author | jperkin <jperkin@pkgsrc.org> | 2015-08-14 08:57:00 +0000 |
---|---|---|
committer | jperkin <jperkin@pkgsrc.org> | 2015-08-14 08:57:00 +0000 |
commit | ece03cdd151d4276c64277cff8515964795f993a (patch) | |
tree | c08d8e3781662e13dcbc9aaf50f28290fc73c4cf | |
parent | 655d8b2205db985fc4e54197e1ce5632849bc5ea (diff) | |
Fix a bug introduced 9 years ago in patch-sshd.c which has meant that
privilege separation has been disabled all that time. The logic was changed
such that it was only enabled on Interix, instead of only being disabled on
Interix as originally intended.
While here, pull in patches from MacPorts to enable privsep on Darwin.
Bump PKGREVISION.
-rw-r--r-- | security/openssh/Makefile | 26 | ||||
-rw-r--r-- | security/openssh/PLIST | 3 | ||||
-rw-r--r-- | security/openssh/distinfo | 15 | ||||
-rw-r--r-- | security/openssh/files/org.openssh.sshd.sb.in | 23 | ||||
-rw-r--r-- | security/openssh/patches/patch-auth2.c | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-loginrec.c | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-openbsd-compat_bsd-openpty.c | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-sandbox-darwin.c | 23 | ||||
-rw-r--r-- | security/openssh/patches/patch-sftp-common.c | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-sshd.c | 29 | ||||
-rw-r--r-- | security/openssh/patches/patch-uidswap.c | 4 |
11 files changed, 106 insertions, 33 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile index c2e49ec1411..8f623ef7f06 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.234 2015/07/30 03:20:36 taca Exp $ +# $NetBSD: Makefile,v 1.235 2015/08/14 08:57:00 jperkin Exp $ DISTNAME= openssh-6.9p1 PKGNAME= openssh-6.9.1 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/} @@ -140,7 +140,7 @@ CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth CONFS= ssh_config sshd_config moduli -PLIST_VARS+= prng +PLIST_VARS+= darwin prng .if exists(/dev/urandom) . if ${OPSYS} == "NetBSD" @@ -153,7 +153,14 @@ PLIST.prng= yes .endif EGDIR= ${PREFIX}/share/examples/${PKGBASE} -CONF_FILES= # empty + +# enable privsep patches +.if ${OPSYS} == "Darwin" +CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb +CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__ +PLIST.darwin= yes +.endif + .for f in ${CONFS} CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f} .endfor @@ -166,9 +173,9 @@ FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q} SUBST_CLASSES+= patch SUBST_STAGE.patch= pre-configure -SUBST_FILES.patch= session.c +SUBST_FILES.patch= session.c sandbox-darwin.c SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/' -SUBST_MESSAGE.patch= More patch a file. +SUBST_VARS.patch= PKG_SYSCONFDIR .include "../../devel/zlib/buildlink3.mk" .include "../../security/openssl/buildlink3.mk" @@ -189,6 +196,9 @@ post-configure: ${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \ ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \ fi + ${SED} -e 's,@VARBASE@,${VARBASE:Q},g' \ + < ${FILESDIR}/org.openssh.sshd.sb.in \ + > ${WRKDIR}/org.openssh.sshd.sb post-install: ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR} 
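Review bot: The comment `# enable privsep patches` over the new Darwin block in the `@@ -153,7 +153,14 @@` hunk does not describe what the block does: privilege separation itself is re-enabled by the change to patch-sshd.c, while this block only registers the sandbox profile as a CONF_FILE and defines `__APPLE_SANDBOX_NAMED_EXTERNAL__` so sandbox-darwin.c loads it. Suggest `# Darwin: install the sandbox profile for privsep children and build sandbox-darwin.c to load it from PKG_SYSCONFDIR`. The post-configure sed in the `@@ -189,6 +196,9 @@` hunk generates org.openssh.sshd.sb on every platform although only the Darwin branch of post-install uses it; placing it under the same `.if ${OPSYS} == "Darwin"` would keep the two in step. Note also that `s,@VARBASE@,${VARBASE:Q},g` uses a comma as the sed delimiter, so a VARBASE containing a comma would break the expression — unlikely, but worth a comment if it is left as is.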
@@ -199,5 +209,9 @@ post-install: ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \ ${DESTDIR}${EGDIR}/sshd.pam .endif +.if ${OPSYS} == "Darwin" + ${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \ + ${DESTDIR}${EGDIR}/org.openssh.sshd.sb +.endif .include "../../mk/bsd.pkg.mk" diff --git a/security/openssh/PLIST b/security/openssh/PLIST index 6aa5f151cb7..ebe150ae24d 100644 --- a/security/openssh/PLIST +++ b/security/openssh/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.16 2014/03/29 09:38:11 taca Exp $ +@comment $NetBSD: PLIST,v 1.17 2015/08/14 08:57:00 jperkin Exp $ bin/scp bin/sftp bin/slogin @@ -28,6 +28,7 @@ man/man8/ssh-pkcs11-helper.8 man/man8/sshd.8 sbin/sshd share/examples/openssh/moduli +${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb share/examples/openssh/ssh_config ${PLIST.prng}share/examples/openssh/ssh_prng_cmds ${PLIST.pam}share/examples/openssh/sshd.pam diff --git a/security/openssh/distinfo b/security/openssh/distinfo index e0a13b26197..3a7fe49d531 100644 --- a/security/openssh/distinfo +++ b/security/openssh/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.94 2015/07/30 03:20:36 taca Exp $ +$NetBSD: distinfo,v 1.95 2015/08/14 08:57:00 jperkin Exp $ SHA1 (openssh-6.9p1-hpn-20150709.diff.gz) = a39571c1cdb13382631a1d9cfe89b82fb346c92c RMD160 (openssh-6.9p1-hpn-20150709.diff.gz) = 8bb077e7ecbc7550386a050209e84d6f4d895788 
@@ -12,23 +12,24 @@ SHA1 (patch-auth-rhosts.c) = 5752c384f1fd81ed6ef21707fa2b9743a3891987 SHA1 (patch-auth.c) = 80f1c5ad8ea01a3c9dedce4eef1b625640958450 SHA1 (patch-auth1.c) = 0bb4bc35e2ca2cd03c5596dadcd2ffb4329091a7 SHA1 (patch-auth2-chall.c) = 9edd679fc0a1d128786cea8939e804adb400c3c9 -SHA1 (patch-auth2.c) = 831139b9cdbd9b4d3429ea1aba176daf78be3405 +SHA1 (patch-auth2.c) = 8a939381f72968d74a7df508a072dfb10f400284 SHA1 (patch-channels.c) = 9ad160fd1c2c7fabbea3d49dacb36036d13adfaa SHA1 (patch-clientloop.c) = 11d44815ec39030ae20cb75727acff8c8e91144e SHA1 (patch-config.h.in) = 5df3b952565c054f39110b66012005087bba7219 SHA1 (patch-configure.ac) = 8df3e2793a9bbd9179c69286f5cfea763bac3eea SHA1 (patch-defines.h) = ecb225b4319347d0bcc6a271c81b7042f4c18b02 SHA1 (patch-includes.h) = f3d502dc30e680889ed1c7cf4fa6ad8282e6cd4d -SHA1 (patch-loginrec.c) = 111530a4895c8f88c464c7495cee0dba1952d9ce -SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695 +SHA1 (patch-loginrec.c) = b06a236e9faf871e9eb102c52dd0f583bf096373 +SHA1 (patch-openbsd-compat_bsd-openpty.c) = 9ccde56bfcfe1791b367f933e51b25137acce960 SHA1 (patch-openbsd-compat_openbsd-compat.h) = da33ee063f0a45c3a5f165ee5ae96c3168890ef9 SHA1 (patch-openbsd-compat_port-tun.c) = 5a8c8a7d2381a4b9530593754afe0ae0dbe2c8f5 SHA1 (patch-platform.c) = 92d563030a6c7f8b1924b988e9a2565edfd8c3d6 +SHA1 (patch-sandbox-darwin.c) = a9255b1e8d52759506b61394de11050ea7ea25bb SHA1 (patch-scp.c) = 0f11569d52ff813f42dd41fe315beab2af650dd0 SHA1 (patch-session.c) = 4e07cc45bc020d720f32788d7344d0213891969e -SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd +SHA1 (patch-sftp-common.c) = 72146d410f78b5e4e5efae51ca05b22039d64545 SHA1 (patch-ssh.c) = 25645adeaa67e04a98b75d04d1f016704aa84bca SHA1 (patch-sshd.8) = 50154729a94aeaef17213d92979967b12d9c4e15 -SHA1 (patch-sshd.c) = f84fd4b4d299f75792f31d8967a1f9f6273ff06b +SHA1 (patch-sshd.c) = d381db6d05067d0f28be8268847df97a0c8e9ba4 SHA1 (patch-sshpty.c) = 
f87451e49e39fe137c8876fae52110dc2569958a -SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd +SHA1 (patch-uidswap.c) = 875be63bb6d1a7dd8c3d1c008c85aa4bf37dfdc2 diff --git a/security/openssh/files/org.openssh.sshd.sb.in b/security/openssh/files/org.openssh.sshd.sb.in new file mode 100644 index 00000000000..e060377c928 --- /dev/null +++ b/security/openssh/files/org.openssh.sshd.sb.in @@ -0,0 +1,23 @@ +;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $ +;; +;; Copyright (c) 2008 Apple Inc. All Rights reserved. +;; +;; sshd - profile for privilege separated children +;; +;; WARNING: The sandbox rules in this file currently constitute +;; Apple System Private Interface and are subject to change at any time and +;; without notice. +;; + +(version 1) + +(deny default) + +(allow file-chroot) +(allow file-read-metadata (literal "@VARBASE@")) + +(allow sysctl-read) +(allow mach-per-user-lookup) +(allow mach-lookup + (global-name "com.apple.system.notification_center") + (global-name "com.apple.system.logger")) diff --git a/security/openssh/patches/patch-auth2.c b/security/openssh/patches/patch-auth2.c index f54e65d7f2f..e43029ad95e 100644 --- a/security/openssh/patches/patch-auth2.c +++ b/security/openssh/patches/patch-auth2.c @@ -1,10 +1,10 @@ -$NetBSD: patch-auth2.c,v 1.4 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-auth2.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ Replace uid 0 with ROOTUID macro --- auth2.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ auth2.c -@@ -302,7 +330,7 @@ userauth_finish(Authctxt *authctxt, int +@@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int fatal("INTERNAL ERROR: authenticated and postponed"); /* Special handling for root */ diff --git a/security/openssh/patches/patch-loginrec.c b/security/openssh/patches/patch-loginrec.c index 11bf035bd68..7394d49310d 100644 --- a/security/openssh/patches/patch-loginrec.c +++ b/security/openssh/patches/patch-loginrec.c 
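Review bot: The profile is installed under PKG_SYSCONFDIR as a CONF_FILE, so an administrator will edit it without the context of patch-sshd.c, yet the one rule that is not part of the Apple header text, `(allow file-read-metadata (literal "@VARBASE@"))`, carries no explanation of why that path is needed. Suggest a comment above it such as `;; the privsep child enters this sandbox before it chroot()s (see patch-sshd.c); presumably it must stat the chroot target under @VARBASE@ — confirm against the chroot directory sshd is built with`, since the exact reason is not visible on this page. It would also help to state in the header that, because `(deny default)` comes first, removing a rule here makes the corresponding operation fail in the privsep child rather than silently widening its confinement, so edits should be made deliberately.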
@@ -1,8 +1,8 @@ -$NetBSD: patch-loginrec.c,v 1.3 2015/03/20 22:41:19 rodent Exp $ +$NetBSD: patch-loginrec.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $ Interix support and related fixes. Fix build on FreeBSD. ---- loginrec.c.orig 2014-01-17 01:23:24.000000000 +0000 +--- loginrec.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ loginrec.c @@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con int diff --git a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c index 2d706e37602..e7438d52856 100644 --- a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c +++ b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c @@ -1,8 +1,8 @@ -$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.1 2013/05/01 19:58:26 imil Exp $ +$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.2 2015/08/14 08:57:00 jperkin Exp $ Interix support ---- openbsd-compat/bsd-openpty.c.orig 2006-08-24 09:52:30.000000000 +0000 +--- openbsd-compat/bsd-openpty.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ openbsd-compat/bsd-openpty.c @@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char return (-1); diff --git a/security/openssh/patches/patch-sandbox-darwin.c b/security/openssh/patches/patch-sandbox-darwin.c new file mode 100644 index 00000000000..c19da070152 --- /dev/null +++ b/security/openssh/patches/patch-sandbox-darwin.c 
@@ -0,0 +1,23 @@ +$NetBSD: patch-sandbox-darwin.c,v 1.1 2015/08/14 08:57:00 jperkin Exp $ + +Support sandbox on newer OSX, from MacPorts. + +--- sandbox-darwin.c.orig 2015-07-01 02:35:31.000000000 +0000 ++++ sandbox-darwin.c +@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo + struct rlimit rl_zero; + + debug3("%s: starting Darwin sandbox", __func__); ++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__ ++#ifndef SANDBOX_NAMED_EXTERNAL ++#define SANDBOX_NAMED_EXTERNAL (0x3) ++#endif ++ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb", ++ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1) ++#else + if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED, + &errmsg) == -1) ++#endif + fatal("%s: sandbox_init: %s", __func__, errmsg); + + /* diff --git a/security/openssh/patches/patch-sftp-common.c b/security/openssh/patches/patch-sftp-common.c index 80d7f87e721..c12b4fcf627 100644 --- a/security/openssh/patches/patch-sftp-common.c +++ b/security/openssh/patches/patch-sftp-common.c @@ -1,8 +1,8 @@ -$NetBSD: patch-sftp-common.c,v 1.2 2014/03/29 09:38:11 taca Exp $ +$NetBSD: patch-sftp-common.c,v 1.3 2015/08/14 08:57:00 jperkin Exp $ Include <unistd.h> for strmode(3). ---- sftp-common.c.orig 2014-01-09 23:40:45.000000000 +0000 +--- sftp-common.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ sftp-common.c @@ -37,6 +37,9 @@ #include <string.h> diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c index 872b92dc08e..24a67203e2f 100644 --- a/security/openssh/patches/patch-sshd.c +++ b/security/openssh/patches/patch-sshd.c @@ -1,4 +1,4 @@ -$NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ * Interix support * Revive tcp_wrappers support. 
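Review bot: The fallback `#define SANDBOX_NAMED_EXTERNAL (0x3)` is an unexplained magic value guarded only by `#ifndef`, and nothing in the hunk records where it comes from or that it must agree with the sandbox.h on SDKs that do export it. Suggest a comment on the `#ifndef` line, `/* value from the MacPorts patch for SDKs whose sandbox.h does not define it; must match the header where it exists */`. It is also worth noting next to the new `sandbox_init()` call that the existing `fatal()` path is now reached when `@PKG_SYSCONFDIR@/org.openssh.sshd.sb` is missing or unreadable, i.e. a removed profile fails closed instead of running the child unconfined. ssh_sandbox_child() begins before this hunk, so `errmsg` and `box` are declared outside it.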
@@ -24,9 +24,9 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $ /* variables used for privilege separation */ +#ifdef HAVE_INTERIX - int use_privsep = -1; -+#else +int use_privsep = 0; ++#else + int use_privsep = -1; +#endif struct monitor *pmonitor = NULL; int privsep_is_preauth = 1; @@ -47,16 +47,27 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $ #endif } -@@ -714,7 +730,7 @@ privsep_preauth(Authctxt *authctxt) +@@ -714,11 +730,18 @@ privsep_preauth(Authctxt *authctxt) set_log_handler(mm_log_handler, pmonitor); /* Demote the child */ - if (getuid() == 0 || geteuid() == 0) ++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__ ++ /* We need to do this before we chroot() so we can read sshd.sb */ ++ if (box != NULL) ++ ssh_sandbox_child(box); ++#endif + if (getuid() == ROOTUID || geteuid() == ROOTUID) privsep_preauth_child(); setproctitle("%s", "[net]"); ++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__ if (box != NULL) -@@ -732,7 +748,7 @@ privsep_postauth(Authctxt *authctxt) + ssh_sandbox_child(box); ++#endif + + return 0; + } +@@ -732,7 +755,7 @@ privsep_postauth(Authctxt *authctxt) #ifdef DISABLE_FD_PASSING if (1) { #else @@ -65,7 +76,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $ #endif /* File descriptor passing is broken or root login */ use_privsep = 0; -@@ -1485,8 +1501,10 @@ main(int ac, char **av) +@@ -1485,8 +1508,10 @@ main(int ac, char **av) av = saved_argv; #endif @@ -77,7 +88,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -@@ -1915,7 +1933,7 @@ main(int ac, char **av) +@@ -1915,7 +1940,7 @@ main(int ac, char **av) (st.st_uid != getuid () || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) #else 
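Review bot: The corrected `#ifdef HAVE_INTERIX` block still says nothing about what the two values mean, which is how the inversion went unnoticed: `-1` is the unchanged upstream default (the context line) and `0` disables privilege separation, as the later `use_privsep = 0;` under "File descriptor passing is broken or root login" shows. Suggest adding to the patch, on the new `#ifdef HAVE_INTERIX` line, `/* Interix only: privilege separation forced off (reason: TODO); every other platform keeps the upstream default of -1 */` — the reason for the Interix exception is not stated on this page and should be filled in by whoever knows it. The patch-sshd.c header lists only `* Interix support`; a one-line entry naming this as the single place privsep is turned off would help the next maintainer.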
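Review bot: Under `__APPLE_SANDBOX_NAMED_EXTERNAL__` the child now calls `ssh_sandbox_child(box)` before `privsep_preauth_child()`, so the chroot and the drop to the unprivileged uid run inside the sandbox, whereas the `#ifndef` branch keeps the upstream order of confining after the drop. The added comment explains why sshd.sb must still be readable but not the consequence: the installed profile has to permit everything `privsep_preauth_child()` does (`(allow file-chroot)` in org.openssh.sshd.sb.in covers the chroot; the rest is not visible here), otherwise those operations fail under the sandbox before any authentication takes place. Suggest widening the comment to `/* Darwin external profile: enter the sandbox before chroot() so sshd.sb is still readable; the profile must therefore permit the chroot and uid drop done by privsep_preauth_child() */`. privsep_preauth() begins before this hunk.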
@@ -86,7 +97,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $ #endif fatal("%s must be owned by root and not group or " "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); -@@ -1938,8 +1956,10 @@ main(int ac, char **av) +@@ -1938,8 +1963,10 @@ main(int ac, char **av) * to create a file, and we can't control the code in every * module which might be used). */ @@ -97,7 +108,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $ if (rexec_flag) { rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *)); -@@ -2135,6 +2155,25 @@ main(int ac, char **av) +@@ -2135,6 +2162,25 @@ main(int ac, char **av) audit_connection_from(remote_ip, remote_port); #endif diff --git a/security/openssh/patches/patch-uidswap.c b/security/openssh/patches/patch-uidswap.c index d28e7300566..bb46fb9e080 100644 --- a/security/openssh/patches/patch-uidswap.c +++ b/security/openssh/patches/patch-uidswap.c @@ -1,8 +1,8 @@ -$NetBSD: patch-uidswap.c,v 1.3 2014/03/29 09:38:11 taca Exp $ +$NetBSD: patch-uidswap.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $ Interix support ---- uidswap.c.orig 2014-01-18 09:43:50.000000000 +0000 +--- uidswap.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ uidswap.c @@ -67,13 +67,13 @@ temporarily_use_uid(struct passwd *pw) (u_int)pw->pw_uid, (u_int)pw->pw_gid, |