diff --git a/openssh-4.7p1-pam_session_close.diff b/openssh-4.7p1-pam_session_close.diff
new file mode 100644
index 0000000..f526a36
--- /dev/null
+++ b/openssh-4.7p1-pam_session_close.diff
@@ -0,0 +1,129 @@
+--- auth-pam.c
++++ auth-pam.c
+@@ -598,15 +598,17 @@
+ void
+ sshpam_cleanup(void)
+ {
+- debug("PAM: cleanup");
+- if (sshpam_handle == NULL)
++ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
+ return;
++ debug("PAM: cleanup");
+ pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
+ if (sshpam_cred_established) {
++ debug("PAM: deleting credentials");
+ pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+ sshpam_cred_established = 0;
+ }
+ if (sshpam_session_open) {
++ debug("PAM: closing session");
+ pam_close_session(sshpam_handle, PAM_SILENT);
+ sshpam_session_open = 0;
+ }
+--- monitor.c
++++ monitor.c
+@@ -1546,6 +1546,11 @@
+ /* The child is terminating */
+ session_destroy_all(&mm_session_close);
+ 
++#ifdef USE_PAM
++ if (options.use_pam)
++ sshpam_cleanup();
++#endif
++
+ while (waitpid(pmonitor->m_pid, &status, 0) == -1)
+ if (errno != EINTR)
+ exit(1);
+--- session.c
++++ session.c
+@@ -422,11 +422,6 @@
+ 
+ session_proctitle(s);
+ 
+-#if defined(USE_PAM)
+- if (options.use_pam && !use_privsep)
+- do_pam_setcred(1);
+-#endif /* USE_PAM */
+-
+ /* Fork the child. */
+ if ((pid = fork()) == 0) {
+ is_child = 1;
+@@ -557,14 +552,6 @@
+ ptyfd = s->ptyfd;
+ ttyfd = s->ttyfd;
+ 
+-#if defined(USE_PAM)
+- if (options.use_pam) {
+- do_pam_set_tty(s->tty);
+- if (!use_privsep)
+- do_pam_setcred(1);
+- }
+-#endif
+-
+ /* Fork the child. */
+ if ((pid = fork()) == 0) {
+ is_child = 1;
+@@ -1310,16 +1297,8 @@
+ # ifdef __bsdi__
+ setpgid(0, 0);
+ # endif
+-#ifdef GSSAPI
+- if (options.gss_authentication) {
+- temporarily_use_uid(pw);
+- ssh_gssapi_storecreds();
+- restore_uid();
+- }
+-#endif
+ # ifdef USE_PAM
+ if (options.use_pam) {
+- do_pam_session();
+ do_pam_setcred(use_privsep);
+ }
+ # endif /* USE_PAM */
+@@ -1347,13 +1326,6 @@
+ exit(1);
+ }
+ endgrent();
+-#ifdef GSSAPI
+- if (options.gss_authentication) {
+- temporarily_use_uid(pw);
+- ssh_gssapi_storecreds();
+- restore_uid();
+- }
+-#endif
+ # ifdef USE_PAM
+ /*
+ * PAM credentials may take the form of supplementary groups.
+@@ -1361,7 +1333,6 @@
+ * Reestablish them here.
+ */
+ if (options.use_pam) {
+- do_pam_session();
+ do_pam_setcred(use_privsep);
+ }
+ # endif /* USE_PAM */
+--- sshd.c
++++ sshd.c
+@@ -1899,7 +1899,21 @@
+ audit_event(SSH_AUTH_SUCCESS);
+ #endif
+ 
+- /*
++#ifdef GSSAPI
++ if (options.gss_authentication) {
++ temporarily_use_uid(authctxt->pw);
++ ssh_gssapi_storecreds();
++ restore_uid();
++ }
++#endif
++#ifdef USE_PAM
++ if (options.use_pam) {
++ do_pam_setcred(1);
++ do_pam_session();
++ }
++#endif
++
++ /*
+ * In privilege separation, we fork another child and prepare
+ * file descriptor passing.
+ */
diff --git a/openssh-4.7p1-pwname-home.diff b/openssh-4.7p1-pwname-home.diff
deleted file mode 100644
index 1e860db..0000000
--- a/openssh-4.7p1-pwname-home.diff
+++ /dev/null
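Review bot: The session.c hunk at `@@ -557,14 +552,6 @@` removes the `do_pam_set_tty(s->tty)` call together with the setcred block, and nothing else in the patch sets PAM_TTY again; since `do_pam_session()` is now invoked from sshd.c immediately after `audit_event(SSH_AUTH_SUCCESS)`, before any session or pty is set up, session modules that consult PAM_TTY will presumably see it unset. If that is the intended trade-off, the patch file should say so — it currently has no header at all — so add a few lines before `--- auth-pam.c` stating that setcred/open_session are moved into the privileged monitor at authentication time, that the session is closed from the monitor's child-termination path via the new `mm_is_monitor()` guard in `sshpam_cleanup()`, and that PAM_TTY is therefore no longer available to session modules. Otherwise keep `if (options.use_pam) do_pam_set_tty(s->tty);` in the pty path so that at least the child's later `do_pam_setcred(use_privsep)` call runs with the tty known. Every nested hunk cuts into a function whose start and end lie outside the patch.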
@@ -1,62 +0,0 @@
---- openssh-4.6p1/misc.c
-+++ openssh-4.6p1/misc.c
-@@ -186,6 +186,29 @@
- return (old);
- }
- 
-+struct passwd *getpwuid_wh(uid_t uid) {
-+ /* Return the password structure by lookup of the username in $ENV{USER},
-+ but only when the UID matches a lookup-by-uid so as to not allow using
-+ another users' .ssh files in case this function be used in superuser
-+ context. */
-+
-+ const char *user = getenv("USER");
-+ struct passwd *pe_nam, *pe_uid;
-+
-+ if(user == NULL || (pe_nam = getpwnam(user)) == NULL) {
-+ return getpwuid(uid);
-+ }
-+
-+ pe_nam = pwcopy(pe_nam);
-+ if((pe_uid = getpwuid(uid)) == NULL || pe_nam->pw_uid != pe_uid->pw_uid) {
-+ free(pe_nam);
-+ return pe_uid;
-+ }
-+
-+ free(pe_nam); // - need to return a non-pwcopy struct
-+ return getpwnam(user);
-+}
-+
- struct passwd *
- pwcopy(struct passwd *pw)
- {
-@@ -524,7 +547,7 @@
- user[slash] = '\0';
- if ((pw = getpwnam(user)) == NULL)
- fatal("tilde_expand_filename: No such user %s", user);
-- } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
-+ } else if ((pw = getpwuid_wh(uid)) == NULL) /* ~/path */
- fatal("tilde_expand_filename: No such uid %d", uid);
- 
- if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
---- openssh-4.6p1/misc.h
-+++ openssh-4.6p1/misc.h
-@@ -34,6 +34,7 @@
- char *tohex(const void *, size_t);
- void sanitise_stdfd(void);
- 
-+struct passwd *getpwuid_wh(uid_t);
- struct passwd *pwcopy(struct passwd *);
- 
- typedef struct arglist arglist;
---- openssh-4.6p1/ssh.c
-+++ openssh-4.6p1/ssh.c
-@@ -249,7 +249,7 @@
- }
- #endif
- /* Get user data. */
-- pw = getpwuid(original_real_uid);
-+ pw = getpwuid_wh(original_real_uid);
- if (!pw) {
- logit("You don't exist, go away!");
- exit(255);
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index c839114..597016a 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@@ -15,7 +15,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
 License: BSD 3-Clause
 Group: Productivity/Networking/SSH
 Version: 4.7p1
-Release: 3
+Release: 5
 Requires: openssh = %{version} openssh-askpass = %{version}
 AutoReqProv: on
 Summary: A GNOME-Based Passphrase Dialog for OpenSSH
diff --git a/openssh.changes b/openssh.changes
index 058fadb..5eb34cd 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Dec 15 00:10:13 CET 2007 - anicka@suse.cz
+
+- add patch calling pam with root privileges [#334559]
+- drop pwname-home patch [#104773]
+
 -------------------------------------------------------------------
 Fri Dec 7 22:28:40 CET 2007 - anicka@suse.cz
diff --git a/openssh.spec b/openssh.spec
index 6faf07d..e02c623 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -29,7 +29,7 @@ PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_pr
 Conflicts: nonfreessh
 AutoReqProv: on
 Version: 4.7p1
-Release: 3
+Release: 5
 %define xversion 1.2.4.1
 Summary: Secure Shell Client and Server (Remote Login Program)
 Url: http://www.openssh.com/
@@ -57,12 +57,12 @@ Patch28: %{name}-%{version}-blocksigalrm.diff
 Patch35: %{name}-%{version}-send_locale.diff
 Patch36: %{name}-%{version}-xauthlocalhostname.diff
 Patch37: %{name}-%{version}-tmpdir.diff
-Patch38: %{name}-%{version}-pwname-home.diff
 Patch40: %{name}-%{version}-xauth.diff
 Patch41: %{name}-%{version}-gcc-fix.patch
 Patch42: %{name}-gssapi_krb5-fix.patch
 Patch43: %{name}-%{version}-default-protocol.diff
 Patch44: %{name}-%{version}-audit.patch
+Patch45: %{name}-%{version}-pam_session_close.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %package askpass
@@ -148,12 +148,12 @@ Authors:
 %patch35
 %patch36
 %patch37
-%patch38 -p1
 %patch40
 %patch41
 %patch42
 %patch43
 %patch44 -p1
+%patch45
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}
@@ -296,6 +296,9 @@ rm -rf $RPM_BUILD_ROOT
 %config %_appdefdir/SshAskpass
 %changelog
+* Sat Dec 15 2007 - anicka@suse.cz
+- add patch calling pam with root privileges [#334559]
+- drop pwname-home patch [#104773]
 * Fri Dec 07 2007 - anicka@suse.cz
 - fix race condition in xauth patch
 * Wed Dec 05 2007 - anicka@suse.cz