openssh/openssh-7.2p2-remove_xauth_cookies_on_exit.patch

# HG changeset patch
# Parent  ff8f0a192e120430204441cdcd18ff130f85a61e
# --used to be called '-xauth'
try to remove xauth cookies on logout

bnc#98815

diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
--- a/openssh-7.2p2/session.c
+++ b/openssh-7.2p2/session.c
@@ -2540,16 +2540,44 @@ session_close(Session *s)
 	u_int i;
 
 	verbose("Close session: user %s from %.200s port %d id %d",
 	    s->pw->pw_name,
 	    get_remote_ipaddr(),
 	    get_remote_port(),
 	    s->self);
 
+	if ((s->display != NULL) && (s->auth_proto != NULL) &&
+	    (s->auth_data != NULL) && (options.xauth_location != NULL)) {
+		pid_t pid;
+		FILE *f;
+		char cmd[1024];
+		struct passwd * pw = s->pw;
+
+		if (!(pid = fork())) {
+			permanently_set_uid(pw);
+
+			/* Remove authority data from .Xauthority if appropriate. */
+			debug("Running %.500s remove %.100s\n",
+			    options.xauth_location, s->auth_display);
+
+			snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
+                     	    s->pw->pw_dir, options.xauth_location);
+            		f = popen(cmd, "w");
+			if (f) {
+				fprintf(f, "remove %s\n", s->auth_display);
+				pclose(f);
+			} else
+				error("Could not run %s\n", cmd);
+			exit(0);
+		} else if (pid > 0) {
+			waitpid(pid, NULL, 0);
+		}
+	}
+
 	if (s->ttyfd != -1)
 		session_pty_cleanup(s);
 	free(s->term);
 	free(s->display);
 	free(s->x11_chanids);
 	free(s->auth_display);
 	free(s->auth_data);
 	free(s->auth_proto);
Accepting request 398802 from home:pcerny:factory - upgrade to 7.2p2 - changing license to 2-clause BSD to match source - enable trusted X11 forwarding by default [-X11_trusted_forwarding] - set UID for lastlog properly [-lastlog] - enable use of PAM by default [-enable_PAM_by_default] - copy command line arguments properly [-saveargv-fix] - do not use pthreads in PAM code [-dont_use_pthreads_in_PAM] - fix paths in documentation [-eal3] - prevent race consitions triggered by SIGALRM [-blocksigalrm] - do send and accept locale environment variables by default [-send_locale] - handle hostnames changes during X forwarding [-hostname_changes_when_forwarding_X] - try to remove xauth cookies on exit [-remove_xauth_cookies_on_exit] - properly format pts names for ?tmp? log files [-pts_names_formatting] - check locked accounts when using PAM [-pam_check_locks] - chenge default PermitRootLogin to 'yes' to prevent unwanted surprises on updates from older versions. See README.SUSE for details [-allow_root_password_login] - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) [-disable_short_DH_parameters] - Add getuid() and stat() syscalls to the seccomp filter OBS-URL: https://build.opensuse.org/request/show/398802 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103 2016-05-30 03:36:18 +02:00			`# HG changeset patch`
Accepting request 432093 from home:pcerny:factory next round of patches - allow X forwarding over IPv4 when IPv6 sockets is not available [openssh-7.2p2-X_forward_with_disabled_ipv6.patch] - do not write PID file when not daemonizing [openssh-7.2p2-no_fork-no_pid_file.patch] - use correct options when invoking login [openssh-7.2p2-login_options.patch] - helper application for retrieving users' public keys from an LDAP server [openssh-7.2p2-ldap.patch] - allow forcing permissions over sftp [openssh-7.2p2-sftp_force_permissions.patch] - do not perform run-time checks for OpenSSL API/ABI change [openssh-7.2p2-disable-openssl-abi-check.patch] - suggest commands for cleaning known hosts file [openssh-7.2p2-host_ident.patch] - sftp home chroot patch [openssh-7.2p2-sftp_homechroot.patch] - ssh sessions auditing [openssh-7.2p2-audit.patch] - enable seccomp sandbox on additional architectures [openssh-7.2p2-additional_seccomp_archs.patch] OBS-URL: https://build.opensuse.org/request/show/432093 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=112 2016-09-30 22:34:19 +02:00			`# Parent ff8f0a192e120430204441cdcd18ff130f85a61e`
Accepting request 407066 from home:pcerny:factory - enable support for SSHv1 protocol and discourage its usage (bsc#983307) - enable DSA by default for backward compatibility and discourage its usage (bsc#983784) [openssh-7.2p2-allow_DSS_by_default.patch] - upgrade to 7.2p2 upstream package without any SUSE patches Distilled upstream log: - OpenSSH 6.7 Potentially-incompatible changes: * sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. * sshd(8): Support for tcpwrappers/libwrap has been removed. * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions. New Features: * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. OBS-URL: https://build.opensuse.org/request/show/407066 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107 2016-07-07 09:07:23 +02:00			`# --used to be called '-xauth'`
Accepting request 398802 from home:pcerny:factory - upgrade to 7.2p2 - changing license to 2-clause BSD to match source - enable trusted X11 forwarding by default [-X11_trusted_forwarding] - set UID for lastlog properly [-lastlog] - enable use of PAM by default [-enable_PAM_by_default] - copy command line arguments properly [-saveargv-fix] - do not use pthreads in PAM code [-dont_use_pthreads_in_PAM] - fix paths in documentation [-eal3] - prevent race consitions triggered by SIGALRM [-blocksigalrm] - do send and accept locale environment variables by default [-send_locale] - handle hostnames changes during X forwarding [-hostname_changes_when_forwarding_X] - try to remove xauth cookies on exit [-remove_xauth_cookies_on_exit] - properly format pts names for ?tmp? log files [-pts_names_formatting] - check locked accounts when using PAM [-pam_check_locks] - chenge default PermitRootLogin to 'yes' to prevent unwanted surprises on updates from older versions. See README.SUSE for details [-allow_root_password_login] - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) [-disable_short_DH_parameters] - Add getuid() and stat() syscalls to the seccomp filter OBS-URL: https://build.opensuse.org/request/show/398802 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103 2016-05-30 03:36:18 +02:00			`try to remove xauth cookies on logout`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00
Accepting request 398802 from home:pcerny:factory - upgrade to 7.2p2 - changing license to 2-clause BSD to match source - enable trusted X11 forwarding by default [-X11_trusted_forwarding] - set UID for lastlog properly [-lastlog] - enable use of PAM by default [-enable_PAM_by_default] - copy command line arguments properly [-saveargv-fix] - do not use pthreads in PAM code [-dont_use_pthreads_in_PAM] - fix paths in documentation [-eal3] - prevent race consitions triggered by SIGALRM [-blocksigalrm] - do send and accept locale environment variables by default [-send_locale] - handle hostnames changes during X forwarding [-hostname_changes_when_forwarding_X] - try to remove xauth cookies on exit [-remove_xauth_cookies_on_exit] - properly format pts names for ?tmp? log files [-pts_names_formatting] - check locked accounts when using PAM [-pam_check_locks] - chenge default PermitRootLogin to 'yes' to prevent unwanted surprises on updates from older versions. See README.SUSE for details [-allow_root_password_login] - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) [-disable_short_DH_parameters] - Add getuid() and stat() syscalls to the seccomp filter OBS-URL: https://build.opensuse.org/request/show/398802 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103 2016-05-30 03:36:18 +02:00			`bnc#98815`

			`diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c`
			`--- a/openssh-7.2p2/session.c`
			`+++ b/openssh-7.2p2/session.c`
			`@@ -2540,16 +2540,44 @@ session_close(Session *s)`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 17:26:05 +01:00			`u_int i;`

Accepting request 398802 from home:pcerny:factory - upgrade to 7.2p2 - changing license to 2-clause BSD to match source - enable trusted X11 forwarding by default [-X11_trusted_forwarding] - set UID for lastlog properly [-lastlog] - enable use of PAM by default [-enable_PAM_by_default] - copy command line arguments properly [-saveargv-fix] - do not use pthreads in PAM code [-dont_use_pthreads_in_PAM] - fix paths in documentation [-eal3] - prevent race consitions triggered by SIGALRM [-blocksigalrm] - do send and accept locale environment variables by default [-send_locale] - handle hostnames changes during X forwarding [-hostname_changes_when_forwarding_X] - try to remove xauth cookies on exit [-remove_xauth_cookies_on_exit] - properly format pts names for ?tmp? log files [-pts_names_formatting] - check locked accounts when using PAM [-pam_check_locks] - chenge default PermitRootLogin to 'yes' to prevent unwanted surprises on updates from older versions. See README.SUSE for details [-allow_root_password_login] - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) [-disable_short_DH_parameters] - Add getuid() and stat() syscalls to the seccomp filter OBS-URL: https://build.opensuse.org/request/show/398802 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103 2016-05-30 03:36:18 +02:00			`verbose("Close session: user %s from %.200s port %d id %d",`
			`s->pw->pw_name,`
			`get_remote_ipaddr(),`
			`get_remote_port(),`
			`s->self);`

			`+ if ((s->display != NULL) && (s->auth_proto != NULL) &&`
			`+ (s->auth_data != NULL) && (options.xauth_location != NULL)) {`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=13 2007-12-11 00:29:55 +01:00			`+ pid_t pid;`
			`+ FILE *f;`
			`+ char cmd[1024];`
			`+ struct passwd * pw = s->pw;`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 17:26:05 +01:00			`+`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=13 2007-12-11 00:29:55 +01:00			`+ if (!(pid = fork())) {`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 17:26:05 +01:00			`+ permanently_set_uid(pw);`
			`+`
			`+ /* Remove authority data from .Xauthority if appropriate. */`
			`+ debug("Running %.500s remove %.100s\n",`
Accepting request 398802 from home:pcerny:factory - upgrade to 7.2p2 - changing license to 2-clause BSD to match source - enable trusted X11 forwarding by default [-X11_trusted_forwarding] - set UID for lastlog properly [-lastlog] - enable use of PAM by default [-enable_PAM_by_default] - copy command line arguments properly [-saveargv-fix] - do not use pthreads in PAM code [-dont_use_pthreads_in_PAM] - fix paths in documentation [-eal3] - prevent race consitions triggered by SIGALRM [-blocksigalrm] - do send and accept locale environment variables by default [-send_locale] - handle hostnames changes during X forwarding [-hostname_changes_when_forwarding_X] - try to remove xauth cookies on exit [-remove_xauth_cookies_on_exit] - properly format pts names for ?tmp? log files [-pts_names_formatting] - check locked accounts when using PAM [-pam_check_locks] - chenge default PermitRootLogin to 'yes' to prevent unwanted surprises on updates from older versions. See README.SUSE for details [-allow_root_password_login] - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) [-disable_short_DH_parameters] - Add getuid() and stat() syscalls to the seccomp filter OBS-URL: https://build.opensuse.org/request/show/398802 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103 2016-05-30 03:36:18 +02:00			`+ options.xauth_location, s->auth_display);`
Accepting request 60057 from home:leonardocf:branches:network reviewed ok. OBS-URL: https://build.opensuse.org/request/show/60057 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=7 2011-02-04 14:58:22 +01:00			`+`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 17:26:05 +01:00			`+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",`
Accepting request 398802 from home:pcerny:factory - upgrade to 7.2p2 - changing license to 2-clause BSD to match source - enable trusted X11 forwarding by default [-X11_trusted_forwarding] - set UID for lastlog properly [-lastlog] - enable use of PAM by default [-enable_PAM_by_default] - copy command line arguments properly [-saveargv-fix] - do not use pthreads in PAM code [-dont_use_pthreads_in_PAM] - fix paths in documentation [-eal3] - prevent race consitions triggered by SIGALRM [-blocksigalrm] - do send and accept locale environment variables by default [-send_locale] - handle hostnames changes during X forwarding [-hostname_changes_when_forwarding_X] - try to remove xauth cookies on exit [-remove_xauth_cookies_on_exit] - properly format pts names for ?tmp? log files [-pts_names_formatting] - check locked accounts when using PAM [-pam_check_locks] - chenge default PermitRootLogin to 'yes' to prevent unwanted surprises on updates from older versions. See README.SUSE for details [-allow_root_password_login] - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) [-disable_short_DH_parameters] - Add getuid() and stat() syscalls to the seccomp filter OBS-URL: https://build.opensuse.org/request/show/398802 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103 2016-05-30 03:36:18 +02:00			`+ s->pw->pw_dir, options.xauth_location);`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 17:26:05 +01:00			`+ f = popen(cmd, "w");`
			`+ if (f) {`
			`+ fprintf(f, "remove %s\n", s->auth_display);`
			`+ pclose(f);`
			`+ } else`
			`+ error("Could not run %s\n", cmd);`
			`+ exit(0);`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=13 2007-12-11 00:29:55 +01:00			`+ } else if (pid > 0) {`
Accepting request 398802 from home:pcerny:factory - upgrade to 7.2p2 - changing license to 2-clause BSD to match source - enable trusted X11 forwarding by default [-X11_trusted_forwarding] - set UID for lastlog properly [-lastlog] - enable use of PAM by default [-enable_PAM_by_default] - copy command line arguments properly [-saveargv-fix] - do not use pthreads in PAM code [-dont_use_pthreads_in_PAM] - fix paths in documentation [-eal3] - prevent race consitions triggered by SIGALRM [-blocksigalrm] - do send and accept locale environment variables by default [-send_locale] - handle hostnames changes during X forwarding [-hostname_changes_when_forwarding_X] - try to remove xauth cookies on exit [-remove_xauth_cookies_on_exit] - properly format pts names for ?tmp? log files [-pts_names_formatting] - check locked accounts when using PAM [-pam_check_locks] - chenge default PermitRootLogin to 'yes' to prevent unwanted surprises on updates from older versions. See README.SUSE for details [-allow_root_password_login] - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) [-disable_short_DH_parameters] - Add getuid() and stat() syscalls to the seccomp filter OBS-URL: https://build.opensuse.org/request/show/398802 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103 2016-05-30 03:36:18 +02:00			`+ waitpid(pid, NULL, 0);`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 17:26:05 +01:00			`+ }`
			`+ }`
			`+`
			`if (s->ttyfd != -1)`
			`session_pty_cleanup(s);`
Accepting request 220466 from home:pcerny:factory - Update of the underlying OpenSSH to 6.4p1 - Update to 6.4p1 Features since 6.2p2: * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or hostkeys on smartcards. * ssh(1)/sshd(8): allow optional time-based rekeying via a second argument to the existing RekeyLimit option. RekeyLimit is now supported in sshd_config as well as on the client. * sshd(8): standardise logging of information during user authentication. * The presented key/cert and the remote username (if available) is now logged in the authentication success/failure message on the same log line as the local username, remote host/port and protocol in use. Certificates contents and the key fingerprint of the signing CA are logged too. * ssh(1) ability to query what cryptographic algorithms are supported in the binary. * ssh(1): ProxyCommand=- for cases where stdin and stdout already point to the proxy. * ssh(1): allow IdentityFile=none * ssh(1)/sshd(8): -E option to append debugging logs to a specified file instead of stderr or syslog. * sftp(1): support resuming partial downloads with the "reget" command and on the sftp commandline or on the "get" commandline with the "-a" (append) option. * ssh(1): "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives. * sshd(8): support for submethods to be appended to required authentication methods listed via AuthenticationMethods. OBS-URL: https://build.opensuse.org/request/show/220466 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=58 2014-01-31 13:18:41 +01:00			`free(s->term);`
			`free(s->display);`
			`free(s->x11_chanids);`
			`free(s->auth_display);`
			`free(s->auth_data);`
			`free(s->auth_proto);`