OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=14

2007-12-17 12:03:36 +00:00 · 2007-12-17 12:03:36 +00:00 · 97aa80753c
commit 97aa80753c
parent b8d4e6c1d8
5 changed files with 142 additions and 66 deletions
--- a/openssh-4.7p1-pam_session_close.diff
+++ b/openssh-4.7p1-pam_session_close.diff
@ -0,0 +1,129 @@
+--- auth-pam.c
+++ auth-pam.c
+@@ -598,15 +598,17 @@
+ void
+ sshpam_cleanup(void)
+ {
+-	debug("PAM: cleanup");
+-	if (sshpam_handle == NULL)
+	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
+ 		return;
+	debug("PAM: cleanup");
+ 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
+ 	if (sshpam_cred_established) {
+		debug("PAM: deleting credentials");
+ 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+ 		sshpam_cred_established = 0;
+ 	}
+ 	if (sshpam_session_open) {
+		debug("PAM: closing session");
+ 		pam_close_session(sshpam_handle, PAM_SILENT);
+ 		sshpam_session_open = 0;
+ 	}
+--- monitor.c
+++ monitor.c
+@@ -1546,6 +1546,11 @@
+ 	/* The child is terminating */
+ 	session_destroy_all(&mm_session_close);
+ 
+#ifdef USE_PAM
+	if (options.use_pam)
+		sshpam_cleanup();
+#endif
+
+ 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
+ 		if (errno != EINTR)
+ 			exit(1);
+--- session.c
+++ session.c
+@@ -422,11 +422,6 @@
+ 
+ 	session_proctitle(s);
+ 
+-#if defined(USE_PAM)
+-	if (options.use_pam && !use_privsep)
+-		do_pam_setcred(1);
+-#endif /* USE_PAM */
+-
+ 	/* Fork the child. */
+ 	if ((pid = fork()) == 0) {
+ 		is_child = 1;
+@@ -557,14 +552,6 @@
+ 	ptyfd = s->ptyfd;
+ 	ttyfd = s->ttyfd;
+ 
+-#if defined(USE_PAM)
+-	if (options.use_pam) {
+-		do_pam_set_tty(s->tty);
+-		if (!use_privsep)
+-			do_pam_setcred(1);
+-	}
+-#endif
+-
+ 	/* Fork the child. */
+ 	if ((pid = fork()) == 0) {
+ 		is_child = 1;
+@@ -1310,16 +1297,8 @@
+ # ifdef __bsdi__
+ 		setpgid(0, 0);
+ # endif
+-#ifdef GSSAPI
+-		if (options.gss_authentication) {
+-			temporarily_use_uid(pw);
+-			ssh_gssapi_storecreds();
+-			restore_uid();
+-		}
+-#endif
+ # ifdef USE_PAM
+ 		if (options.use_pam) {
+-			do_pam_session();
+ 			do_pam_setcred(use_privsep);
+ 		}
+ # endif /* USE_PAM */
+@@ -1347,13 +1326,6 @@
+ 			exit(1);
+ 		}
+ 		endgrent();
+-#ifdef GSSAPI
+-		if (options.gss_authentication) {
+-			temporarily_use_uid(pw);
+-			ssh_gssapi_storecreds();
+-			restore_uid();
+-		}
+-#endif
+ # ifdef USE_PAM
+ 		/*
+ 		 * PAM credentials may take the form of supplementary groups.
+@@ -1361,7 +1333,6 @@
+ 		 * Reestablish them here.
+ 		 */
+ 		if (options.use_pam) {
+-			do_pam_session();
+ 			do_pam_setcred(use_privsep);
+ 		}
+ # endif /* USE_PAM */
+--- sshd.c
+++ sshd.c
+@@ -1899,7 +1899,21 @@
+ 	audit_event(SSH_AUTH_SUCCESS);
+ #endif
+ 
+-	/*
+#ifdef GSSAPI
+	if (options.gss_authentication) {
+		temporarily_use_uid(authctxt->pw);
+		ssh_gssapi_storecreds();
+		restore_uid();
+	}
+#endif
+#ifdef USE_PAM
+	if (options.use_pam) {
+		do_pam_setcred(1);
+		do_pam_session();
+	}
+#endif
+
+ 	/*
+ 	 * In privilege separation, we fork another child and prepare
+ 	 * file descriptor passing.
+ 	 */
--- a/openssh-4.7p1-pwname-home.diff
+++ b/openssh-4.7p1-pwname-home.diff
@ -1,62 +0,0 @@
--- openssh-4.6p1/misc.c
-+++ openssh-4.6p1/misc.c
-@@ -186,6 +186,29 @@
- 	return (old);
- }
- 
-+struct passwd *getpwuid_wh(uid_t uid) {
-+    /* Return the password structure by lookup of the username in $ENV{USER},
-+    but only when the UID matches a lookup-by-uid so as to not allow using
-+    another users' .ssh files in case this function be used in superuser
-+    context. */
-+
-+    const char *user = getenv("USER");
-+    struct passwd *pe_nam, *pe_uid;
-+
-+    if(user == NULL || (pe_nam = getpwnam(user)) == NULL) {
-+        return getpwuid(uid);
-+    }
-+
-+    pe_nam = pwcopy(pe_nam);
-+    if((pe_uid = getpwuid(uid)) == NULL || pe_nam->pw_uid != pe_uid->pw_uid) {
-+        free(pe_nam);
-+        return pe_uid;
-+    }
-+
-+    free(pe_nam); // - need to return a non-pwcopy struct
-+    return getpwnam(user);
-+}
-+
- struct passwd *
- pwcopy(struct passwd *pw)
- {
-@@ -524,7 +547,7 @@
- 		user[slash] = '\0';
- 		if ((pw = getpwnam(user)) == NULL)
- 			fatal("tilde_expand_filename: No such user %s", user);
-	} else if ((pw = getpwuid(uid)) == NULL)	/* ~/path */
-+	} else if ((pw = getpwuid_wh(uid)) == NULL)	/* ~/path */
- 		fatal("tilde_expand_filename: No such uid %d", uid);
- 
- 	if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
--- openssh-4.6p1/misc.h
-+++ openssh-4.6p1/misc.h
-@@ -34,6 +34,7 @@
- char	*tohex(const void *, size_t);
- void	 sanitise_stdfd(void);
- 
-+struct passwd *getpwuid_wh(uid_t);
- struct passwd *pwcopy(struct passwd *);
- 
- typedef struct arglist arglist;
--- openssh-4.6p1/ssh.c
-+++ openssh-4.6p1/ssh.c
-@@ -249,7 +249,7 @@
- 	}
- #endif
- 	/* Get user data. */
-	pw = getpwuid(original_real_uid);
-+	pw = getpwuid_wh(original_real_uid);
- 	if (!pw) {
- 		logit("You don't exist, go away!");
- 		exit(255);
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -15,7 +15,7 @@ BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
 License:        BSD 3-Clause
 Group:          Productivity/Networking/SSH
 Version:        4.7p1
-Release:        3
+Release:        5
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Dec 15 00:10:13 CET 2007 - anicka@suse.cz
+
+- add patch calling pam with root privileges [#334559]
+- drop pwname-home patch [#104773]
+
 -------------------------------------------------------------------
 Fri Dec  7 22:28:40 CET 2007 - anicka@suse.cz

--- a/openssh.spec
+++ b/openssh.spec
@ -29,7 +29,7 @@ PreReq:         /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq  %fillup_pr
 Conflicts:      nonfreessh
 AutoReqProv:    on
 Version:        4.7p1
-Release:        3
+Release:        5
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/
@ -57,12 +57,12 @@ Patch28:        %{name}-%{version}-blocksigalrm.diff
 Patch35:        %{name}-%{version}-send_locale.diff
 Patch36:        %{name}-%{version}-xauthlocalhostname.diff
 Patch37:        %{name}-%{version}-tmpdir.diff
-Patch38:        %{name}-%{version}-pwname-home.diff
 Patch40:        %{name}-%{version}-xauth.diff
 Patch41:        %{name}-%{version}-gcc-fix.patch
 Patch42:        %{name}-gssapi_krb5-fix.patch
 Patch43:        %{name}-%{version}-default-protocol.diff
 Patch44:        %{name}-%{version}-audit.patch
+Patch45:        %{name}-%{version}-pam_session_close.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %package      askpass
@ -148,12 +148,12 @@ Authors:
 %patch35
 %patch36
 %patch37
-%patch38 -p1
 %patch40
 %patch41
 %patch42
 %patch43
 %patch44 -p1
+%patch45
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}
@ -296,6 +296,9 @@ rm -rf $RPM_BUILD_ROOT
 %config %_appdefdir/SshAskpass

 %changelog
+* Sat Dec 15 2007 - anicka@suse.cz
+- add patch calling pam with root privileges [#334559]
+- drop pwname-home patch [#104773]
 * Fri Dec 07 2007 - anicka@suse.cz
 - fix race condition in xauth patch
 * Wed Dec 05 2007 - anicka@suse.cz