int check_quietlogin(Session *, const char *);
|
||||||
@ -56,7 +56,71 @@
|
|||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
if (command != NULL)
|
if (command != NULL)
|
||||||
PRIVSEP(audit_run_command(command));
|
PRIVSEP(audit_run_command(command));
|
||||||
@@ -1408,6 +1415,7 @@ safely_chroot(const char *path, uid_t ui
|
@@ -1399,6 +1406,63 @@ do_nologin(struct passwd *pw)
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * Test if filesystem is mounted nosuid and nodev
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+test_nosuid (char * path, dev_t fs)
|
||||||
|
+{
|
||||||
|
+ FILE *f;
|
||||||
|
+ struct stat st;
|
||||||
|
+ char buf[4096], *s, *on, *mountpoint, *opt;
|
||||||
|
+ int nodev, nosuid;
|
||||||
|
+
|
||||||
|
+ if (!(f = popen ("/bin/mount", "r")))
|
||||||
|
+ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s",
|
||||||
|
+ __func__, strerror (errno));
|
||||||
|
+ for (;;) {
|
||||||
|
+ s = fgets (buf, sizeof (buf), f);
|
||||||
|
+ if (ferror (f))
|
||||||
|
+ fatal ("%s: read from popen: %s", __func__,
|
||||||
|
+ strerror (errno));
|
||||||
|
+ if (!s) {
|
||||||
|
+ pclose (f);
|
||||||
|
+ fatal ("cannot found filesystem with the chroot directory");
|
||||||
|
+ }
|
||||||
|
+ (void) strtok (buf, " ");
|
||||||
|
+ on = strtok (NULL, " ");
|
||||||
|
+ if (strcmp (on, "on")) {
|
||||||
|
+ pclose (f);
|
||||||
|
+ fatal ("bad format of mount output");
|
||||||
|
+ }
|
||||||
|
+ mountpoint = strtok (NULL, " ");
|
||||||
|
+ if (memcmp (path, mountpoint, strlen (mountpoint)))
|
||||||
|
+ continue;
|
||||||
|
+ if (stat(mountpoint, &st) != 0) {
|
||||||
|
+ pclose (f);
|
||||||
|
+ fatal("%s: stat(\"%s\"): %s", __func__,
|
||||||
|
+ mountpoint, strerror(errno));
|
||||||
|
+ }
|
||||||
|
+ if (fs != st.st_dev)
|
||||||
|
+ continue;
|
||||||
|
+ nodev = nosuid = 0;
|
||||||
|
+ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) {
|
||||||
|
+ if (!strcmp (opt, "nodev"))
|
||||||
|
+ nodev = 1;
|
||||||
|
+ else if (!strcmp (opt, "nosuid"))
|
||||||
|
+ nosuid = 1;
|
||||||
|
+ else if (!strcmp (opt, "noexec"))
|
||||||
|
+ nosuid = 1;
|
||||||
|
+ if (nodev && nosuid) {
|
||||||
|
+ pclose (f);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ fatal ("chroot into directory without nodev or nosuid");
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* Chroot into a directory after checking it for safety: all path components
|
||||||
|
* must be root-owned directories with strict permissions.
|
||||||
|
*/
|
||||||
|
@@ -1408,6 +1472,7 @@ safely_chroot(const char *path, uid_t ui
|
||||||
const char *cp;
|
const char *cp;
|
||||||
char component[MAXPATHLEN];
|
char component[MAXPATHLEN];
|
||||||
struct stat st;
|
struct stat st;
|
||||||
@ -64,7 +128,7 @@
|
|||||||
|
|
||||||
if (*path != '/')
|
if (*path != '/')
|
||||||
fatal("chroot path does not begin at root");
|
fatal("chroot path does not begin at root");
|
||||||
@@ -1419,7 +1427,7 @@ safely_chroot(const char *path, uid_t ui
|
@@ -1419,7 +1484,7 @@ safely_chroot(const char *path, uid_t ui
|
||||||
* root-owned directory with strict permissions.
|
* root-owned directory with strict permissions.
|
||||||
*/
|
*/
|
||||||
for (cp = path; cp != NULL;) {
|
for (cp = path; cp != NULL;) {
|
||||||
@ -73,7 +137,7 @@
|
|||||||
strlcpy(component, path, sizeof(component));
|
strlcpy(component, path, sizeof(component));
|
||||||
else {
|
else {
|
||||||
cp++;
|
cp++;
|
||||||
@@ -1432,15 +1440,19 @@ safely_chroot(const char *path, uid_t ui
|
@@ -1432,14 +1497,20 @@ safely_chroot(const char *path, uid_t ui
|
||||||
if (stat(component, &st) != 0)
|
if (stat(component, &st) != 0)
|
||||||
fatal("%s: stat(\"%s\"): %s", __func__,
|
fatal("%s: stat(\"%s\"): %s", __func__,
|
||||||
component, strerror(errno));
|
component, strerror(errno));
|
||||||
@ -85,17 +149,17 @@
|
|||||||
if (!S_ISDIR(st.st_mode))
|
if (!S_ISDIR(st.st_mode))
|
||||||
fatal("chroot path %s\"%s\" is not a directory",
|
fatal("chroot path %s\"%s\" is not a directory",
|
||||||
cp == NULL ? "" : "component ", component);
|
cp == NULL ? "" : "component ", component);
|
||||||
-
|
+ }
|
||||||
}
|
|
||||||
+ setenv ("TZ", "/etc/localtime", 0);
|
+ setenv ("TZ", "/etc/localtime", 0);
|
||||||
+ tzset ();
|
+ tzset ();
|
||||||
+
|
|
||||||
+ if (st.st_uid != uid)
|
+ if (st.st_uid) {
|
||||||
|
+ test_nosuid (path, st.st_dev);
|
||||||
+ ++chroot_no_tree;
|
+ ++chroot_no_tree;
|
||||||
|
}
|
||||||
|
|
||||||
if (chdir(path) == -1)
|
if (chdir(path) == -1)
|
||||||
fatal("Unable to chdir to chroot path \"%s\": "
|
@@ -1451,6 +1522,10 @@ safely_chroot(const char *path, uid_t ui
|
||||||
@@ -1451,6 +1463,10 @@ safely_chroot(const char *path, uid_t ui
|
|
||||||
if (chdir("/") == -1)
|
if (chdir("/") == -1)
|
||||||
fatal("%s: chdir(/) after chroot: %s",
|
fatal("%s: chdir(/) after chroot: %s",
|
||||||
__func__, strerror(errno));
|
__func__, strerror(errno));
|
||||||
@ -106,8 +170,8 @@
|
|||||||
verbose("Changed root directory to \"%s\"", path);
|
verbose("Changed root directory to \"%s\"", path);
|
||||||
}
|
}
|
||||||
|
|
||||||
--- openssh-5.2p1/sftp.c
|
--- sftp.c
|
||||||
+++ openssh-5.2p1/sftp.c
|
+++ sftp.c
|
||||||
@@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons
|
@@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons
|
||||||
|
|
||||||
extern char *__progname;
|
extern char *__progname;
|
||||||
@ -117,8 +181,8 @@
|
|||||||
/* Separators for interactive commands */
|
/* Separators for interactive commands */
|
||||||
#define WHITESPACE " \t\r\n"
|
#define WHITESPACE " \t\r\n"
|
||||||
|
|
||||||
--- openssh-5.2p1/sftp-common.c
|
--- sftp-common.c
|
||||||
+++ openssh-5.2p1/sftp-common.c
|
+++ sftp-common.c
|
||||||
@@ -40,6 +40,7 @@
|
@@ -40,6 +40,7 @@
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "buffer.h"
|
#include "buffer.h"
|
||||||
@ -143,8 +207,8 @@
|
|||||||
group = gr->gr_name;
|
group = gr->gr_name;
|
||||||
} else {
|
} else {
|
||||||
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
|
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
|
||||||
--- openssh-5.2p1/sftp-server-main.c
|
--- sftp-server-main.c
|
||||||
+++ openssh-5.2p1/sftp-server-main.c
|
+++ sftp-server-main.c
|
||||||
@@ -22,11 +22,14 @@
|
@@ -22,11 +22,14 @@
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
@ -160,3 +224,40 @@
|
|||||||
void
|
void
|
||||||
cleanup_exit(int i)
|
cleanup_exit(int i)
|
||||||
{
|
{
|
||||||
|
--- sshd_config.0
|
||||||
|
+++ sshd_config.0
|
||||||
|
@@ -112,6 +112,14 @@ DESCRIPTION
|
||||||
|
essary if the in-process sftp server is used (see Subsystem for
|
||||||
|
details).
|
||||||
|
|
||||||
|
+ In the special case when only sftp is used, not ssh nor scp, it
|
||||||
|
+ is possible to use ChrootDirectory %h or ChrootDirectory
|
||||||
|
+ /some/path/%u. The file system containing this directory must be
|
||||||
|
+ mounted with options nodev and either nosuid or noexec. The owner
|
||||||
|
+ of the directory should be the user. The ownership of the other
|
||||||
|
+ components of the path must fulfill the usual conditions. No adi-
|
||||||
|
+ tional files are required to be present in the directory.
|
||||||
|
+
|
||||||
|
The default is not to chroot(2).
|
||||||
|
|
||||||
|
Ciphers
|
||||||
|
--- sshd_config.5
|
||||||
|
+++ sshd_config.5
|
||||||
|
@@ -219,6 +219,17 @@ in-process sftp server is used (see
|
||||||
|
.Cm Subsystem
|
||||||
|
for details).
|
||||||
|
.Pp
|
||||||
|
+In the special case when only sftp is used, not ssh nor scp,
|
||||||
|
+it is possible to use
|
||||||
|
+.Cm ChrootDirectory
|
||||||
|
+%h or
|
||||||
|
+.Cm ChrootDirectory
|
||||||
|
+/some/path/%u. The file system containing this directory must be
|
||||||
|
+mounted with options nodev and either nosuid or noexec. The owner of the
|
||||||
|
+directory should be the user. The ownership of the other components of the path
|
||||||
|
+must fulfill the usual conditions. No aditional files are required to be present
|
||||||
|
+in the directory.
|
||||||
|
+.Pp
|
||||||
|
The default is not to
|
||||||
|
.Xr chroot 2 .
|
||||||
|
.It Cm Ciphers
|
||||||
|
@ -23,7 +23,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
|
|||||||
License: BSD 3-clause (or similar)
|
License: BSD 3-clause (or similar)
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
Version: 5.2p1
|
Version: 5.2p1
|
||||||
Release: 7
|
Release: 8
|
||||||
Requires: openssh = %{version} openssh-askpass = %{version}
|
Requires: openssh = %{version} openssh-askpass = %{version}
|
||||||
AutoReqProv: on
|
AutoReqProv: on
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 21 14:40:51 CEST 2009 - anicka@suse.cz
|
||||||
|
|
||||||
|
- add new version of homechroot patch (added documentation, added
|
||||||
|
check for nodev and nosuid)
|
||||||
|
- remove Provides and Obsoletes ssh
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Aug 20 16:54:08 CEST 2009 - anicka@suse.cz
|
Thu Aug 20 16:54:08 CEST 2009 - anicka@suse.cz
|
||||||
|
|
||||||
|
@ -31,14 +31,12 @@ BuildRequires: audit-devel krb5-devel opensc-devel openssl-devel pam-devel tcpd
|
|||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
License: BSD 3-clause (or similar) ; MIT License (or similar)
|
License: BSD 3-clause (or similar) ; MIT License (or similar)
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
Obsoletes: ssh
|
|
||||||
Provides: ssh
|
|
||||||
Requires: /bin/netstat
|
Requires: /bin/netstat
|
||||||
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
|
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
|
||||||
Conflicts: nonfreessh
|
Conflicts: nonfreessh
|
||||||
AutoReqProv: on
|
AutoReqProv: on
|
||||||
Version: 5.2p1
|
Version: 5.2p1
|
||||||
Release: 7
|
Release: 8
|
||||||
%define xversion 1.2.4.1
|
%define xversion 1.2.4.1
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
Url: http://www.openssh.com/
|
Url: http://www.openssh.com/
|
||||||
@ -163,7 +161,7 @@ Authors:
|
|||||||
%patch45
|
%patch45
|
||||||
%patch46 -p1
|
%patch46 -p1
|
||||||
%patch48
|
%patch48
|
||||||
%patch49 -p1
|
%patch49
|
||||||
cp -v %{SOURCE4} .
|
cp -v %{SOURCE4} .
|
||||||
cp -v %{SOURCE6} .
|
cp -v %{SOURCE6} .
|
||||||
cd ../x11-ssh-askpass-%{xversion}
|
cd ../x11-ssh-askpass-%{xversion}
|
||||||
|
Loading…
Reference in New Issue
Block a user