OBS User unknown 2007-12-17 12:03:36 +00:00 committed by Git OBS Bridge
parent b8d4e6c1d8
commit 97aa80753c
5 changed files with 142 additions and 66 deletions


@ -0,0 +1,129 @@
--- auth-pam.c
+++ auth-pam.c
@@ -598,15 +598,17 @@
void
sshpam_cleanup(void)
{
- debug("PAM: cleanup");
- if (sshpam_handle == NULL)
+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
return;
+ debug("PAM: cleanup");
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
if (sshpam_cred_established) {
+ debug("PAM: deleting credentials");
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
sshpam_cred_established = 0;
}
if (sshpam_session_open) {
+ debug("PAM: closing session");
pam_close_session(sshpam_handle, PAM_SILENT);
sshpam_session_open = 0;
}
--- monitor.c
+++ monitor.c
@@ -1546,6 +1546,11 @@
/* The child is terminating */
session_destroy_all(&mm_session_close);
+#ifdef USE_PAM
+ if (options.use_pam)
+ sshpam_cleanup();
+#endif
+
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
--- session.c
+++ session.c
@@ -422,11 +422,6 @@
session_proctitle(s);
-#if defined(USE_PAM)
- if (options.use_pam && !use_privsep)
- do_pam_setcred(1);
-#endif /* USE_PAM */
-
/* Fork the child. */
if ((pid = fork()) == 0) {
is_child = 1;
@@ -557,14 +552,6 @@
ptyfd = s->ptyfd;
ttyfd = s->ttyfd;
-#if defined(USE_PAM)
- if (options.use_pam) {
- do_pam_set_tty(s->tty);
- if (!use_privsep)
- do_pam_setcred(1);
- }
-#endif
-
/* Fork the child. */
if ((pid = fork()) == 0) {
is_child = 1;
@@ -1310,16 +1297,8 @@
# ifdef __bsdi__
setpgid(0, 0);
# endif
-#ifdef GSSAPI
- if (options.gss_authentication) {
- temporarily_use_uid(pw);
- ssh_gssapi_storecreds();
- restore_uid();
- }
-#endif
# ifdef USE_PAM
if (options.use_pam) {
- do_pam_session();
do_pam_setcred(use_privsep);
}
# endif /* USE_PAM */
@@ -1347,13 +1326,6 @@
exit(1);
}
endgrent();
-#ifdef GSSAPI
- if (options.gss_authentication) {
- temporarily_use_uid(pw);
- ssh_gssapi_storecreds();
- restore_uid();
- }
-#endif
# ifdef USE_PAM
/*
* PAM credentials may take the form of supplementary groups.
@@ -1361,7 +1333,6 @@
* Reestablish them here.
*/
if (options.use_pam) {
- do_pam_session();
do_pam_setcred(use_privsep);
}
# endif /* USE_PAM */
--- sshd.c
+++ sshd.c
@@ -1899,7 +1899,21 @@
audit_event(SSH_AUTH_SUCCESS);
#endif
- /*
+#ifdef GSSAPI
+ if (options.gss_authentication) {
+ temporarily_use_uid(authctxt->pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
+ }
+#endif
+#ifdef USE_PAM
+ if (options.use_pam) {
+ do_pam_setcred(1);
+ do_pam_session();
+ }
+#endif
+
+ /*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
*/
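Review bot: The new block in the sshd.c hunk (the `#ifdef GSSAPI` / `#ifdef USE_PAM` lines inserted after `audit_event(SSH_AUTH_SUCCESS)`) runs `ssh_gssapi_storecreds()`, `do_pam_setcred(1)` and `do_pam_session()` in the privileged parent before the privilege-separation fork, but nothing in the code says so; the removed session.c hunks show these calls used to run in the per-session child, so the privilege change is the whole point of the patch and deserves a comment such as `/* GSSAPI credential storage and PAM session/credential setup now run here, as root, before the privsep child is forked; do_setusercontext() only re-establishes credentials. */`. The matching guard added to `sshpam_cleanup()` in auth-pam.c (`use_privsep && !mm_is_monitor()`) and the new `sshpam_cleanup()` call in monitor.c are the other half of that contract and would benefit from a one-line comment each stating that session close and credential deletion are intentionally done only by the monitor. It is not visible from these hunks who performs the cleanup when privilege separation is disabled, so that path should be confirmed against the callers. The enclosing function of the sshd.c hunk begins and ends outside the hunk.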


@ -1,62 +0,0 @@
--- openssh-4.6p1/misc.c
+++ openssh-4.6p1/misc.c
@@ -186,6 +186,29 @@
return (old);
}
+struct passwd *getpwuid_wh(uid_t uid) {
+ /* Return the password structure by lookup of the username in $ENV{USER},
+ but only when the UID matches a lookup-by-uid so as to not allow using
+ another users' .ssh files in case this function be used in superuser
+ context. */
+
+ const char *user = getenv("USER");
+ struct passwd *pe_nam, *pe_uid;
+
+ if(user == NULL || (pe_nam = getpwnam(user)) == NULL) {
+ return getpwuid(uid);
+ }
+
+ pe_nam = pwcopy(pe_nam);
+ if((pe_uid = getpwuid(uid)) == NULL || pe_nam->pw_uid != pe_uid->pw_uid) {
+ free(pe_nam);
+ return pe_uid;
+ }
+
+ free(pe_nam); // - need to return a non-pwcopy struct
+ return getpwnam(user);
+}
+
struct passwd *
pwcopy(struct passwd *pw)
{
@@ -524,7 +547,7 @@
user[slash] = '\0';
if ((pw = getpwnam(user)) == NULL)
fatal("tilde_expand_filename: No such user %s", user);
- } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
+ } else if ((pw = getpwuid_wh(uid)) == NULL) /* ~/path */
fatal("tilde_expand_filename: No such uid %d", uid);
if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
--- openssh-4.6p1/misc.h
+++ openssh-4.6p1/misc.h
@@ -34,6 +34,7 @@
char *tohex(const void *, size_t);
void sanitise_stdfd(void);
+struct passwd *getpwuid_wh(uid_t);
struct passwd *pwcopy(struct passwd *);
typedef struct arglist arglist;
--- openssh-4.6p1/ssh.c
+++ openssh-4.6p1/ssh.c
@@ -249,7 +249,7 @@
}
#endif
/* Get user data. */
- pw = getpwuid(original_real_uid);
+ pw = getpwuid_wh(original_real_uid);
if (!pw) {
logit("You don't exist, go away!");
exit(255);


@ -15,7 +15,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
License: BSD 3-Clause License: BSD 3-Clause
Group: Productivity/Networking/SSH Group: Productivity/Networking/SSH
Version: 4.7p1 Version: 4.7p1
Release: 3 Release: 5
Requires: openssh = %{version} openssh-askpass = %{version} Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Sat Dec 15 00:10:13 CET 2007 - anicka@suse.cz
- add patch calling pam with root privileges [#334559]
- drop pwname-home patch [#104773]
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Dec 7 22:28:40 CET 2007 - anicka@suse.cz Fri Dec 7 22:28:40 CET 2007 - anicka@suse.cz


@ -29,7 +29,7 @@ PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_pr
Conflicts: nonfreessh Conflicts: nonfreessh
AutoReqProv: on AutoReqProv: on
Version: 4.7p1 Version: 4.7p1
Release: 3 Release: 5
%define xversion 1.2.4.1 %define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
Url: http://www.openssh.com/ Url: http://www.openssh.com/
@ -57,12 +57,12 @@ Patch28: %{name}-%{version}-blocksigalrm.diff
Patch35: %{name}-%{version}-send_locale.diff Patch35: %{name}-%{version}-send_locale.diff
Patch36: %{name}-%{version}-xauthlocalhostname.diff Patch36: %{name}-%{version}-xauthlocalhostname.diff
Patch37: %{name}-%{version}-tmpdir.diff Patch37: %{name}-%{version}-tmpdir.diff
Patch38: %{name}-%{version}-pwname-home.diff
Patch40: %{name}-%{version}-xauth.diff Patch40: %{name}-%{version}-xauth.diff
Patch41: %{name}-%{version}-gcc-fix.patch Patch41: %{name}-%{version}-gcc-fix.patch
Patch42: %{name}-gssapi_krb5-fix.patch Patch42: %{name}-gssapi_krb5-fix.patch
Patch43: %{name}-%{version}-default-protocol.diff Patch43: %{name}-%{version}-default-protocol.diff
Patch44: %{name}-%{version}-audit.patch Patch44: %{name}-%{version}-audit.patch
Patch45: %{name}-%{version}-pam_session_close.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%package askpass %package askpass
@ -148,12 +148,12 @@ Authors:
%patch35 %patch35
%patch36 %patch36
%patch37 %patch37
%patch38 -p1
%patch40 %patch40
%patch41 %patch41
%patch42 %patch42
%patch43 %patch43
%patch44 -p1 %patch44 -p1
%patch45
cp -v %{SOURCE4} . cp -v %{SOURCE4} .
cp -v %{SOURCE6} . cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion} cd ../x11-ssh-askpass-%{xversion}
@ -296,6 +296,9 @@ rm -rf $RPM_BUILD_ROOT
%config %_appdefdir/SshAskpass %config %_appdefdir/SshAskpass
%changelog %changelog
* Sat Dec 15 2007 - anicka@suse.cz
- add patch calling pam with root privileges [#334559]
- drop pwname-home patch [#104773]
* Fri Dec 07 2007 - anicka@suse.cz * Fri Dec 07 2007 - anicka@suse.cz
- fix race condition in xauth patch - fix race condition in xauth patch
* Wed Dec 05 2007 - anicka@suse.cz * Wed Dec 05 2007 - anicka@suse.cz