Accepting request 20661 from Base:System

Copy from Base:System/openssh based on submit request 20661 from user anicka

OBS-URL: https://build.opensuse.org/request/show/20661
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=32
This commit is contained in:
OBS User autobuild 2009-09-21 19:22:05 +00:00 committed by Git OBS Bridge
parent 0a76e8dc3a
commit 15cde4354f
4 changed files with 131 additions and 25 deletions

View File

@ -1,5 +1,5 @@
+++ openssh-5.2p1/chrootenv.h --- chrootenv.h
+++ openssh-5.2p1/chrootenv.h +++ chrootenv.h
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ +/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */
+ +
@ -33,8 +33,8 @@
+ +
+#endif +#endif
+ +
--- openssh-5.2p1/session.c --- session.c
+++ openssh-5.2p1/session.c 2009-07-24 07:33:14.000000000 +0200 +++ session.c
@@ -119,6 +119,8 @@ void do_child(Session *, const char *); @@ -119,6 +119,8 @@ void do_child(Session *, const char *);
void do_motd(void); void do_motd(void);
int check_quietlogin(Session *, const char *); int check_quietlogin(Session *, const char *);
@ -56,7 +56,71 @@
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
if (command != NULL) if (command != NULL)
PRIVSEP(audit_run_command(command)); PRIVSEP(audit_run_command(command));
@@ -1408,6 +1415,7 @@ safely_chroot(const char *path, uid_t ui @@ -1399,6 +1406,63 @@ do_nologin(struct passwd *pw)
}
/*
+ * Test if filesystem is mounted nosuid and nodev
+ */
+
+static void
+test_nosuid (char * path, dev_t fs)
+{
+ FILE *f;
+ struct stat st;
+ char buf[4096], *s, *on, *mountpoint, *opt;
+ int nodev, nosuid;
+
+ if (!(f = popen ("/bin/mount", "r")))
+ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s",
+ __func__, strerror (errno));
+ for (;;) {
+ s = fgets (buf, sizeof (buf), f);
+ if (ferror (f))
+ fatal ("%s: read from popen: %s", __func__,
+ strerror (errno));
+ if (!s) {
+ pclose (f);
+ fatal ("cannot found filesystem with the chroot directory");
+ }
+ (void) strtok (buf, " ");
+ on = strtok (NULL, " ");
+ if (strcmp (on, "on")) {
+ pclose (f);
+ fatal ("bad format of mount output");
+ }
+ mountpoint = strtok (NULL, " ");
+ if (memcmp (path, mountpoint, strlen (mountpoint)))
+ continue;
+ if (stat(mountpoint, &st) != 0) {
+ pclose (f);
+ fatal("%s: stat(\"%s\"): %s", __func__,
+ mountpoint, strerror(errno));
+ }
+ if (fs != st.st_dev)
+ continue;
+ nodev = nosuid = 0;
+ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) {
+ if (!strcmp (opt, "nodev"))
+ nodev = 1;
+ else if (!strcmp (opt, "nosuid"))
+ nosuid = 1;
+ else if (!strcmp (opt, "noexec"))
+ nosuid = 1;
+ if (nodev && nosuid) {
+ pclose (f);
+ return;
+ }
+ }
+ fatal ("chroot into directory without nodev or nosuid");
+ }
+}
+
+/*
* Chroot into a directory after checking it for safety: all path components
* must be root-owned directories with strict permissions.
*/
@@ -1408,6 +1472,7 @@ safely_chroot(const char *path, uid_t ui
const char *cp; const char *cp;
char component[MAXPATHLEN]; char component[MAXPATHLEN];
struct stat st; struct stat st;
@ -64,7 +128,7 @@
if (*path != '/') if (*path != '/')
fatal("chroot path does not begin at root"); fatal("chroot path does not begin at root");
@@ -1419,7 +1427,7 @@ safely_chroot(const char *path, uid_t ui @@ -1419,7 +1484,7 @@ safely_chroot(const char *path, uid_t ui
* root-owned directory with strict permissions. * root-owned directory with strict permissions.
*/ */
for (cp = path; cp != NULL;) { for (cp = path; cp != NULL;) {
@ -73,7 +137,7 @@
strlcpy(component, path, sizeof(component)); strlcpy(component, path, sizeof(component));
else { else {
cp++; cp++;
@@ -1432,15 +1440,19 @@ safely_chroot(const char *path, uid_t ui @@ -1432,14 +1497,20 @@ safely_chroot(const char *path, uid_t ui
if (stat(component, &st) != 0) if (stat(component, &st) != 0)
fatal("%s: stat(\"%s\"): %s", __func__, fatal("%s: stat(\"%s\"): %s", __func__,
component, strerror(errno)); component, strerror(errno));
@ -85,29 +149,29 @@
if (!S_ISDIR(st.st_mode)) if (!S_ISDIR(st.st_mode))
fatal("chroot path %s\"%s\" is not a directory", fatal("chroot path %s\"%s\" is not a directory",
cp == NULL ? "" : "component ", component); cp == NULL ? "" : "component ", component);
- + }
}
+ setenv ("TZ", "/etc/localtime", 0); + setenv ("TZ", "/etc/localtime", 0);
+ tzset (); + tzset ();
+
+ if (st.st_uid != uid) + if (st.st_uid) {
+ test_nosuid (path, st.st_dev);
+ ++chroot_no_tree; + ++chroot_no_tree;
}
if (chdir(path) == -1) if (chdir(path) == -1)
fatal("Unable to chdir to chroot path \"%s\": " @@ -1451,6 +1522,10 @@ safely_chroot(const char *path, uid_t ui
@@ -1451,6 +1463,10 @@ safely_chroot(const char *path, uid_t ui
if (chdir("/") == -1) if (chdir("/") == -1)
fatal("%s: chdir(/) after chroot: %s", fatal("%s: chdir(/) after chroot: %s",
__func__, strerror(errno)); __func__, strerror(errno));
+ +
+ if (access ("/etc/localtime", R_OK) < 0) + if (access ("/etc/localtime", R_OK) < 0)
+ ++chroot_no_tree; + ++chroot_no_tree;
+ +
verbose("Changed root directory to \"%s\"", path); verbose("Changed root directory to \"%s\"", path);
} }
--- openssh-5.2p1/sftp.c --- sftp.c
+++ openssh-5.2p1/sftp.c +++ sftp.c
@@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons @@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons
extern char *__progname; extern char *__progname;
@ -117,8 +181,8 @@
/* Separators for interactive commands */ /* Separators for interactive commands */
#define WHITESPACE " \t\r\n" #define WHITESPACE " \t\r\n"
--- openssh-5.2p1/sftp-common.c --- sftp-common.c
+++ openssh-5.2p1/sftp-common.c +++ sftp-common.c
@@ -40,6 +40,7 @@ @@ -40,6 +40,7 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "buffer.h" #include "buffer.h"
@ -143,8 +207,8 @@
group = gr->gr_name; group = gr->gr_name;
} else { } else {
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid); snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
--- openssh-5.2p1/sftp-server-main.c --- sftp-server-main.c
+++ openssh-5.2p1/sftp-server-main.c +++ sftp-server-main.c
@@ -22,11 +22,14 @@ @@ -22,11 +22,14 @@
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>
@ -160,3 +224,40 @@
void void
cleanup_exit(int i) cleanup_exit(int i)
{ {
--- sshd_config.0
+++ sshd_config.0
@@ -112,6 +112,14 @@ DESCRIPTION
essary if the in-process sftp server is used (see Subsystem for
details).
+ In the special case when only sftp is used, not ssh nor scp, it
+ is possible to use ChrootDirectory %h or ChrootDirectory
+ /some/path/%u. The file system containing this directory must be
+ mounted with options nodev and either nosuid or noexec. The owner
+ of the directory should be the user. The ownership of the other
+ components of the path must fulfill the usual conditions. No adi-
+ tional files are required to be present in the directory.
+
The default is not to chroot(2).
Ciphers
--- sshd_config.5
+++ sshd_config.5
@@ -219,6 +219,17 @@ in-process sftp server is used (see
.Cm Subsystem
for details).
.Pp
+In the special case when only sftp is used, not ssh nor scp,
+it is possible to use
+.Cm ChrootDirectory
+%h or
+.Cm ChrootDirectory
+/some/path/%u. The file system containing this directory must be
+mounted with options nodev and either nosuid or noexec. The owner of the
+directory should be the user. The ownership of the other components of the path
+must fulfill the usual conditions. No aditional files are required to be present
+in the directory.
+.Pp
The default is not to
.Xr chroot 2 .
.It Cm Ciphers

View File

@ -23,7 +23,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
License: BSD 3-clause (or similar) License: BSD 3-clause (or similar)
Group: Productivity/Networking/SSH Group: Productivity/Networking/SSH
Version: 5.2p1 Version: 5.2p1
Release: 7 Release: 8
Requires: openssh = %{version} openssh-askpass = %{version} Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Sep 21 14:40:51 CEST 2009 - anicka@suse.cz
- add new version of homechroot patch (added documentation, added
check for nodev and nosuid)
- remove Provides and Obsoletes ssh
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 20 16:54:08 CEST 2009 - anicka@suse.cz Thu Aug 20 16:54:08 CEST 2009 - anicka@suse.cz

View File

@ -31,14 +31,12 @@ BuildRequires: audit-devel krb5-devel opensc-devel openssl-devel pam-devel tcpd
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
License: BSD 3-clause (or similar) ; MIT License (or similar) License: BSD 3-clause (or similar) ; MIT License (or similar)
Group: Productivity/Networking/SSH Group: Productivity/Networking/SSH
Obsoletes: ssh
Provides: ssh
Requires: /bin/netstat Requires: /bin/netstat
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh Conflicts: nonfreessh
AutoReqProv: on AutoReqProv: on
Version: 5.2p1 Version: 5.2p1
Release: 7 Release: 8
%define xversion 1.2.4.1 %define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
Url: http://www.openssh.com/ Url: http://www.openssh.com/
@ -163,7 +161,7 @@ Authors:
%patch45 %patch45
%patch46 -p1 %patch46 -p1
%patch48 %patch48
%patch49 -p1 %patch49
cp -v %{SOURCE4} . cp -v %{SOURCE4} .
cp -v %{SOURCE6} . cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion} cd ../x11-ssh-askpass-%{xversion}