-rw-r--r--security/openssh/Makefile26
-rw-r--r--security/openssh/PLIST3
-rw-r--r--security/openssh/distinfo15
-rw-r--r--security/openssh/files/org.openssh.sshd.sb.in23
-rw-r--r--security/openssh/patches/patch-auth2.c4
-rw-r--r--security/openssh/patches/patch-loginrec.c4
-rw-r--r--security/openssh/patches/patch-openbsd-compat_bsd-openpty.c4
-rw-r--r--security/openssh/patches/patch-sandbox-darwin.c23
-rw-r--r--security/openssh/patches/patch-sftp-common.c4
-rw-r--r--security/openssh/patches/patch-sshd.c29
-rw-r--r--security/openssh/patches/patch-uidswap.c4
11 files changed, 106 insertions, 33 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index c2e49ec1411..8f623ef7f06 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.234 2015/07/30 03:20:36 taca Exp $
+# $NetBSD: Makefile,v 1.235 2015/08/14 08:57:00 jperkin Exp $
DISTNAME= openssh-6.9p1
PKGNAME= openssh-6.9.1
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
@@ -140,7 +140,7 @@ CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
CONFS= ssh_config sshd_config moduli
-PLIST_VARS+= prng
+PLIST_VARS+= darwin prng
.if exists(/dev/urandom)
. if ${OPSYS} == "NetBSD"
@@ -153,7 +153,14 @@ PLIST.prng= yes
.endif
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
-CONF_FILES= # empty
+
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin= yes
+.endif
+
.for f in ${CONFS}
CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
.endfor
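Review bot: The comment `# enable privsep patches` above the Darwin block understates what it switches on: it installs a sandbox profile into ${PKG_SYSCONFDIR} and defines __APPLE_SANDBOX_NAMED_EXTERNAL__, which makes the pre-auth privsep child load that file at runtime and fatal() if sandbox_init rejects it (see patches/patch-sandbox-darwin.c in this commit). That makes org.openssh.sshd.sb as security-critical as sshd_config: a missing or malformed copy means every incoming connection is refused, which is the right fail-closed default but should be written down where an admin or the next maintainer will see it. Suggest replacing the comment with `# Darwin: sandbox the pre-auth privsep child with an external profile (see patch-sandbox-darwin.c).` followed by `# sshd refuses all connections if ${PKG_SYSCONFDIR}/org.openssh.sshd.sb is missing or malformed.`. Whether CONF_FILES handling will leave an admin-edited profile in place across package updates is presumably the intent here; confirm, since a stale profile and a newer patched sshd could disagree on what the child needs.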
@@ -166,9 +173,9 @@ FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q}
SUBST_CLASSES+= patch
SUBST_STAGE.patch= pre-configure
-SUBST_FILES.patch= session.c
+SUBST_FILES.patch= session.c sandbox-darwin.c
SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
-SUBST_MESSAGE.patch= More patch a file.
+SUBST_VARS.patch= PKG_SYSCONFDIR
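Review bot: Adding sandbox-darwin.c to SUBST_FILES.patch also applies the existing `s/0/ROOTUID/` sed to it, because SUBST_SED.patch is shared by every file in the class; it is a no-op today only because that sed is anchored on channel_input_port_forward_request, so the coupling is accidental rather than intended. A dedicated class keeps the @PKG_SYSCONFDIR@ substitution next to the one file that uses it: `SUBST_CLASSES+= sandbox`, `SUBST_FILES.sandbox= sandbox-darwin.c`, `SUBST_VARS.sandbox= PKG_SYSCONFDIR`. The substitution also runs on every OPSYS although only Darwin compiles that path, which is harmless but deserves a one-line comment so nobody "fixes" it later.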
.include "../../devel/zlib/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
@@ -189,6 +196,9 @@ post-configure:
${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
fi
+ ${SED} -e 's,@VARBASE@,${VARBASE:Q},g' \
+ < ${FILESDIR}/org.openssh.sshd.sb.in \
+ > ${WRKDIR}/org.openssh.sshd.sb
post-install:
${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
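Review bot: The post-configure sed that generates ${WRKDIR}/org.openssh.sshd.sb runs on every platform, while the matching post-install copy later in this commit is wrapped in `.if ${OPSYS} == "Darwin"`; the asymmetry is harmless but confusing to read. Wrapping these three lines in the same `.if ${OPSYS} == "Darwin"` / `.endif` guard makes the two halves visibly belong together. The `s,@VARBASE@,${VARBASE:Q},g` replacement also assumes VARBASE contains no `,` or `&`, which is a safe assumption for a pkgsrc path but worth a short comment.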
@@ -199,5 +209,9 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
${DESTDIR}${EGDIR}/sshd.pam
.endif
+.if ${OPSYS} == "Darwin"
+ ${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+ ${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
.include "../../mk/bsd.pkg.mk"
diff --git a/security/openssh/PLIST b/security/openssh/PLIST
index 6aa5f151cb7..ebe150ae24d 100644
--- a/security/openssh/PLIST
+++ b/security/openssh/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.16 2014/03/29 09:38:11 taca Exp $
+@comment $NetBSD: PLIST,v 1.17 2015/08/14 08:57:00 jperkin Exp $
bin/scp
bin/sftp
bin/slogin
@@ -28,6 +28,7 @@ man/man8/ssh-pkcs11-helper.8
man/man8/sshd.8
sbin/sshd
share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
share/examples/openssh/ssh_config
${PLIST.prng}share/examples/openssh/ssh_prng_cmds
${PLIST.pam}share/examples/openssh/sshd.pam
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index e0a13b26197..3a7fe49d531 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.94 2015/07/30 03:20:36 taca Exp $
+$NetBSD: distinfo,v 1.95 2015/08/14 08:57:00 jperkin Exp $
SHA1 (openssh-6.9p1-hpn-20150709.diff.gz) = a39571c1cdb13382631a1d9cfe89b82fb346c92c
RMD160 (openssh-6.9p1-hpn-20150709.diff.gz) = 8bb077e7ecbc7550386a050209e84d6f4d895788
@@ -12,23 +12,24 @@ SHA1 (patch-auth-rhosts.c) = 5752c384f1fd81ed6ef21707fa2b9743a3891987
SHA1 (patch-auth.c) = 80f1c5ad8ea01a3c9dedce4eef1b625640958450
SHA1 (patch-auth1.c) = 0bb4bc35e2ca2cd03c5596dadcd2ffb4329091a7
SHA1 (patch-auth2-chall.c) = 9edd679fc0a1d128786cea8939e804adb400c3c9
-SHA1 (patch-auth2.c) = 831139b9cdbd9b4d3429ea1aba176daf78be3405
+SHA1 (patch-auth2.c) = 8a939381f72968d74a7df508a072dfb10f400284
SHA1 (patch-channels.c) = 9ad160fd1c2c7fabbea3d49dacb36036d13adfaa
SHA1 (patch-clientloop.c) = 11d44815ec39030ae20cb75727acff8c8e91144e
SHA1 (patch-config.h.in) = 5df3b952565c054f39110b66012005087bba7219
SHA1 (patch-configure.ac) = 8df3e2793a9bbd9179c69286f5cfea763bac3eea
SHA1 (patch-defines.h) = ecb225b4319347d0bcc6a271c81b7042f4c18b02
SHA1 (patch-includes.h) = f3d502dc30e680889ed1c7cf4fa6ad8282e6cd4d
-SHA1 (patch-loginrec.c) = 111530a4895c8f88c464c7495cee0dba1952d9ce
-SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695
+SHA1 (patch-loginrec.c) = b06a236e9faf871e9eb102c52dd0f583bf096373
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 9ccde56bfcfe1791b367f933e51b25137acce960
SHA1 (patch-openbsd-compat_openbsd-compat.h) = da33ee063f0a45c3a5f165ee5ae96c3168890ef9
SHA1 (patch-openbsd-compat_port-tun.c) = 5a8c8a7d2381a4b9530593754afe0ae0dbe2c8f5
SHA1 (patch-platform.c) = 92d563030a6c7f8b1924b988e9a2565edfd8c3d6
+SHA1 (patch-sandbox-darwin.c) = a9255b1e8d52759506b61394de11050ea7ea25bb
SHA1 (patch-scp.c) = 0f11569d52ff813f42dd41fe315beab2af650dd0
SHA1 (patch-session.c) = 4e07cc45bc020d720f32788d7344d0213891969e
-SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd
+SHA1 (patch-sftp-common.c) = 72146d410f78b5e4e5efae51ca05b22039d64545
SHA1 (patch-ssh.c) = 25645adeaa67e04a98b75d04d1f016704aa84bca
SHA1 (patch-sshd.8) = 50154729a94aeaef17213d92979967b12d9c4e15
-SHA1 (patch-sshd.c) = f84fd4b4d299f75792f31d8967a1f9f6273ff06b
+SHA1 (patch-sshd.c) = d381db6d05067d0f28be8268847df97a0c8e9ba4
SHA1 (patch-sshpty.c) = f87451e49e39fe137c8876fae52110dc2569958a
-SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd
+SHA1 (patch-uidswap.c) = 875be63bb6d1a7dd8c3d1c008c85aa4bf37dfdc2
diff --git a/security/openssh/files/org.openssh.sshd.sb.in b/security/openssh/files/org.openssh.sshd.sb.in
new file mode 100644
index 00000000000..e060377c928
--- /dev/null
+++ b/security/openssh/files/org.openssh.sshd.sb.in
@@ -0,0 +1,23 @@
+;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+;;
+;; Copyright (c) 2008 Apple Inc. All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "@VARBASE@"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.logger"))
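Review bot: The profile has no note on why each rule exists, and the one that matters most is `(allow file-read-metadata (literal "@VARBASE@"))`: with `(deny default)` that literal covers VARBASE itself and nothing below it, yet the sshd.c change in this same commit applies the sandbox before privsep_preauth_child(), which still has to chroot(2) into the privsep directory afterwards. If that directory is not directly under ${VARBASE} (a custom --with-privsep-path, not visible here), the chroot may be denied and the pre-auth child will fatal on every connection; I cannot confirm the exact lookup semantics from here, so this should be verified on a real Darwin install. Suggest adding `;; Applied by the pre-auth privsep child BEFORE chroot()/uid drop (see patches/patch-sshd.c),` and `;; so it must permit chroot(2) into the privsep directory; @VARBASE@ is substituted at build time.` under the Apple warning. Keep Apple's SPI warning as is: the rule language and the SANDBOX_NAMED_EXTERNAL value used to load it are both undocumented.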
diff --git a/security/openssh/patches/patch-auth2.c b/security/openssh/patches/patch-auth2.c
index f54e65d7f2f..e43029ad95e 100644
--- a/security/openssh/patches/patch-auth2.c
+++ b/security/openssh/patches/patch-auth2.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth2.c,v 1.4 2015/07/09 16:14:23 taca Exp $
+$NetBSD: patch-auth2.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $
Replace uid 0 with ROOTUID macro
--- auth2.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth2.c
-@@ -302,7 +330,7 @@ userauth_finish(Authctxt *authctxt, int
+@@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int
fatal("INTERNAL ERROR: authenticated and postponed");
/* Special handling for root */
diff --git a/security/openssh/patches/patch-loginrec.c b/security/openssh/patches/patch-loginrec.c
index 11bf035bd68..7394d49310d 100644
--- a/security/openssh/patches/patch-loginrec.c
+++ b/security/openssh/patches/patch-loginrec.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-loginrec.c,v 1.3 2015/03/20 22:41:19 rodent Exp $
+$NetBSD: patch-loginrec.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $
Interix support and related fixes. Fix build on FreeBSD.
---- loginrec.c.orig 2014-01-17 01:23:24.000000000 +0000
+--- loginrec.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ loginrec.c
@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
int
diff --git a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
index 2d706e37602..e7438d52856 100644
--- a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
+++ b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.2 2015/08/14 08:57:00 jperkin Exp $
Interix support
---- openbsd-compat/bsd-openpty.c.orig 2006-08-24 09:52:30.000000000 +0000
+--- openbsd-compat/bsd-openpty.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ openbsd-compat/bsd-openpty.c
@@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char
return (-1);
diff --git a/security/openssh/patches/patch-sandbox-darwin.c b/security/openssh/patches/patch-sandbox-darwin.c
new file mode 100644
index 00000000000..c19da070152
--- /dev/null
+++ b/security/openssh/patches/patch-sandbox-darwin.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-sandbox-darwin.c,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+
+Support sandbox on newer OSX, from MacPorts.
+
+--- sandbox-darwin.c.orig 2015-07-01 02:35:31.000000000 +0000
++++ sandbox-darwin.c
+@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+ struct rlimit rl_zero;
+
+ debug3("%s: starting Darwin sandbox", __func__);
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++#ifndef SANDBOX_NAMED_EXTERNAL
++#define SANDBOX_NAMED_EXTERNAL (0x3)
++#endif
++ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
++ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
++#else
+ if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
+ &errmsg) == -1)
++#endif
+ fatal("%s: sandbox_init: %s", __func__, errmsg);
+
+ /*
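Review bot: `#define SANDBOX_NAMED_EXTERNAL (0x3)` is an undocumented private value taken from MacPorts (per the patch description), and the `== -1` check only catches outright failure; if a later OS X release were to map 0x3 to a different profile type, sandbox_init could succeed with a profile that is not the one intended, and nothing here would notice. Suggest a comment above the define: `/* Apple private interface (SPI): 0x3 = load profile from the given path. */` `/* Value from MacPorts; confirm against <sandbox.h> on each new OS X release. */`. The compile-time absolute path is the right choice, since the child has not chrooted or changed directory at this point; a short comment saying so would spare the next reader from re-deriving it.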
diff --git a/security/openssh/patches/patch-sftp-common.c b/security/openssh/patches/patch-sftp-common.c
index 80d7f87e721..c12b4fcf627 100644
--- a/security/openssh/patches/patch-sftp-common.c
+++ b/security/openssh/patches/patch-sftp-common.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-sftp-common.c,v 1.2 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-sftp-common.c,v 1.3 2015/08/14 08:57:00 jperkin Exp $
Include <unistd.h> for strmode(3).
---- sftp-common.c.orig 2014-01-09 23:40:45.000000000 +0000
+--- sftp-common.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ sftp-common.c
@@ -37,6 +37,9 @@
#include <string.h>
diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c
index 872b92dc08e..24a67203e2f 100644
--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,4 +1,4 @@
-$NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
+$NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $
* Interix support
* Revive tcp_wrappers support.
@@ -24,9 +24,9 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
/* variables used for privilege separation */
+#ifdef HAVE_INTERIX
- int use_privsep = -1;
-+#else
+int use_privsep = 0;
++#else
+ int use_privsep = -1;
+#endif
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
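Review bot: Neither the patch header nor an in-line comment records why Interix needs `int use_privsep = 0;` or what the previous arrangement did, so the next rebase can silently undo this again. If I read the nested markers correctly, the prior revision left upstream's `int use_privsep = -1;` under `#ifdef HAVE_INTERIX` and compiled `0` into every other platform, which, if -1 is upstream's "resolve from sshd_config" sentinel (not confirmable from here), would have started non-Interix builds with privilege separation forced off. Suggest `/* Interix: force privilege separation off (TODO: state why); every other platform keeps upstream's -1 */` on the define, plus a bullet in the patch description naming this change so the Makefile's "enable privsep patches" comment has something concrete to point at. The DISABLE_FD_PASSING check in the next hunk hints at the reason, but that is an inference.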
@@ -47,16 +47,27 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
#endif
}
-@@ -714,7 +730,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -714,11 +730,18 @@ privsep_preauth(Authctxt *authctxt)
set_log_handler(mm_log_handler, pmonitor);
/* Demote the child */
- if (getuid() == 0 || geteuid() == 0)
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++ /* We need to do this before we chroot() so we can read sshd.sb */
++ if (box != NULL)
++ ssh_sandbox_child(box);
++#endif
+ if (getuid() == ROOTUID || geteuid() == ROOTUID)
privsep_preauth_child();
setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
if (box != NULL)
-@@ -732,7 +748,7 @@ privsep_postauth(Authctxt *authctxt)
+ ssh_sandbox_child(box);
++#endif
+
+ return 0;
+ }
+@@ -732,7 +755,7 @@ privsep_postauth(Authctxt *authctxt)
#ifdef DISABLE_FD_PASSING
if (1) {
#else
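Review bot: Moving `ssh_sandbox_child(box)` ahead of the uid check under __APPLE_SANDBOX_NAMED_EXTERNAL__ changes what runs inside the sandbox: everything privsep_preauth_child() does (its body is outside this hunk: presumably the chroot into the privsep directory, setgroups and the uid drop) must now be permitted by the external profile, and must also survive whatever rlimit clamps the rest of ssh_sandbox_child applies after sandbox_init (its `rl_zero` declaration is visible as context in patch-sandbox-darwin.c). The shipped profile allows file-chroot and read-metadata on VARBASE, which presumably covers the chroot, but nothing verifies it and a mismatch shows up only as fatal() in every pre-auth child, i.e. sshd refusing all connections. The added comment should state why the order is safe, e.g. `/* Apply the external sandbox before chroot() so sshd.sb is still readable; */` `/* the profile must therefore permit chroot(2) and the privilege drop that follow. */`. The patch header (Interix support, tcp_wrappers) does not mention this reorder; add `* Darwin: apply the external sandbox profile before chroot (see patch-sandbox-darwin.c)`.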
@@ -65,7 +76,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
#endif
/* File descriptor passing is broken or root login */
use_privsep = 0;
-@@ -1485,8 +1501,10 @@ main(int ac, char **av)
+@@ -1485,8 +1508,10 @@ main(int ac, char **av)
av = saved_argv;
#endif
@@ -77,7 +88,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
-@@ -1915,7 +1933,7 @@ main(int ac, char **av)
+@@ -1915,7 +1940,7 @@ main(int ac, char **av)
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
@@ -86,7 +97,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1938,8 +1956,10 @@ main(int ac, char **av)
+@@ -1938,8 +1963,10 @@ main(int ac, char **av)
* to create a file, and we can't control the code in every
* module which might be used).
*/
@@ -97,7 +108,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
if (rexec_flag) {
rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-@@ -2135,6 +2155,25 @@ main(int ac, char **av)
+@@ -2135,6 +2162,25 @@ main(int ac, char **av)
audit_connection_from(remote_ip, remote_port);
#endif
diff --git a/security/openssh/patches/patch-uidswap.c b/security/openssh/patches/patch-uidswap.c
index d28e7300566..bb46fb9e080 100644
--- a/security/openssh/patches/patch-uidswap.c
+++ b/security/openssh/patches/patch-uidswap.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-uidswap.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-uidswap.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $
Interix support
---- uidswap.c.orig 2014-01-18 09:43:50.000000000 +0000
+--- uidswap.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ uidswap.c
@@ -67,13 +67,13 @@ temporarily_use_uid(struct passwd *pw)
(u_int)pw->pw_uid, (u_int)pw->pw_gid,