diff options
| author | tv <tv> | 2005-03-07 23:29:49 +0000 |
|---|---|---|
| committer | tv <tv> | 2005-03-07 23:29:49 +0000 |
| commit | d2b376ced95c3949b2726778f3ec61a4165b972e (patch) | |
| tree | a03e313a0a2d0cedf2ecfe5ea8233f81f07709f1 /security/openssh | |
| parent | 043b85f8c53272ddd5eac97a1f7922c528e95641 (diff) | |
| download | pkgsrc-d2b376ced95c3949b2726778f3ec61a4165b972e.tar.gz | |
nb5: Rework Interix support, based on work done by Interop Systems
*before* a BSD-with-advertising license was added to their diffs, and other
work done personally by me.
sshd now works. Most permissions checks work properly. Privsep is off by
default, and the sshd user is not created, on Interix until some problems
with privsep are fixed (perhaps by abstracting the auth functionality out
to openpam).
Diffstat (limited to 'security/openssh')
24 files changed, 613 insertions, 337 deletions
diff --git a/security/openssh/MESSAGE.Interix b/security/openssh/MESSAGE.Interix new file mode 100644 index 00000000000..ee57d65d24d --- /dev/null +++ b/security/openssh/MESSAGE.Interix @@ -0,0 +1,20 @@ +=========================================================================== +$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $ + +OpenSSH on Interix has some important caveats: + +* Hostname resolution uses the BIND resolver library rather than Windows + native lookup services. This requires that /etc/resolv.conf be set up + properly with a "nameserver" line; see resolv.conf(5). In most + installations, this was generated automatically when Services for UNIX + was installed (based on the name server in use at that time). + +* Currently, UsePrivilegeSeparation does not work properly, so it defaults + to "no" on Interix. + +* Network drives and encrypted local files may not be accessible after + logging in through sshd thanks to the way the Windows security API works. + A workaround is to "exec su USERNAME" after logging in, which will use + the password to create a proper Windows access credential key. + +=========================================================================== diff --git a/security/openssh/Makefile b/security/openssh/Makefile index c18345ae0ac..5bdd2f705ab 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.146 2004/12/28 02:47:49 reed Exp $ +# $NetBSD: Makefile,v 1.147 2005/03/07 23:29:49 tv Exp $ DISTNAME= openssh-3.9p1 PKGNAME= openssh-3.9.1 -PKGREVISION= 4 +PKGREVISION= 5 SVR4_PKGNAME= ossh CATEGORIES= security MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ @@ -34,11 +34,26 @@ BUILD_DEFS+= USE_INET6 INSTALL_TARGET= install-nokeys PLIST_SRC= # empty -MESSAGE_SRC= ${.CURDIR}/MESSAGE +.if ${OPSYS} == "Interix" + +# normal MESSAGE does not apply, as privsep is not in use +MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix +BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind /usr/local/lib/bind +CONFIGURE_ENV+= ac_cv_func_openpty=no +CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes +CPPFLAGS+= -I/usr/local/include/bind +LDFLAGS+= -L/usr/local/lib/bind +LIBS+= -lbind -ldb -lcrypt + +.else # not Interix + +MESSAGE_SRC= ${.CURDIR}/MESSAGE PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}:${OPENSSH_UID}:sshd\\ privsep:${OPENSSH_CHROOT}:${NOLOGIN} PKG_GROUPS= ${OPENSSH_GROUP}:${OPENSSH_GID} +.endif + SSH_PID_DIR= ${VARBASE}/run # default directory for PID files PKG_SYSCONFSUBDIR= ssh @@ -55,8 +70,11 @@ CONFIGURE_ARGS+= --mandir=${PREFIX}/${MANDIR} CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR} CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE} CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers} + +.if ${OPSYS} != "Interix" CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT} CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER} +.endif # the openssh configure script finds and uses ${LD} if defined and # defaults to ${CC} if not. we override LD here, since running the @@ -64,10 +82,6 @@ CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER} # CONFIGURE_ENV+= LD=${CC:Q} -.if ${OPSYS} == "Interix" -CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes -.endif - # Enable S/Key support on NetBSD, Darwin, and Solaris. .if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS") . include "../../security/skey/buildlink3.mk" diff --git a/security/openssh/distinfo b/security/openssh/distinfo index e3c62982bba..caef957a381 100644 --- a/security/openssh/distinfo +++ b/security/openssh/distinfo @@ -1,25 +1,29 @@ -$NetBSD: distinfo,v 1.38 2005/02/24 13:10:08 agc Exp $ +$NetBSD: distinfo,v 1.39 2005/03/07 23:29:49 tv Exp $ SHA1 (openssh-3.9p1.tar.gz) = 80b19d83a9d4717f5c38b2d950501e1471f60afc RMD160 (openssh-3.9p1.tar.gz) = e4abf280a18e3ae046d0dee19dab919bba8e5568 Size (openssh-3.9p1.tar.gz) = 854027 bytes SHA1 (openssh-3.9p1-hpn.diff) = 1821c590b9b5effa3750ebf0166fe3f22d00faad Size (openssh-3.9p1-hpn.diff) = 8387 bytes -SHA1 (patch-aa) = 5d0b1cf5cf92e0d314e6458b225074a73f35f857 -SHA1 (patch-ab) = 662440f96d38e43b0c8de7bef260f82d8b7ab737 -SHA1 (patch-ac) = 3ad72f42b066ef1f48e276bccd438da2d6fde980 -SHA1 (patch-ad) = 6a0c4edd2217f22f7c9622fb38124287e93c5fc8 -SHA1 (patch-ae) = fece020b1c2432f4ac5b62104be808aa3f70ea22 -SHA1 (patch-af) = 444fadaafdb45adc1008cbf106cd28c075700616 -SHA1 (patch-ag) = d0c93842739da39b588acdb0449a2562e05497d3 +SHA1 (patch-aa) = 6bceb5b0480727c6c4e0cf662fa85cffebf91bdb +SHA1 (patch-ab) = f43a6b627a4f2b8ecd74b016ce29b5f8091d877e +SHA1 (patch-ac) = d851513c2a115358671bf9efafab1e3ee9166088 +SHA1 (patch-ad) = 9f862bc0bdcb7285ffaf2b7f2685e363ff8daba3 +SHA1 (patch-ae) = d7bcee7a84457c96951c3da82aa689fa818a07b6 +SHA1 (patch-af) = ec6b439a3a4a0d2e5b13685c4d94deb26bbece45 +SHA1 (patch-ag) = dbdbefa00b2ec7e6ee3cf4441d1fc817ecefc742 SHA1 (patch-ah) = 85a8f0fa5ddf13f8342faaff6bf81fcd3ad6648a -SHA1 (patch-ai) = da31e53b3ccbef24abc6418ee466f1e43fdd7447 -SHA1 (patch-aj) = ea07f23e66863e78bbe2cfced747795cb6c2f7ba -SHA1 (patch-ak) = fe65dbf8771f6515d32ed994723b979f8e3211d6 -SHA1 (patch-al) = 5a0aed20f0c75b5bbcf4abce1e50d1ced3990ca7 -SHA1 (patch-am) = a88eb34b83789453b8e212b14f33d8e98d153667 -SHA1 (patch-an) = 4694cd36c85d76fe42411600a482dcfa1421f704 -SHA1 (patch-ao) = 00750c5f80bced34c54558cbd5ad3b96384e0d00 -SHA1 (patch-ap) = ba0a85060632dfa3939b7316f0acecfa3100082d -SHA1 (patch-aq) = ee466164b653f521445884e119627f4927fabbe0 -SHA1 (patch-ar) = 1c551d1459cd690a2d5c5383a2b1726707df9134 +SHA1 (patch-ai) = ccc43f0523bf2b0e28d7e169eda59b1ff1a2215b +SHA1 (patch-aj) = 44f2b11949a4dea6a8760b8397db5360b64bf01f +SHA1 (patch-ak) = 6140fe665aa84ab8127e0d9ede44945f196392e4 +SHA1 (patch-al) = 3168440d9e584a504b21802edb4dbeb58e87e8d2 +SHA1 (patch-am) = 50e46970b8eff07b931a34313d863e13af838440 +SHA1 (patch-an) = 1ffc3704bf925f87fb787c93f6f10d1b0c06bdd0 +SHA1 (patch-ao) = 0677e5f8a1a9a2f6b600789ff3fea627af472bc0 +SHA1 (patch-ap) = b006a1b49f19ab322fc179a1f2e4238807a64b87 +SHA1 (patch-aq) = 3786a41a974d6583f379350068a762a725b8334d +SHA1 (patch-ar) = 90f2534c0fb01f7909ee88c7849092a9e7882a7d +SHA1 (patch-as) = ecb23bc4c07d8ac7599b6f6576ad39bb4dcedbab +SHA1 (patch-at) = c6b85eb24279f18a430b86aeda3f8d2fa1c8d018 +SHA1 (patch-au) = 2a8926edfb65a8ecf7786411cee3d1723247764b +SHA1 (patch-av) = ef8fca98fad60cad4ba4197e8579544f37a4fcee diff --git a/security/openssh/patches/patch-aa b/security/openssh/patches/patch-aa index 049f4af140f..4a0e2273257 100644 --- a/security/openssh/patches/patch-aa +++ b/security/openssh/patches/patch-aa @@ -1,16 +1,44 @@ -$NetBSD: patch-aa,v 1.36 2004/08/31 11:27:11 wiz Exp $ +$NetBSD: patch-aa,v 1.37 2005/03/07 23:29:49 tv Exp $ ---- configure.orig 2004-08-17 14:54:53.000000000 +0200 +--- configure.orig 2004-08-17 08:54:53.000000000 -0400 +++ configure -@@ -6101,8 +6101,18 @@ _ACEOF +@@ -6101,8 +6101,46 @@ _ACEOF _ACEOF ;; + +*-*-interix3) -+ cat >>confdefs.h <<\EOF ++ cat >>confdefs.h <<\_ACEOF ++#define HAVE_INTERIX 1 ++_ACEOF ++ ++ cat >>confdefs.h <<\_ACEOF ++#define DISABLE_FD_PASSING 1 ++_ACEOF ++ ++ cat >>confdefs.h <<\_ACEOF ++#define DISABLE_SHADOW 1 ++_ACEOF ++ ++ cat >>confdefs.h <<\_ACEOF ++#define IP_TOS_IS_BROKEN 1 ++_ACEOF ++ ++ cat >>confdefs.h <<\_ACEOF +#define MISSING_HOWMANY 1 -+EOF ++_ACEOF ++ ++ cat >>confdefs.h <<\_ACEOF ++#define NO_IPPORT_RESERVED_CONCEPT 1 ++_ACEOF ++ ++ cat >>confdefs.h <<\_ACEOF ++#define SETGROUPS_NOOP 1 ++_ACEOF ++ ++ cat >>confdefs.h <<\_ACEOF ++#define USE_PIPES 1 ++_ACEOF + + ;; esac @@ -21,7 +49,7 @@ $NetBSD: patch-aa,v 1.36 2004/08/31 11:27:11 wiz Exp $ # Allow user to specify flags # Check whether --with-cflags or --without-cflags was given. -@@ -23790,12 +23800,19 @@ fi +@@ -23790,12 +23828,19 @@ fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext if test -z "$conf_utmpx_location"; then if test x"$system_utmpx_path" = x"no" ; then @@ -44,7 +72,7 @@ $NetBSD: patch-aa,v 1.36 2004/08/31 11:27:11 wiz Exp $ cat >>confdefs.h <<_ACEOF #define CONF_UTMPX_FILE "$conf_utmpx_location" _ACEOF -@@ -23864,12 +23881,20 @@ fi +@@ -23864,12 +23909,20 @@ fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext if test -z "$conf_wtmpx_location"; then if test x"$system_wtmpx_path" = x"no" ; then @@ -67,7 +95,7 @@ $NetBSD: patch-aa,v 1.36 2004/08/31 11:27:11 wiz Exp $ cat >>confdefs.h <<_ACEOF #define CONF_WTMPX_FILE "$conf_wtmpx_location" _ACEOF -@@ -25091,7 +25116,7 @@ echo "OpenSSH has been configured with t +@@ -25091,7 +25144,7 @@ echo "OpenSSH has been configured with t echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" diff --git a/security/openssh/patches/patch-ab b/security/openssh/patches/patch-ab index 804fdb5e562..6445d9f482a 100644 --- a/security/openssh/patches/patch-ab +++ b/security/openssh/patches/patch-ab @@ -1,14 +1,21 @@ -$NetBSD: patch-ab,v 1.19 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-ab,v 1.20 2005/03/07 23:29:49 tv Exp $ ---- configure.ac.orig 2004-08-16 15:12:06.000000000 +0200 +--- configure.ac.orig 2004-08-16 09:12:06.000000000 -0400 +++ configure.ac -@@ -469,8 +469,15 @@ mips-sony-bsd|mips-sony-newsos4) +@@ -469,8 +469,22 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(MISSING_HOWMANY) AC_DEFINE(MISSING_FD_MASK) ;; + -+*-*-interix3) ++*-*-interix3*) ++ AC_DEFINE(HAVE_INTERIX) ++ AC_DEFINE(DISABLE_FD_PASSING) ++ AC_DEFINE(DISABLE_SHADOW) ++ AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(MISSING_HOWMANY) ++ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) ++ AC_DEFINE(SETGROUPS_NOOP) ++ AC_DEFINE(USE_PIPES) + ;; esac @@ -18,7 +25,7 @@ $NetBSD: patch-ab,v 1.19 2004/08/31 11:27:12 wiz Exp $ # Allow user to specify flags AC_ARG_WITH(cflags, [ --with-cflags Specify additional flags to pass to compiler], -@@ -2885,9 +2892,17 @@ AC_TRY_COMPILE([ +@@ -2885,9 +2899,17 @@ AC_TRY_COMPILE([ ) if test -z "$conf_utmpx_location"; then if test x"$system_utmpx_path" = x"no" ; then @@ -38,7 +45,7 @@ $NetBSD: patch-ab,v 1.19 2004/08/31 11:27:12 wiz Exp $ AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location") fi -@@ -2910,9 +2925,17 @@ AC_TRY_COMPILE([ +@@ -2910,9 +2932,17 @@ AC_TRY_COMPILE([ ) if test -z "$conf_wtmpx_location"; then if test x"$system_wtmpx_path" = x"no" ; then @@ -58,7 +65,7 @@ $NetBSD: patch-ab,v 1.19 2004/08/31 11:27:12 wiz Exp $ AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location") fi -@@ -2953,7 +2976,7 @@ echo "OpenSSH has been configured with t +@@ -2953,7 +2983,7 @@ echo "OpenSSH has been configured with t echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" diff --git a/security/openssh/patches/patch-ac b/security/openssh/patches/patch-ac index 6c5f5618715..da61f89b83d 100644 --- a/security/openssh/patches/patch-ac +++ b/security/openssh/patches/patch-ac @@ -1,8 +1,35 @@ -$NetBSD: patch-ac,v 1.11 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-ac,v 1.12 2005/03/07 23:29:49 tv Exp $ ---- defines.h.orig 2004-06-22 05:27:16.000000000 +0200 +--- defines.h.orig 2004-06-21 23:27:16.000000000 -0400 +++ defines.h -@@ -591,6 +591,24 @@ struct winsize { +@@ -30,6 +30,15 @@ + + /* Constants */ + ++#ifdef HAVE_INTERIX ++/* Interix has a special concept of "administrator". */ ++# define ROOTUID 197108 ++# define ROOTGID 131616 ++#else ++# define ROOTUID 0 ++# define ROOTGID 0 ++#endif ++ + #ifndef SHUT_RDWR + enum + { +@@ -424,8 +433,8 @@ struct winsize { + # define __attribute__(x) + #endif /* !defined(__GNUC__) || (__GNUC__ < 2) */ + +-#ifndef __dead +-# define __dead __attribute__((noreturn)) ++#ifndef __noreturn ++# define __noreturn __attribute__((noreturn)) + #endif + + /* *-*-nto-qnx doesn't define this macro in the system headers */ +@@ -591,6 +600,24 @@ struct winsize { # endif # endif #endif diff --git a/security/openssh/patches/patch-ad b/security/openssh/patches/patch-ad index cf79d713caa..8b84bf78efa 100644 --- a/security/openssh/patches/patch-ad +++ b/security/openssh/patches/patch-ad @@ -1,7 +1,18 @@ -$NetBSD: patch-ad,v 1.8 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-ad,v 1.9 2005/03/07 23:29:49 tv Exp $ ---- loginrec.c.orig 2004-08-15 11:12:52.000000000 +0200 +--- loginrec.c.orig 2004-08-15 05:12:52.000000000 -0400 +++ loginrec.c +@@ -406,8 +406,8 @@ login_set_addr(struct logininfo *li, con + int + login_write (struct logininfo *li) + { +-#ifndef HAVE_CYGWIN +- if ((int)geteuid() != 0) { ++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX) ++ if ((int)geteuid() != ROOTUID) { + logit("Attempt to write login records by non-root user (aborting)"); + return 1; + } @@ -415,7 +415,7 @@ login_write (struct logininfo *li) /* set the timestamp */ diff --git a/security/openssh/patches/patch-ae b/security/openssh/patches/patch-ae index b21e674e7f9..73f0dd1010e 100644 --- a/security/openssh/patches/patch-ae +++ b/security/openssh/patches/patch-ae @@ -1,21 +1,15 @@ -$NetBSD: patch-ae,v 1.8 2004/08/04 06:43:52 minskim Exp $ +$NetBSD: patch-ae,v 1.9 2005/03/07 23:29:49 tv Exp $ ---- openbsd-compat/getrrsetbyname.h.orig Mon Jan 26 23:40:35 2004 -+++ openbsd-compat/getrrsetbyname.h -@@ -50,7 +50,7 @@ - - #include "includes.h" - --#ifndef HAVE_GETRRSETBYNAME -+#if !defined(HAVE_GETRRSETBYNAME) && !defined(__INTERIX) - - #include <sys/types.h> - #include <netinet/in.h> -@@ -105,6 +105,6 @@ struct rrsetinfo { - int getrrsetbyname(const char *, unsigned int, unsigned int, unsigned int, struct rrsetinfo **); - void freerrset(struct rrsetinfo *); - --#endif /* !defined(HAVE_GETRRSETBYNAME) */ -+#endif /* !defined(HAVE_GETRRSETBYNAME) && !defined(__INTERIX) */ - - #endif /* _GETRRSETBYNAME_H */ +--- includes.h.orig 2004-08-14 10:01:48.000000000 -0400 ++++ includes.h +@@ -163,6 +163,10 @@ static /**/const char *const rcsid[] = { + #ifdef HAVE_READPASSPHRASE_H + # include <readpassphrase.h> + #endif ++#ifdef HAVE_INTERIX ++# include <interix/env.h> ++# include <interix/security.h> ++#endif + + #ifdef HAVE_IA_H + # include <ia.h> diff --git a/security/openssh/patches/patch-af b/security/openssh/patches/patch-af index 40ea1821521..9bac212ffe2 100644 --- a/security/openssh/patches/patch-af +++ b/security/openssh/patches/patch-af @@ -1,17 +1,26 @@ -$NetBSD: patch-af,v 1.6 2004/08/04 06:43:52 minskim Exp $ +$NetBSD: patch-af,v 1.7 2005/03/07 23:29:50 tv Exp $ ---- dns.c.orig Fri Nov 21 06:48:55 2003 -+++ dns.c -@@ -28,6 +28,7 @@ +--- auth-passwd.c.orig 2004-06-21 23:37:11.000000000 -0400 ++++ auth-passwd.c +@@ -69,7 +69,7 @@ auth_password(Authctxt *authctxt, const + #endif - #include "includes.h" - -+#ifndef __INTERIX - #include <openssl/bn.h> - #ifdef LWRES - #include <lwres/netdb.h> -@@ -273,3 +274,4 @@ export_dns_rr(const char *hostname, cons - - return success; + #ifndef HAVE_CYGWIN +- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ++ if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES) + ok = 0; + #endif + if (*password == '\0' && options.permit_empty_passwd == 0) +@@ -106,8 +106,11 @@ auth_password(Authctxt *authctxt, const + } + } + #endif +- ++#ifdef HAVE_INTERIX ++ return (!setuser(pw->pw_name, password, SU_CHECK) && ok); ++#else + return (sys_auth_passwd(authctxt, password) && ok); ++#endif } -+#endif /* __INTERIX */ + + #ifdef BSD_AUTH diff --git a/security/openssh/patches/patch-ag b/security/openssh/patches/patch-ag index 0a09db12b05..3f9612122ad 100644 --- a/security/openssh/patches/patch-ag +++ b/security/openssh/patches/patch-ag @@ -1,14 +1,14 @@ -$NetBSD: patch-ag,v 1.5 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-ag,v 1.6 2005/03/07 23:29:50 tv Exp $ ---- readconf.c.orig 2004-07-17 08:12:08.000000000 +0200 -+++ readconf.c -@@ -187,7 +187,9 @@ static struct { - #endif - { "clearallforwardings", oClearAllForwardings }, - { "enablesshkeysign", oEnableSSHKeysign }, -+#ifndef __INTERIX - { "verifyhostkeydns", oVerifyHostKeyDNS }, -+#endif /* __INTERIX */ - { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, - { "rekeylimit", oRekeyLimit }, - { "connecttimeout", oConnectTimeout }, +--- config.h.in.orig 2004-08-17 08:54:51.000000000 -0400 ++++ config.h.in +@@ -116,6 +116,9 @@ + /* Define if you are on Cygwin */ + #undef HAVE_CYGWIN + ++/* Define if you are on Interix */ ++#undef HAVE_INTERIX ++ + /* Define if you have a broken realpath. */ + #undef BROKEN_REALPATH + diff --git a/security/openssh/patches/patch-ai b/security/openssh/patches/patch-ai index 0134551e3d1..cf833b8272d 100644 --- a/security/openssh/patches/patch-ai +++ b/security/openssh/patches/patch-ai @@ -1,19 +1,13 @@ -$NetBSD: patch-ai,v 1.6 2004/08/04 06:43:52 minskim Exp $ +$NetBSD: patch-ai,v 1.7 2005/03/07 23:29:50 tv Exp $ ---- dns.h.orig Mon Nov 17 04:19:29 2003 -+++ dns.h -@@ -31,6 +31,7 @@ - #ifndef DNS_H - #define DNS_H +--- openbsd-compat/bsd-misc.c.orig 2004-08-15 04:41:00.000000000 -0400 ++++ openbsd-compat/bsd-misc.c +@@ -122,7 +122,7 @@ int truncate(const char *path, off_t len + } + #endif /* HAVE_TRUNCATE */ -+#ifndef __INTERIX - enum sshfp_types { - SSHFP_KEY_RESERVED, - SSHFP_KEY_RSA, -@@ -52,5 +53,6 @@ enum sshfp_hashes { - - int verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *); - int export_dns_rr(const char *, const Key *, FILE *, int); -+#endif /* __INTERIX */ - - #endif /* DNS_H */ +-#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP) ++#if defined(SETGROUPS_NOOP) + /* + * Cygwin setgroups should be a noop. + */ diff --git a/security/openssh/patches/patch-aj b/security/openssh/patches/patch-aj index 03640845bd7..a76b5e4a3bc 100644 --- a/security/openssh/patches/patch-aj +++ b/security/openssh/patches/patch-aj @@ -1,42 +1,31 @@ -$NetBSD: patch-aj,v 1.5 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-aj,v 1.6 2005/03/07 23:29:50 tv Exp $ ---- ssh-keygen.c.orig 2004-07-17 08:12:08.000000000 +0200 -+++ ssh-keygen.c -@@ -622,6 +622,7 @@ do_change_passphrase(struct passwd *pw) - exit(0); - } +--- auth-rhosts.c.orig 2003-11-17 05:13:41.000000000 -0500 ++++ auth-rhosts.c +@@ -198,7 +198,7 @@ auth_rhosts2_raw(struct passwd *pw, cons + return 0; -+#ifndef __INTERIX - /* - * Print the SSHFP RR. - */ -@@ -651,6 +652,7 @@ do_print_resource_record(struct passwd * - printf("failed to read v2 public key from %s.\n", identity_file); - exit(1); - } -+#endif /* __INTERIX */ - - /* - * Change the comment of a private key file. -@@ -769,7 +771,9 @@ usage(void) - fprintf(stderr, " -C comment Provide new comment.\n"); - fprintf(stderr, " -N phrase Provide new passphrase.\n"); - fprintf(stderr, " -P phrase Provide old passphrase.\n"); -+#ifndef __INTERIX - fprintf(stderr, " -r hostname Print DNS resource record.\n"); -+#endif /* __INTERIX */ - #ifdef SMARTCARD - fprintf(stderr, " -D reader Download public key from smartcard.\n"); - fprintf(stderr, " -U reader Upload private key to smartcard.\n"); -@@ -957,7 +961,11 @@ main(int ac, char **av) - if (print_public) - do_print_public(pw); - if (resource_record_hostname != NULL) { -+#ifndef __INTERIX - do_print_resource_record(pw, resource_record_hostname); -+#else /* __INTERIX */ -+ fatal("no support for DNS."); -+#endif /* __INTERIX */ + /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ +- if (pw->pw_uid != 0) { ++ if (pw->pw_uid != ROOTUID) { + if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, + client_user, pw->pw_name)) { + auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", +@@ -224,7 +224,7 @@ auth_rhosts2_raw(struct passwd *pw, cons + return 0; } - if (reader_id != NULL) { - #ifdef SMARTCARD + if (options.strict_modes && +- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || ++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) || + (st.st_mode & 022) != 0)) { + logit("Rhosts authentication refused for %.100s: " + "bad ownership or modes for home directory.", pw->pw_name); +@@ -251,7 +251,7 @@ auth_rhosts2_raw(struct passwd *pw, cons + * allowing access to their account by anyone. + */ + if (options.strict_modes && +- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || ++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) || + (st.st_mode & 022) != 0)) { + logit("Rhosts authentication refused for %.100s: bad modes for %.200s", + pw->pw_name, buf); diff --git a/security/openssh/patches/patch-ak b/security/openssh/patches/patch-ak index 5630390e381..ae734c68bde 100644 --- a/security/openssh/patches/patch-ak +++ b/security/openssh/patches/patch-ak @@ -1,36 +1,31 @@ -$NetBSD: patch-ak,v 1.5 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-ak,v 1.6 2005/03/07 23:29:50 tv Exp $ ---- sshconnect.c.orig 2004-06-22 04:56:02.000000000 +0200 -+++ sshconnect.c -@@ -727,6 +727,7 @@ check_host_key(char *host, struct sockad - /* The default */ - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); - msg2[0] = '\0'; -+#ifndef __INTERIX - if (options.verify_host_key_dns) { - if (matching_host_key_dns) - snprintf(msg2, sizeof(msg2), -@@ -737,6 +738,7 @@ check_host_key(char *host, struct sockad - "No matching host key fingerprint" - " found in DNS.\n"); - } -+#endif /* __INTERIX */ - snprintf(msg, sizeof(msg), - "The authenticity of host '%.200s (%s)' can't be " - "established%s\n" -@@ -894,6 +896,7 @@ verify_host_key(char *host, struct socka - struct stat st; - int flags = 0; +--- auth.c.orig 2004-08-12 08:40:25.000000000 -0400 ++++ auth.c +@@ -356,7 +356,7 @@ check_key_in_hostfiles(struct passwd *pw + user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); + if (options.strict_modes && + (stat(user_hostfile, &st) == 0) && +- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || ++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) || + (st.st_mode & 022) != 0)) { + logit("Authentication refused for %.100s: " + "bad owner or modes for %.200s", +@@ -409,7 +409,7 @@ secure_filename(FILE *f, const char *fil -+#ifndef __INTERIX - if (options.verify_host_key_dns && - verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { + /* check the open file to avoid races */ + if (fstat(fileno(f), &st) < 0 || +- (st.st_uid != 0 && st.st_uid != uid) || ++ (st.st_uid != ROOTUID && st.st_uid != uid) || + (st.st_mode & 022) != 0) { + snprintf(err, errlen, "bad ownership or modes for file %s", + buf); +@@ -426,7 +426,7 @@ secure_filename(FILE *f, const char *fil -@@ -913,6 +916,7 @@ verify_host_key(char *host, struct socka - } - } - } -+#endif /* !defined(__INTERIX) */ - - /* return ok if the key can be found in an old keyfile */ - if (stat(options.system_hostfile2, &st) == 0 || + debug3("secure_filename: checking '%s'", buf); + if (stat(buf, &st) < 0 || +- (st.st_uid != 0 && st.st_uid != uid) || ++ (st.st_uid != ROOTUID && st.st_uid != uid) || + (st.st_mode & 022) != 0) { + snprintf(err, errlen, + "bad ownership or modes for directory %s", buf); diff --git a/security/openssh/patches/patch-al b/security/openssh/patches/patch-al index 32d4b2cc34c..36c66fb9415 100644 --- a/security/openssh/patches/patch-al +++ b/security/openssh/patches/patch-al @@ -1,19 +1,24 @@ -$NetBSD: patch-al,v 1.4 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-al,v 1.5 2005/03/07 23:29:50 tv Exp $ ---- openbsd-compat/getrrsetbyname.c.orig 2004-05-13 12:24:10.000000000 +0200 -+++ openbsd-compat/getrrsetbyname.c -@@ -47,7 +47,7 @@ - - #include "includes.h" - --#ifndef HAVE_GETRRSETBYNAME -+#if !defined(HAVE_GETRRSETBYNAME) && !defined(__INTERIX) - - #include "getrrsetbyname.h" - -@@ -578,4 +578,4 @@ count_dns_rr(struct dns_rr *p, u_int16_t - return (n); - } - --#endif /* !defined(HAVE_GETRRSETBYNAME) */ -+#endif /* !defined(HAVE_GETRRSETBYNAME) && !defined(__INTERIX) */ +--- auth1.c.orig 2004-08-12 08:40:25.000000000 -0400 ++++ auth1.c +@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt) + } + #else + /* Special handling for root */ +- if (authenticated && authctxt->pw->pw_uid == 0 && ++ if (authenticated && authctxt->pw->pw_uid == ROOTUID && + !auth_root_allowed(get_authname(type))) + authenticated = 0; + #endif +@@ -318,8 +318,8 @@ do_authentication(Authctxt *authctxt) + * If we are not running as root, the user must have the same uid as + * the server. (Unless you are running Windows) + */ +-#ifndef HAVE_CYGWIN +- if (!use_privsep && getuid() != 0 && authctxt->pw && ++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX) ++ if (!use_privsep && getuid() != ROOTUID && authctxt->pw && + authctxt->pw->pw_uid != getuid()) + packet_disconnect("Cannot change user when server not running as root."); + #endif diff --git a/security/openssh/patches/patch-am b/security/openssh/patches/patch-am index f2e658719df..6f6406678a9 100644 --- a/security/openssh/patches/patch-am +++ b/security/openssh/patches/patch-am @@ -1,13 +1,13 @@ -$NetBSD: patch-am,v 1.3 2004/08/04 06:43:52 minskim Exp $ +$NetBSD: patch-am,v 1.4 2005/03/07 23:29:50 tv Exp $ ---- openbsd-compat/inet_ntop.c.orig Sun Nov 23 20:33:34 2003 -+++ openbsd-compat/inet_ntop.c -@@ -35,7 +35,7 @@ static char rcsid[] = "$OpenBSD: inet_nt - #include <sys/socket.h> - #include <netinet/in.h> - #include <arpa/inet.h> --#ifndef HAVE_CYGWIN -+#if !defined(HAVE_CYGWIN) && !defined(__INTERIX) - #include <arpa/nameser.h> - #endif - #include <string.h> +--- auth2.c.orig 2004-08-12 08:40:25.000000000 -0400 ++++ auth2.c +@@ -211,7 +211,7 @@ userauth_finish(Authctxt *authctxt, int + authctxt->user); + + /* Special handling for root */ +- if (authenticated && authctxt->pw->pw_uid == 0 && ++ if (authenticated && authctxt->pw->pw_uid == ROOTUID && + !auth_root_allowed(method)) + authenticated = 0; + diff --git a/security/openssh/patches/patch-an b/security/openssh/patches/patch-an index b6f0eedc20c..42cabcf4d5e 100644 --- a/security/openssh/patches/patch-an +++ b/security/openssh/patches/patch-an @@ -1,52 +1,37 @@ -$NetBSD: patch-an,v 1.4 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-an,v 1.5 2005/03/07 23:29:50 tv Exp $ ---- sshd.c.orig 2004-08-12 15:08:15.000000000 +0200 -+++ sshd.c -@@ -52,6 +52,9 @@ RCSID("$OpenBSD: sshd.c,v 1.301 2004/08/ - #include <sys/security.h> - #include <prot.h> - #endif -+#ifdef __INTERIX -+#include <interix/security.h> -+#endif /* __INTERIX */ +--- scp.c.orig 2004-08-13 07:19:38.000000000 -0400 ++++ scp.c +@@ -294,7 +294,11 @@ main(int argc, char **argv) + argc -= optind; + argv += optind; - #include "ssh.h" - #include "ssh1.h" -@@ -579,10 +582,15 @@ privsep_preauth_child(void) - /* XXX not ready, too heavy after chroot */ - do_setusercontext(pw); - #else -+#ifdef __INTERIX -+ if (setuser(SSH_PRIVSEP_USER, NULL, SU_COMPLETE) != 0) -+ fatal("setuser: %s, %.100s", SSH_PRIVSEP_USER, strerror(errno)); -+#else /* __INTERIX */ - gidset[0] = pw->pw_gid; - if (setgroups(1, gidset) < 0) - fatal("setgroups: %.100s", strerror(errno)); - permanently_set_uid(pw); -+#endif /* __INTERIX */ - #endif - } - -@@ -911,8 +919,10 @@ main(int ac, char **av) - av = saved_argv; - #endif - -+#ifndef __INTERIX - if (geteuid() == 0 && setgroups(0, NULL) == -1) - debug("setgroups(): %.200s", strerror(errno)); ++#ifdef HAVE_INTERIX ++ if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL) ++#else + if ((pwd = getpwuid(userid = getuid())) == NULL) +#endif + fatal("unknown user %u", (u_int) userid); - /* Initialize configuration options to their default values. */ - initialize_server_options(&options); -@@ -1183,8 +1193,10 @@ main(int ac, char **av) - * to create a file, and we can't control the code in every - * module which might be used). - */ -+#ifndef __INTERIX - if (setgroups(0, NULL) < 0) - debug("setgroups() failed: %.200s", strerror(errno)); -+#endif /* __INTERIX */ - - if (rexec_flag) { - rexec_argv = xmalloc(sizeof(char *) * (rexec_argc + 2)); + if (!isatty(STDERR_FILENO)) +@@ -637,8 +641,10 @@ rsource(char *name, struct stat *statp) + return; + } + while ((dp = readdir(dirp)) != NULL) { ++#ifndef HAVE_INTERIX + if (dp->d_ino == 0) + continue; ++#endif + if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..")) + continue; + if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) { +@@ -1086,7 +1092,9 @@ okname(char *cp0) + case '\'': + case '"': + case '`': ++#ifndef HAVE_INTERIX + case ' ': ++#endif + case '#': + goto bad; + default: diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao index b2f1b372821..6b5c21c82fb 100644 --- a/security/openssh/patches/patch-ao +++ b/security/openssh/patches/patch-ao @@ -1,31 +1,85 @@ -$NetBSD: patch-ao,v 1.5 2004/08/04 06:43:53 minskim Exp $ +$NetBSD: patch-ao,v 1.6 2005/03/07 23:29:50 tv Exp $ ---- uidswap.c.orig Mon Feb 23 20:17:30 2004 -+++ uidswap.c -@@ -83,6 +83,7 @@ temporarily_use_uid(struct passwd *pw) - xfree(saved_egroups); +--- session.c.orig 2004-08-12 08:40:25.000000000 -0400 ++++ session.c +@@ -326,7 +326,7 @@ do_authenticated1(Authctxt *authctxt) + break; + } + debug("Received TCP/IP port forwarding request."); +- channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports); ++ channel_input_port_forward_request(s->pw->pw_uid == ROOTUID, options.gateway_ports); + success = 1; + break; + +@@ -921,7 +921,7 @@ read_etc_default_login(char ***env, u_in + if (tmpenv == NULL) + return; + +- if (uid == 0) ++ if (uid == ROOTUID) + var = child_get_env(tmpenv, "SUPATH"); + else + var = child_get_env(tmpenv, "PATH"); +@@ -1020,7 +1020,7 @@ do_setup_env(Session *s, const char *she + # endif /* HAVE_ETC_DEFAULT_LOGIN */ + if (path == NULL || *path == '\0') { + child_set_env(&env, &envsize, "PATH", +- s->pw->pw_uid == 0 ? ++ s->pw->pw_uid == ROOTUID ? + SUPERUSER_PATH : _PATH_STDPATH); + } + # endif /* HAVE_CYGWIN */ +@@ -1124,6 +1124,18 @@ do_setup_env(Session *s, const char *she + strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); + read_environment_file(&env, &envsize, buf); } ++ ++#ifdef HAVE_INTERIX ++ { ++ /* copy standard Windows environment, then apply changes */ ++ env_t *winenv = env_login(pw); ++ env_putarray(winenv, env, ENV_OVERRIDE); ++ ++ /* swap over to altered environment as a traditional array */ ++ env = env_array(winenv); ++ } ++#endif ++ + if (debug_flag) { + /* dump the environment */ + fprintf(stderr, "Environment:\n"); +@@ -1234,9 +1246,9 @@ do_nologin(struct passwd *pw) + void + do_setusercontext(struct passwd *pw) + { +-#ifndef HAVE_CYGWIN ++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX) + if (getuid() == 0 || geteuid() == 0) +-#endif /* HAVE_CYGWIN */ ++#endif /* !HAVE_CYGWIN && !HAVE_INTERIX */ + { -+#ifndef __INTERIX - /* set and save the user's groups */ - if (user_groupslen == -1) { - if (initgroups(pw->pw_name, pw->pw_gid) < 0) -@@ -105,6 +106,7 @@ temporarily_use_uid(struct passwd *pw) - /* Set the effective uid to the given (unprivileged) uid. */ - if (setgroups(user_groupslen, user_groups) < 0) - fatal("setgroups: %.100s", strerror(errno)); -+#endif /* __INTERIX */ - #ifndef SAVED_IDS_WORK_WITH_SETEUID - /* Propagate the privileged gid to all of our gids. */ - if (setgid(getegid()) < 0) -@@ -152,8 +154,10 @@ restore_uid(void) - setgid(getgid()); - #endif /* SAVED_IDS_WORK_WITH_SETEUID */ + #ifdef HAVE_SETPCRED +@@ -1271,11 +1283,13 @@ do_setusercontext(struct passwd *pw) + perror("setgid"); + exit(1); + } ++# if !defined(HAVE_INTERIX) + /* Initialize the group list. */ + if (initgroups(pw->pw_name, pw->pw_gid) < 0) { + perror("initgroups"); + exit(1); + } ++# endif /* !HAVE_INTERIX */ + endgrent(); + # ifdef USE_PAM + /* +@@ -1965,7 +1979,7 @@ session_pty_cleanup2(Session *s) + record_logout(s->pid, s->tty, s->pw->pw_name); -+#ifndef __INTERIX - if (setgroups(saved_egroupslen, saved_egroups) < 0) - fatal("setgroups: %.100s", strerror(errno)); -+#endif /* __INTERIX */ - temporarily_use_uid_effective = 0; - } + /* Release the pseudo-tty. */ +- if (getuid() == 0) ++ if (getuid() == ROOTUID) + pty_release(s->tty); + /* diff --git a/security/openssh/patches/patch-ap b/security/openssh/patches/patch-ap index a8ceb435302..cbaac523636 100644 --- a/security/openssh/patches/patch-ap +++ b/security/openssh/patches/patch-ap @@ -1,18 +1,13 @@ -$NetBSD: patch-ap,v 1.4 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-ap,v 1.5 2005/03/07 23:29:50 tv Exp $ ---- session.c.orig 2004-08-12 14:40:25.000000000 +0200 -+++ session.c -@@ -1271,11 +1271,13 @@ do_setusercontext(struct passwd *pw) - perror("setgid"); - exit(1); - } -+#ifndef __INTERIX - /* Initialize the group list. */ - if (initgroups(pw->pw_name, pw->pw_gid) < 0) { - perror("initgroups"); - exit(1); - } -+#endif /* __INTERIX */ - endgrent(); - # ifdef USE_PAM - /* +--- ssh.c.orig 2004-08-15 03:23:34.000000000 -0400 ++++ ssh.c +@@ -593,7 +593,7 @@ again: + /* Open a connection to the remote host. */ + if (ssh_connect(host, &hostaddr, options.port, + options.address_family, options.connection_attempts, +-#ifdef HAVE_CYGWIN ++#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX) + options.use_privileged_port, + #else + original_effective_uid == 0 && options.use_privileged_port, diff --git a/security/openssh/patches/patch-aq b/security/openssh/patches/patch-aq index 6624baba4d4..a92d3e287c9 100644 --- a/security/openssh/patches/patch-aq +++ b/security/openssh/patches/patch-aq @@ -1,13 +1,22 @@ -$NetBSD: patch-aq,v 1.4 2004/08/31 11:27:12 wiz Exp $ +$NetBSD: patch-aq,v 1.5 2005/03/07 23:29:50 tv Exp $ ---- packet.c.orig 2004-06-22 04:56:02.000000000 +0200 -+++ packet.c -@@ -1405,7 +1405,7 @@ packet_not_very_much_data_to_write(void) - static void - packet_set_tos(int interactive) +--- sshpty.c.orig 2004-06-21 22:56:02.000000000 -0400 ++++ sshpty.c +@@ -62,7 +62,7 @@ pty_allocate(int *ptyfd, int *ttyfd, cha + void + pty_release(const char *tty) { --#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) -+#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) && !defined(__INTERIX) - int tos = interactive ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT; - - if (!packet_connection_is_on_socket() || +- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0) ++ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0) + error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno)); + if (chmod(tty, (mode_t) 0666) < 0) + error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno)); +@@ -203,7 +203,7 @@ pty_setowner(struct passwd *pw, const ch + if (st.st_uid != pw->pw_uid || st.st_gid != gid) { + if (chown(tty, pw->pw_uid, gid) < 0) { + if (errno == EROFS && +- (st.st_uid == pw->pw_uid || st.st_uid == 0)) ++ (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID)) + debug("chown(%.100s, %u, %u) failed: %.100s", + tty, (u_int)pw->pw_uid, (u_int)gid, + strerror(errno)); diff --git a/security/openssh/patches/patch-ar b/security/openssh/patches/patch-ar index f5e3dfd5374..80862f82538 100644 --- a/security/openssh/patches/patch-ar +++ b/security/openssh/patches/patch-ar @@ -1,28 +1,50 @@ -$NetBSD: patch-ar,v 1.3 2004/11/04 12:46:33 markd Exp $ +$NetBSD: patch-ar,v 1.4 2005/03/07 23:29:50 tv Exp $ ---- includes.h.orig 2004-08-15 02:01:48.000000000 +1200 -+++ includes.h -@@ -176,11 +176,6 @@ static /**/const char *const rcsid[] = { - # include <libutil.h> /* Openpty on FreeBSD at least */ - #endif +--- uidswap.c.orig 2004-02-23 21:17:30.000000000 -0500 ++++ uidswap.c +@@ -56,12 +56,12 @@ temporarily_use_uid(struct passwd *pw) + debug("temporarily_use_uid: %u/%u (e=%u/%u)", + (u_int)pw->pw_uid, (u_int)pw->pw_gid, + (u_int)saved_euid, (u_int)saved_egid); +- if (saved_euid != 0) { ++ if (saved_euid != ROOTUID) { + privileged = 0; + return; + } + #else +- if (geteuid() != 0) { ++ if (geteuid() != ROOTUID) { + privileged = 0; + return; + } +@@ -85,9 +85,11 @@ temporarily_use_uid(struct passwd *pw) --#if defined(KRB5) && defined(USE_AFS) --# include <krb5.h> --# include <kafs.h> --#endif -- - /* - * On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations - * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here. -@@ -195,6 +190,11 @@ static /**/const char *const rcsid[] = { + /* set and save the user's groups */ + if (user_groupslen == -1) { ++#ifndef HAVE_INTERIX + if (initgroups(pw->pw_name, pw->pw_gid) < 0) + fatal("initgroups: %s: %.100s", pw->pw_name, + strerror(errno)); ++#endif - #include "defines.h" + user_groupslen = getgroups(0, NULL); + if (user_groupslen < 0) +@@ -172,6 +174,10 @@ permanently_set_uid(struct passwd *pw) + debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, + (u_int)pw->pw_gid); -+#if defined(KRB5) && defined(USE_AFS) -+# include <krb5.h> -+# include <kafs.h> -+#endif -+ - #include "version.h" - #include "openbsd-compat/openbsd-compat.h" - #include "openbsd-compat/bsd-nextstep.h" ++#if defined(HAVE_INTERIX) ++ if (setuser(pw->pw_name, NULL, SU_COMPLETE)) ++ fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); ++#else + #if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) + fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); +@@ -218,6 +224,7 @@ permanently_set_uid(struct passwd *pw) + (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) + fatal("%s: was able to restore old [e]uid", __func__); + #endif ++#endif /* HAVE_INTERIX */ + + /* Verify UID drop was successful */ + if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) { diff --git a/security/openssh/patches/patch-as b/security/openssh/patches/patch-as new file mode 100644 index 00000000000..f4e324659ad --- /dev/null +++ b/security/openssh/patches/patch-as @@ -0,0 +1,20 @@ +$NetBSD: patch-as,v 1.3 2005/03/07 23:29:50 tv Exp $ + +--- log.h.orig 2004-06-21 22:57:44.000000000 -0400 ++++ log.h +@@ -53,7 +53,7 @@ void log_init(char *, LogLevel, Sysl + SyslogFacility log_facility_number(char *); + LogLevel log_level_number(char *); + +-void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2))); ++void fatal(const char *, ...) __noreturn __attribute__((format(printf, 1, 2))); + void error(const char *, ...) __attribute__((format(printf, 1, 2))); + void logit(const char *, ...) __attribute__((format(printf, 1, 2))); + void verbose(const char *, ...) __attribute__((format(printf, 1, 2))); +@@ -62,5 +62,5 @@ void debug2(const char *, ...) __att + void debug3(const char *, ...) __attribute__((format(printf, 1, 2))); + + void do_log(LogLevel, const char *, va_list); +-void cleanup_exit(int) __dead; ++void cleanup_exit(int) __noreturn; + #endif diff --git a/security/openssh/patches/patch-at b/security/openssh/patches/patch-at new file mode 100644 index 00000000000..fc46d739006 --- /dev/null +++ b/security/openssh/patches/patch-at @@ -0,0 +1,16 @@ +$NetBSD: patch-at,v 1.1 2005/03/07 23:29:50 tv Exp $ + +--- servconf.c.orig 2004-08-13 07:30:24.000000000 -0400 ++++ servconf.c +@@ -233,7 +233,11 @@ fill_default_server_options(ServerOption + + /* Turn privilege separation on by default */ + if (use_privsep == -1) ++#ifdef HAVE_INTERIX ++ use_privsep = 0; ++#else + use_privsep = 1; ++#endif + + #ifndef HAVE_MMAP + if (use_privsep && options->compression == 1) { diff --git a/security/openssh/patches/patch-au b/security/openssh/patches/patch-au new file mode 100644 index 00000000000..1922e4baf54 --- /dev/null +++ b/security/openssh/patches/patch-au @@ -0,0 +1,22 @@ +$NetBSD: patch-au,v 1.1 2005/03/07 23:29:50 tv Exp $ + +--- openbsd-compat/bsd-openpty.c.orig 2004-02-17 00:49:55.000000000 -0500 ++++ openbsd-compat/bsd-openpty.c +@@ -102,7 +102,7 @@ openpty(int *amaster, int *aslave, char + return (-1); + } + +-#ifndef HAVE_CYGWIN ++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX) + /* + * Try to push the appropriate streams modules, as described + * in Solaris pts(7). +@@ -112,7 +112,7 @@ openpty(int *amaster, int *aslave, char + # ifndef __hpux + ioctl(*aslave, I_PUSH, "ttcompat"); + # endif /* __hpux */ +-#endif /* HAVE_CYGWIN */ ++#endif /* !HAVE_CYGWIN && !HAVE_INTERIX */ + + return (0); + diff --git a/security/openssh/patches/patch-av b/security/openssh/patches/patch-av new file mode 100644 index 00000000000..25a8a4a15a8 --- /dev/null +++ b/security/openssh/patches/patch-av @@ -0,0 +1,56 @@ +$NetBSD: patch-av,v 1.1 2005/03/07 23:29:50 tv Exp $ + +--- sshd.c.orig 2004-08-12 09:08:15.000000000 -0400 ++++ sshd.c +@@ -579,10 +579,15 @@ privsep_preauth_child(void) + /* XXX not ready, too heavy after chroot */ + do_setusercontext(pw); + #else ++#ifdef HAVE_INTERIX ++ if (setuser(pw->pw_name, NULL, SU_COMPLETE)) ++ fatal("setuser: %.100s", strerror(errno)); ++#else + gidset[0] = pw->pw_gid; + if (setgroups(1, gidset) < 0) + fatal("setgroups: %.100s", strerror(errno)); + permanently_set_uid(pw); ++#endif /* HAVE_INTERIX */ + #endif + } + +@@ -622,7 +627,7 @@ privsep_preauth(Authctxt *authctxt) + close(pmonitor->m_sendfd); + + /* Demote the child */ +- if (getuid() == 0 || geteuid() == 0) ++ if (getuid() == ROOTUID || geteuid() == ROOTUID) + privsep_preauth_child(); + setproctitle("%s", "[net]"); + } +@@ -635,7 +640,7 @@ privsep_postauth(Authctxt *authctxt) + #ifdef DISABLE_FD_PASSING + if (1) { + #else +- if (authctxt->pw->pw_uid == 0 || options.use_login) { ++ if (authctxt->pw->pw_uid == ROOTUID || options.use_login) { + #endif + /* File descriptor passing is broken or root login */ + monitor_apply_keystate(pmonitor); +@@ -911,7 +916,7 @@ main(int ac, char **av) + av = saved_argv; + #endif + +- if (geteuid() == 0 && setgroups(0, NULL) == -1) ++ if (geteuid() == ROOTUID && setgroups(0, NULL) == -1) + debug("setgroups(): %.200s", strerror(errno)); + + /* Initialize configuration options to their default values. */ +@@ -1166,7 +1171,7 @@ main(int ac, char **av) + (st.st_uid != getuid () || + (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) + #else +- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) ++ if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) + #endif + fatal("%s must be owned by root and not group or " + "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); |