Diffstat (limited to 'security/openssh')
-rw-r--r--security/openssh/MESSAGE.Interix20
-rw-r--r--security/openssh/Makefile28
-rw-r--r--security/openssh/distinfo40
-rw-r--r--security/openssh/patches/patch-aa44
-rw-r--r--security/openssh/patches/patch-ab21
-rw-r--r--security/openssh/patches/patch-ac33
-rw-r--r--security/openssh/patches/patch-ad15
-rw-r--r--security/openssh/patches/patch-ae34
-rw-r--r--security/openssh/patches/patch-af37
-rw-r--r--security/openssh/patches/patch-ag26
-rw-r--r--security/openssh/patches/patch-ai28
-rw-r--r--security/openssh/patches/patch-aj67
-rw-r--r--security/openssh/patches/patch-ak61
-rw-r--r--security/openssh/patches/patch-al41
-rw-r--r--security/openssh/patches/patch-am24
-rw-r--r--security/openssh/patches/patch-an81
-rw-r--r--security/openssh/patches/patch-ao106
-rw-r--r--security/openssh/patches/patch-ap29
-rw-r--r--security/openssh/patches/patch-aq31
-rw-r--r--security/openssh/patches/patch-ar70
-rw-r--r--security/openssh/patches/patch-as20
-rw-r--r--security/openssh/patches/patch-at16
-rw-r--r--security/openssh/patches/patch-au22
-rw-r--r--security/openssh/patches/patch-av56
24 files changed, 613 insertions, 337 deletions
diff --git a/security/openssh/MESSAGE.Interix b/security/openssh/MESSAGE.Interix
new file mode 100644
index 00000000000..ee57d65d24d
--- /dev/null
+++ b/security/openssh/MESSAGE.Interix
@@ -0,0 +1,20 @@
+===========================================================================
+$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
+
+OpenSSH on Interix has some important caveats:
+
+* Hostname resolution uses the BIND resolver library rather than Windows
+ native lookup services. This requires that /etc/resolv.conf be set up
+ properly with a "nameserver" line; see resolv.conf(5). In most
+ installations, this was generated automatically when Services for UNIX
+ was installed (based on the name server in use at that time).
+
+* Currently, UsePrivilegeSeparation does not work properly, so it defaults
+ to "no" on Interix.
+
+* Network drives and encrypted local files may not be accessible after
+ logging in through sshd thanks to the way the Windows security API works.
+ A workaround is to "exec su USERNAME" after logging in, which will use
+ the password to create a proper Windows access credential key.
+
+===========================================================================
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index c18345ae0ac..5bdd2f705ab 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.146 2004/12/28 02:47:49 reed Exp $
+# $NetBSD: Makefile,v 1.147 2005/03/07 23:29:49 tv Exp $
DISTNAME= openssh-3.9p1
PKGNAME= openssh-3.9.1
-PKGREVISION= 4
+PKGREVISION= 5
SVR4_PKGNAME= ossh
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
@@ -34,11 +34,26 @@ BUILD_DEFS+= USE_INET6
INSTALL_TARGET= install-nokeys
PLIST_SRC= # empty
-MESSAGE_SRC= ${.CURDIR}/MESSAGE
+.if ${OPSYS} == "Interix"
+
+# normal MESSAGE does not apply, as privsep is not in use
+MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind /usr/local/lib/bind
+CONFIGURE_ENV+= ac_cv_func_openpty=no
+CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
+CPPFLAGS+= -I/usr/local/include/bind
+LDFLAGS+= -L/usr/local/lib/bind
+LIBS+= -lbind -ldb -lcrypt
+
+.else # not Interix
+
+MESSAGE_SRC= ${.CURDIR}/MESSAGE
PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}:${OPENSSH_UID}:sshd\\ privsep:${OPENSSH_CHROOT}:${NOLOGIN}
PKG_GROUPS= ${OPENSSH_GROUP}:${OPENSSH_GID}
+.endif
+
SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
PKG_SYSCONFSUBDIR= ssh
@@ -55,8 +70,11 @@ CONFIGURE_ARGS+= --mandir=${PREFIX}/${MANDIR}
CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR}
CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE}
CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+
+.if ${OPSYS} != "Interix"
CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT}
CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
+.endif
# the openssh configure script finds and uses ${LD} if defined and
# defaults to ${CC} if not. we override LD here, since running the
@@ -64,10 +82,6 @@ CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
#
CONFIGURE_ENV+= LD=${CC:Q}
-.if ${OPSYS} == "Interix"
-CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
-.endif
-
# Enable S/Key support on NetBSD, Darwin, and Solaris.
.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
. include "../../security/skey/buildlink3.mk"
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index e3c62982bba..caef957a381 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,25 +1,29 @@
-$NetBSD: distinfo,v 1.38 2005/02/24 13:10:08 agc Exp $
+$NetBSD: distinfo,v 1.39 2005/03/07 23:29:49 tv Exp $
SHA1 (openssh-3.9p1.tar.gz) = 80b19d83a9d4717f5c38b2d950501e1471f60afc
RMD160 (openssh-3.9p1.tar.gz) = e4abf280a18e3ae046d0dee19dab919bba8e5568
Size (openssh-3.9p1.tar.gz) = 854027 bytes
SHA1 (openssh-3.9p1-hpn.diff) = 1821c590b9b5effa3750ebf0166fe3f22d00faad
Size (openssh-3.9p1-hpn.diff) = 8387 bytes
-SHA1 (patch-aa) = 5d0b1cf5cf92e0d314e6458b225074a73f35f857
-SHA1 (patch-ab) = 662440f96d38e43b0c8de7bef260f82d8b7ab737
-SHA1 (patch-ac) = 3ad72f42b066ef1f48e276bccd438da2d6fde980
-SHA1 (patch-ad) = 6a0c4edd2217f22f7c9622fb38124287e93c5fc8
-SHA1 (patch-ae) = fece020b1c2432f4ac5b62104be808aa3f70ea22
-SHA1 (patch-af) = 444fadaafdb45adc1008cbf106cd28c075700616
-SHA1 (patch-ag) = d0c93842739da39b588acdb0449a2562e05497d3
+SHA1 (patch-aa) = 6bceb5b0480727c6c4e0cf662fa85cffebf91bdb
+SHA1 (patch-ab) = f43a6b627a4f2b8ecd74b016ce29b5f8091d877e
+SHA1 (patch-ac) = d851513c2a115358671bf9efafab1e3ee9166088
+SHA1 (patch-ad) = 9f862bc0bdcb7285ffaf2b7f2685e363ff8daba3
+SHA1 (patch-ae) = d7bcee7a84457c96951c3da82aa689fa818a07b6
+SHA1 (patch-af) = ec6b439a3a4a0d2e5b13685c4d94deb26bbece45
+SHA1 (patch-ag) = dbdbefa00b2ec7e6ee3cf4441d1fc817ecefc742
SHA1 (patch-ah) = 85a8f0fa5ddf13f8342faaff6bf81fcd3ad6648a
-SHA1 (patch-ai) = da31e53b3ccbef24abc6418ee466f1e43fdd7447
-SHA1 (patch-aj) = ea07f23e66863e78bbe2cfced747795cb6c2f7ba
-SHA1 (patch-ak) = fe65dbf8771f6515d32ed994723b979f8e3211d6
-SHA1 (patch-al) = 5a0aed20f0c75b5bbcf4abce1e50d1ced3990ca7
-SHA1 (patch-am) = a88eb34b83789453b8e212b14f33d8e98d153667
-SHA1 (patch-an) = 4694cd36c85d76fe42411600a482dcfa1421f704
-SHA1 (patch-ao) = 00750c5f80bced34c54558cbd5ad3b96384e0d00
-SHA1 (patch-ap) = ba0a85060632dfa3939b7316f0acecfa3100082d
-SHA1 (patch-aq) = ee466164b653f521445884e119627f4927fabbe0
-SHA1 (patch-ar) = 1c551d1459cd690a2d5c5383a2b1726707df9134
+SHA1 (patch-ai) = ccc43f0523bf2b0e28d7e169eda59b1ff1a2215b
+SHA1 (patch-aj) = 44f2b11949a4dea6a8760b8397db5360b64bf01f
+SHA1 (patch-ak) = 6140fe665aa84ab8127e0d9ede44945f196392e4
+SHA1 (patch-al) = 3168440d9e584a504b21802edb4dbeb58e87e8d2
+SHA1 (patch-am) = 50e46970b8eff07b931a34313d863e13af838440
+SHA1 (patch-an) = 1ffc3704bf925f87fb787c93f6f10d1b0c06bdd0
+SHA1 (patch-ao) = 0677e5f8a1a9a2f6b600789ff3fea627af472bc0
+SHA1 (patch-ap) = b006a1b49f19ab322fc179a1f2e4238807a64b87
+SHA1 (patch-aq) = 3786a41a974d6583f379350068a762a725b8334d
+SHA1 (patch-ar) = 90f2534c0fb01f7909ee88c7849092a9e7882a7d
+SHA1 (patch-as) = ecb23bc4c07d8ac7599b6f6576ad39bb4dcedbab
+SHA1 (patch-at) = c6b85eb24279f18a430b86aeda3f8d2fa1c8d018
+SHA1 (patch-au) = 2a8926edfb65a8ecf7786411cee3d1723247764b
+SHA1 (patch-av) = ef8fca98fad60cad4ba4197e8579544f37a4fcee
diff --git a/security/openssh/patches/patch-aa b/security/openssh/patches/patch-aa
index 049f4af140f..4a0e2273257 100644
--- a/security/openssh/patches/patch-aa
+++ b/security/openssh/patches/patch-aa
@@ -1,16 +1,44 @@
-$NetBSD: patch-aa,v 1.36 2004/08/31 11:27:11 wiz Exp $
+$NetBSD: patch-aa,v 1.37 2005/03/07 23:29:49 tv Exp $
---- configure.orig 2004-08-17 14:54:53.000000000 +0200
+--- configure.orig 2004-08-17 08:54:53.000000000 -0400
+++ configure
-@@ -6101,8 +6101,18 @@ _ACEOF
+@@ -6101,8 +6101,46 @@ _ACEOF
_ACEOF
;;
+
+*-*-interix3)
-+ cat >>confdefs.h <<\EOF
++ cat >>confdefs.h <<\_ACEOF
++#define HAVE_INTERIX 1
++_ACEOF
++
++ cat >>confdefs.h <<\_ACEOF
++#define DISABLE_FD_PASSING 1
++_ACEOF
++
++ cat >>confdefs.h <<\_ACEOF
++#define DISABLE_SHADOW 1
++_ACEOF
++
++ cat >>confdefs.h <<\_ACEOF
++#define IP_TOS_IS_BROKEN 1
++_ACEOF
++
++ cat >>confdefs.h <<\_ACEOF
+#define MISSING_HOWMANY 1
-+EOF
++_ACEOF
++
++ cat >>confdefs.h <<\_ACEOF
++#define NO_IPPORT_RESERVED_CONCEPT 1
++_ACEOF
++
++ cat >>confdefs.h <<\_ACEOF
++#define SETGROUPS_NOOP 1
++_ACEOF
++
++ cat >>confdefs.h <<\_ACEOF
++#define USE_PIPES 1
++_ACEOF
+
+ ;;
esac
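Review bot: The case label carried over unchanged in this configure patch is still `*-*-interix3)`, while the same commit widens the configure.ac label in patch-ab to `*-*-interix3*)`. If the host triplet carries a version suffix, the generated configure would skip this arm and define none of HAVE_INTERIX, DISABLE_SHADOW, SETGROUPS_NOOP or USE_PIPES. ROOTUID in defines.h would then silently fall back to 0, and auth-passwd.c would not take the setuser() path. The label here should read `*-*-interix3*)` so that configure and configure.ac agree.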
@@ -21,7 +49,7 @@ $NetBSD: patch-aa,v 1.36 2004/08/31 11:27:11 wiz Exp $
# Allow user to specify flags
# Check whether --with-cflags or --without-cflags was given.
-@@ -23790,12 +23800,19 @@ fi
+@@ -23790,12 +23828,19 @@ fi
rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
if test -z "$conf_utmpx_location"; then
if test x"$system_utmpx_path" = x"no" ; then
@@ -44,7 +72,7 @@ $NetBSD: patch-aa,v 1.36 2004/08/31 11:27:11 wiz Exp $
cat >>confdefs.h <<_ACEOF
#define CONF_UTMPX_FILE "$conf_utmpx_location"
_ACEOF
-@@ -23864,12 +23881,20 @@ fi
+@@ -23864,12 +23909,20 @@ fi
rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -67,7 +95,7 @@ $NetBSD: patch-aa,v 1.36 2004/08/31 11:27:11 wiz Exp $
cat >>confdefs.h <<_ACEOF
#define CONF_WTMPX_FILE "$conf_wtmpx_location"
_ACEOF
-@@ -25091,7 +25116,7 @@ echo "OpenSSH has been configured with t
+@@ -25091,7 +25144,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
diff --git a/security/openssh/patches/patch-ab b/security/openssh/patches/patch-ab
index 804fdb5e562..6445d9f482a 100644
--- a/security/openssh/patches/patch-ab
+++ b/security/openssh/patches/patch-ab
@@ -1,14 +1,21 @@
-$NetBSD: patch-ab,v 1.19 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-ab,v 1.20 2005/03/07 23:29:49 tv Exp $
---- configure.ac.orig 2004-08-16 15:12:06.000000000 +0200
+--- configure.ac.orig 2004-08-16 09:12:06.000000000 -0400
+++ configure.ac
-@@ -469,8 +469,15 @@ mips-sony-bsd|mips-sony-newsos4)
+@@ -469,8 +469,22 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(MISSING_HOWMANY)
AC_DEFINE(MISSING_FD_MASK)
;;
+
-+*-*-interix3)
++*-*-interix3*)
++ AC_DEFINE(HAVE_INTERIX)
++ AC_DEFINE(DISABLE_FD_PASSING)
++ AC_DEFINE(DISABLE_SHADOW)
++ AC_DEFINE(IP_TOS_IS_BROKEN)
+ AC_DEFINE(MISSING_HOWMANY)
++ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++ AC_DEFINE(SETGROUPS_NOOP)
++ AC_DEFINE(USE_PIPES)
+ ;;
esac
@@ -18,7 +25,7 @@ $NetBSD: patch-ab,v 1.19 2004/08/31 11:27:12 wiz Exp $
# Allow user to specify flags
AC_ARG_WITH(cflags,
[ --with-cflags Specify additional flags to pass to compiler],
-@@ -2885,9 +2892,17 @@ AC_TRY_COMPILE([
+@@ -2885,9 +2899,17 @@ AC_TRY_COMPILE([
)
if test -z "$conf_utmpx_location"; then
if test x"$system_utmpx_path" = x"no" ; then
@@ -38,7 +45,7 @@ $NetBSD: patch-ab,v 1.19 2004/08/31 11:27:12 wiz Exp $
AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location")
fi
-@@ -2910,9 +2925,17 @@ AC_TRY_COMPILE([
+@@ -2910,9 +2932,17 @@ AC_TRY_COMPILE([
)
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -58,7 +65,7 @@ $NetBSD: patch-ab,v 1.19 2004/08/31 11:27:12 wiz Exp $
AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location")
fi
-@@ -2953,7 +2976,7 @@ echo "OpenSSH has been configured with t
+@@ -2953,7 +2983,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
diff --git a/security/openssh/patches/patch-ac b/security/openssh/patches/patch-ac
index 6c5f5618715..da61f89b83d 100644
--- a/security/openssh/patches/patch-ac
+++ b/security/openssh/patches/patch-ac
@@ -1,8 +1,35 @@
-$NetBSD: patch-ac,v 1.11 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-ac,v 1.12 2005/03/07 23:29:49 tv Exp $
---- defines.h.orig 2004-06-22 05:27:16.000000000 +0200
+--- defines.h.orig 2004-06-21 23:27:16.000000000 -0400
+++ defines.h
-@@ -591,6 +591,24 @@ struct winsize {
+@@ -30,6 +30,15 @@
+
+ /* Constants */
+
++#ifdef HAVE_INTERIX
++/* Interix has a special concept of "administrator". */
++# define ROOTUID 197108
++# define ROOTGID 131616
++#else
++# define ROOTUID 0
++# define ROOTGID 0
++#endif
++
+ #ifndef SHUT_RDWR
+ enum
+ {
+@@ -424,8 +433,8 @@ struct winsize {
+ # define __attribute__(x)
+ #endif /* !defined(__GNUC__) || (__GNUC__ < 2) */
+
+-#ifndef __dead
+-# define __dead __attribute__((noreturn))
++#ifndef __noreturn
++# define __noreturn __attribute__((noreturn))
+ #endif
+
+ /* *-*-nto-qnx doesn't define this macro in the system headers */
+@@ -591,6 +600,24 @@ struct winsize {
# endif
# endif
#endif
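Review bot: `ROOTUID 197108` and `ROOTGID 131616` are bare magic numbers, and the only explanation is "special concept of administrator". Every root test this commit rewrites now keys on that single uid: the PermitRootLogin handling in auth-passwd.c, auth1.c and auth2.c, and the ownership checks in auth.c and auth-rhosts.c. Any other account holding administrative rights is therefore presumably treated as an ordinary user by those checks, which should be confirmed. I would extend the comment to something like `/* uid/gid Interix assigns to the local Administrator account and Administrators group; other admin-equivalent accounts do NOT match ROOTUID */`, adjusted to whatever the values actually map to.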
diff --git a/security/openssh/patches/patch-ad b/security/openssh/patches/patch-ad
index cf79d713caa..8b84bf78efa 100644
--- a/security/openssh/patches/patch-ad
+++ b/security/openssh/patches/patch-ad
@@ -1,7 +1,18 @@
-$NetBSD: patch-ad,v 1.8 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-ad,v 1.9 2005/03/07 23:29:49 tv Exp $
---- loginrec.c.orig 2004-08-15 11:12:52.000000000 +0200
+--- loginrec.c.orig 2004-08-15 05:12:52.000000000 -0400
+++ loginrec.c
+@@ -406,8 +406,8 @@ login_set_addr(struct logininfo *li, con
+ int
+ login_write (struct logininfo *li)
+ {
+-#ifndef HAVE_CYGWIN
+- if ((int)geteuid() != 0) {
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
++ if ((int)geteuid() != ROOTUID) {
+ logit("Attempt to write login records by non-root user (aborting)");
+ return 1;
+ }
@@ -415,7 +415,7 @@ login_write (struct logininfo *li)
/* set the timestamp */
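Review bot: With the guard changed to `#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)`, the non-root check in login_write() is compiled out on Interix, so the `ROOTUID` substitution inside it only ever evaluates to 0. Login-record writes on Interix are then limited only by the permissions on the record files. If that is intended, a comment such as `/* Interix: no euid check; access to the login record files is enforced by their ACLs */` would state the assumption. The same compiled-out pattern appears in do_authentication() in patch-al (auth1.c), where the "Cannot change user when server not running as root" check also disappears on Interix. login_write's body continues outside the hunk.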
diff --git a/security/openssh/patches/patch-ae b/security/openssh/patches/patch-ae
index b21e674e7f9..73f0dd1010e 100644
--- a/security/openssh/patches/patch-ae
+++ b/security/openssh/patches/patch-ae
@@ -1,21 +1,15 @@
-$NetBSD: patch-ae,v 1.8 2004/08/04 06:43:52 minskim Exp $
+$NetBSD: patch-ae,v 1.9 2005/03/07 23:29:49 tv Exp $
---- openbsd-compat/getrrsetbyname.h.orig Mon Jan 26 23:40:35 2004
-+++ openbsd-compat/getrrsetbyname.h
-@@ -50,7 +50,7 @@
-
- #include "includes.h"
-
--#ifndef HAVE_GETRRSETBYNAME
-+#if !defined(HAVE_GETRRSETBYNAME) && !defined(__INTERIX)
-
- #include <sys/types.h>
- #include <netinet/in.h>
-@@ -105,6 +105,6 @@ struct rrsetinfo {
- int getrrsetbyname(const char *, unsigned int, unsigned int, unsigned int, struct rrsetinfo **);
- void freerrset(struct rrsetinfo *);
-
--#endif /* !defined(HAVE_GETRRSETBYNAME) */
-+#endif /* !defined(HAVE_GETRRSETBYNAME) && !defined(__INTERIX) */
-
- #endif /* _GETRRSETBYNAME_H */
+--- includes.h.orig 2004-08-14 10:01:48.000000000 -0400
++++ includes.h
+@@ -163,6 +163,10 @@ static /**/const char *const rcsid[] = {
+ #ifdef HAVE_READPASSPHRASE_H
+ # include <readpassphrase.h>
+ #endif
++#ifdef HAVE_INTERIX
++# include <interix/env.h>
++# include <interix/security.h>
++#endif
+
+ #ifdef HAVE_IA_H
+ # include <ia.h>
diff --git a/security/openssh/patches/patch-af b/security/openssh/patches/patch-af
index 40ea1821521..9bac212ffe2 100644
--- a/security/openssh/patches/patch-af
+++ b/security/openssh/patches/patch-af
@@ -1,17 +1,26 @@
-$NetBSD: patch-af,v 1.6 2004/08/04 06:43:52 minskim Exp $
+$NetBSD: patch-af,v 1.7 2005/03/07 23:29:50 tv Exp $
---- dns.c.orig Fri Nov 21 06:48:55 2003
-+++ dns.c
-@@ -28,6 +28,7 @@
+--- auth-passwd.c.orig 2004-06-21 23:37:11.000000000 -0400
++++ auth-passwd.c
+@@ -69,7 +69,7 @@ auth_password(Authctxt *authctxt, const
+ #endif
- #include "includes.h"
-
-+#ifndef __INTERIX
- #include <openssl/bn.h>
- #ifdef LWRES
- #include <lwres/netdb.h>
-@@ -273,3 +274,4 @@ export_dns_rr(const char *hostname, cons
-
- return success;
+ #ifndef HAVE_CYGWIN
+- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
++ if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
+ ok = 0;
+ #endif
+ if (*password == '\0' && options.permit_empty_passwd == 0)
+@@ -106,8 +106,11 @@ auth_password(Authctxt *authctxt, const
+ }
+ }
+ #endif
+-
++#ifdef HAVE_INTERIX
++ return (!setuser(pw->pw_name, password, SU_CHECK) && ok);
++#else
+ return (sys_auth_passwd(authctxt, password) && ok);
++#endif
}
-+#endif /* __INTERIX */
+
+ #ifdef BSD_AUTH
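Review bot: The Interix return `!setuser(pw->pw_name, password, SU_CHECK) && ok` replaces sys_auth_passwd() without a comment, and the negation hides that setuser() is used purely as a credential check whose success value is 0 (inferred from the `!`). I would add `/* Interix: verify the password against the Windows account; setuser() returns 0 on success, and SU_CHECK is expected not to switch identity */` above it, once the SU_CHECK semantics are confirmed. It is also worth confirming that the account states sys_auth_passwd() would have rejected (locked or expired accounts) are still refused on this path. auth_password's body starts outside the hunk.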
diff --git a/security/openssh/patches/patch-ag b/security/openssh/patches/patch-ag
index 0a09db12b05..3f9612122ad 100644
--- a/security/openssh/patches/patch-ag
+++ b/security/openssh/patches/patch-ag
@@ -1,14 +1,14 @@
-$NetBSD: patch-ag,v 1.5 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-ag,v 1.6 2005/03/07 23:29:50 tv Exp $
---- readconf.c.orig 2004-07-17 08:12:08.000000000 +0200
-+++ readconf.c
-@@ -187,7 +187,9 @@ static struct {
- #endif
- { "clearallforwardings", oClearAllForwardings },
- { "enablesshkeysign", oEnableSSHKeysign },
-+#ifndef __INTERIX
- { "verifyhostkeydns", oVerifyHostKeyDNS },
-+#endif /* __INTERIX */
- { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
- { "rekeylimit", oRekeyLimit },
- { "connecttimeout", oConnectTimeout },
+--- config.h.in.orig 2004-08-17 08:54:51.000000000 -0400
++++ config.h.in
+@@ -116,6 +116,9 @@
+ /* Define if you are on Cygwin */
+ #undef HAVE_CYGWIN
+
++/* Define if you are on Interix */
++#undef HAVE_INTERIX
++
+ /* Define if you have a broken realpath. */
+ #undef BROKEN_REALPATH
+
diff --git a/security/openssh/patches/patch-ai b/security/openssh/patches/patch-ai
index 0134551e3d1..cf833b8272d 100644
--- a/security/openssh/patches/patch-ai
+++ b/security/openssh/patches/patch-ai
@@ -1,19 +1,13 @@
-$NetBSD: patch-ai,v 1.6 2004/08/04 06:43:52 minskim Exp $
+$NetBSD: patch-ai,v 1.7 2005/03/07 23:29:50 tv Exp $
---- dns.h.orig Mon Nov 17 04:19:29 2003
-+++ dns.h
-@@ -31,6 +31,7 @@
- #ifndef DNS_H
- #define DNS_H
+--- openbsd-compat/bsd-misc.c.orig 2004-08-15 04:41:00.000000000 -0400
++++ openbsd-compat/bsd-misc.c
+@@ -122,7 +122,7 @@ int truncate(const char *path, off_t len
+ }
+ #endif /* HAVE_TRUNCATE */
-+#ifndef __INTERIX
- enum sshfp_types {
- SSHFP_KEY_RESERVED,
- SSHFP_KEY_RSA,
-@@ -52,5 +53,6 @@ enum sshfp_hashes {
-
- int verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *);
- int export_dns_rr(const char *, const Key *, FILE *, int);
-+#endif /* __INTERIX */
-
- #endif /* DNS_H */
+-#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP)
++#if defined(SETGROUPS_NOOP)
+ /*
+ * Cygwin setgroups should be a noop.
+ */
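Review bot: Dropping `!defined(HAVE_SETGROUPS)` compiles the stub whenever SETGROUPS_NOOP is set, even if the platform's libc already provides setgroups(), and the comment above it still mentions only Cygwin. The stub body is outside the hunk, but if it reports success without changing anything, callers that clear supplementary groups before dropping privileges will believe they succeeded. The comment should say so explicitly, e.g. `/* Cygwin and Interix: setgroups is a no-op that reports success; supplementary groups are NOT changed */`. It should also name the mechanism that constrains group membership on these platforms.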
diff --git a/security/openssh/patches/patch-aj b/security/openssh/patches/patch-aj
index 03640845bd7..a76b5e4a3bc 100644
--- a/security/openssh/patches/patch-aj
+++ b/security/openssh/patches/patch-aj
@@ -1,42 +1,31 @@
-$NetBSD: patch-aj,v 1.5 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-aj,v 1.6 2005/03/07 23:29:50 tv Exp $
---- ssh-keygen.c.orig 2004-07-17 08:12:08.000000000 +0200
-+++ ssh-keygen.c
-@@ -622,6 +622,7 @@ do_change_passphrase(struct passwd *pw)
- exit(0);
- }
+--- auth-rhosts.c.orig 2003-11-17 05:13:41.000000000 -0500
++++ auth-rhosts.c
+@@ -198,7 +198,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ return 0;
-+#ifndef __INTERIX
- /*
- * Print the SSHFP RR.
- */
-@@ -651,6 +652,7 @@ do_print_resource_record(struct passwd *
- printf("failed to read v2 public key from %s.\n", identity_file);
- exit(1);
- }
-+#endif /* __INTERIX */
-
- /*
- * Change the comment of a private key file.
-@@ -769,7 +771,9 @@ usage(void)
- fprintf(stderr, " -C comment Provide new comment.\n");
- fprintf(stderr, " -N phrase Provide new passphrase.\n");
- fprintf(stderr, " -P phrase Provide old passphrase.\n");
-+#ifndef __INTERIX
- fprintf(stderr, " -r hostname Print DNS resource record.\n");
-+#endif /* __INTERIX */
- #ifdef SMARTCARD
- fprintf(stderr, " -D reader Download public key from smartcard.\n");
- fprintf(stderr, " -U reader Upload private key to smartcard.\n");
-@@ -957,7 +961,11 @@ main(int ac, char **av)
- if (print_public)
- do_print_public(pw);
- if (resource_record_hostname != NULL) {
-+#ifndef __INTERIX
- do_print_resource_record(pw, resource_record_hostname);
-+#else /* __INTERIX */
-+ fatal("no support for DNS.");
-+#endif /* __INTERIX */
+ /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
+- if (pw->pw_uid != 0) {
++ if (pw->pw_uid != ROOTUID) {
+ if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
+ client_user, pw->pw_name)) {
+ auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
+@@ -224,7 +224,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ return 0;
}
- if (reader_id != NULL) {
- #ifdef SMARTCARD
+ if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Rhosts authentication refused for %.100s: "
+ "bad ownership or modes for home directory.", pw->pw_name);
+@@ -251,7 +251,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ * allowing access to their account by anyone.
+ */
+ if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+ pw->pw_name, buf);
diff --git a/security/openssh/patches/patch-ak b/security/openssh/patches/patch-ak
index 5630390e381..ae734c68bde 100644
--- a/security/openssh/patches/patch-ak
+++ b/security/openssh/patches/patch-ak
@@ -1,36 +1,31 @@
-$NetBSD: patch-ak,v 1.5 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-ak,v 1.6 2005/03/07 23:29:50 tv Exp $
---- sshconnect.c.orig 2004-06-22 04:56:02.000000000 +0200
-+++ sshconnect.c
-@@ -727,6 +727,7 @@ check_host_key(char *host, struct sockad
- /* The default */
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- msg2[0] = '\0';
-+#ifndef __INTERIX
- if (options.verify_host_key_dns) {
- if (matching_host_key_dns)
- snprintf(msg2, sizeof(msg2),
-@@ -737,6 +738,7 @@ check_host_key(char *host, struct sockad
- "No matching host key fingerprint"
- " found in DNS.\n");
- }
-+#endif /* __INTERIX */
- snprintf(msg, sizeof(msg),
- "The authenticity of host '%.200s (%s)' can't be "
- "established%s\n"
-@@ -894,6 +896,7 @@ verify_host_key(char *host, struct socka
- struct stat st;
- int flags = 0;
+--- auth.c.orig 2004-08-12 08:40:25.000000000 -0400
++++ auth.c
+@@ -356,7 +356,7 @@ check_key_in_hostfiles(struct passwd *pw
+ user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
+ if (options.strict_modes &&
+ (stat(user_hostfile, &st) == 0) &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ (st.st_mode & 022) != 0)) {
+ logit("Authentication refused for %.100s: "
+ "bad owner or modes for %.200s",
+@@ -409,7 +409,7 @@ secure_filename(FILE *f, const char *fil
-+#ifndef __INTERIX
- if (options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+ /* check the open file to avoid races */
+ if (fstat(fileno(f), &st) < 0 ||
+- (st.st_uid != 0 && st.st_uid != uid) ||
++ (st.st_uid != ROOTUID && st.st_uid != uid) ||
+ (st.st_mode & 022) != 0) {
+ snprintf(err, errlen, "bad ownership or modes for file %s",
+ buf);
+@@ -426,7 +426,7 @@ secure_filename(FILE *f, const char *fil
-@@ -913,6 +916,7 @@ verify_host_key(char *host, struct socka
- }
- }
- }
-+#endif /* !defined(__INTERIX) */
-
- /* return ok if the key can be found in an old keyfile */
- if (stat(options.system_hostfile2, &st) == 0 ||
+ debug3("secure_filename: checking '%s'", buf);
+ if (stat(buf, &st) < 0 ||
+- (st.st_uid != 0 && st.st_uid != uid) ||
++ (st.st_uid != ROOTUID && st.st_uid != uid) ||
+ (st.st_mode & 022) != 0) {
+ snprintf(err, errlen,
+ "bad ownership or modes for directory %s", buf);
diff --git a/security/openssh/patches/patch-al b/security/openssh/patches/patch-al
index 32d4b2cc34c..36c66fb9415 100644
--- a/security/openssh/patches/patch-al
+++ b/security/openssh/patches/patch-al
@@ -1,19 +1,24 @@
-$NetBSD: patch-al,v 1.4 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-al,v 1.5 2005/03/07 23:29:50 tv Exp $
---- openbsd-compat/getrrsetbyname.c.orig 2004-05-13 12:24:10.000000000 +0200
-+++ openbsd-compat/getrrsetbyname.c
-@@ -47,7 +47,7 @@
-
- #include "includes.h"
-
--#ifndef HAVE_GETRRSETBYNAME
-+#if !defined(HAVE_GETRRSETBYNAME) && !defined(__INTERIX)
-
- #include "getrrsetbyname.h"
-
-@@ -578,4 +578,4 @@ count_dns_rr(struct dns_rr *p, u_int16_t
- return (n);
- }
-
--#endif /* !defined(HAVE_GETRRSETBYNAME) */
-+#endif /* !defined(HAVE_GETRRSETBYNAME) && !defined(__INTERIX) */
+--- auth1.c.orig 2004-08-12 08:40:25.000000000 -0400
++++ auth1.c
+@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
+ }
+ #else
+ /* Special handling for root */
+- if (authenticated && authctxt->pw->pw_uid == 0 &&
++ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+ !auth_root_allowed(get_authname(type)))
+ authenticated = 0;
+ #endif
+@@ -318,8 +318,8 @@ do_authentication(Authctxt *authctxt)
+ * If we are not running as root, the user must have the same uid as
+ * the server. (Unless you are running Windows)
+ */
+-#ifndef HAVE_CYGWIN
+- if (!use_privsep && getuid() != 0 && authctxt->pw &&
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
++ if (!use_privsep && getuid() != ROOTUID && authctxt->pw &&
+ authctxt->pw->pw_uid != getuid())
+ packet_disconnect("Cannot change user when server not running as root.");
+ #endif
diff --git a/security/openssh/patches/patch-am b/security/openssh/patches/patch-am
index f2e658719df..6f6406678a9 100644
--- a/security/openssh/patches/patch-am
+++ b/security/openssh/patches/patch-am
@@ -1,13 +1,13 @@
-$NetBSD: patch-am,v 1.3 2004/08/04 06:43:52 minskim Exp $
+$NetBSD: patch-am,v 1.4 2005/03/07 23:29:50 tv Exp $
---- openbsd-compat/inet_ntop.c.orig Sun Nov 23 20:33:34 2003
-+++ openbsd-compat/inet_ntop.c
-@@ -35,7 +35,7 @@ static char rcsid[] = "$OpenBSD: inet_nt
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
--#ifndef HAVE_CYGWIN
-+#if !defined(HAVE_CYGWIN) && !defined(__INTERIX)
- #include <arpa/nameser.h>
- #endif
- #include <string.h>
+--- auth2.c.orig 2004-08-12 08:40:25.000000000 -0400
++++ auth2.c
+@@ -211,7 +211,7 @@ userauth_finish(Authctxt *authctxt, int
+ authctxt->user);
+
+ /* Special handling for root */
+- if (authenticated && authctxt->pw->pw_uid == 0 &&
++ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+ !auth_root_allowed(method))
+ authenticated = 0;
+
diff --git a/security/openssh/patches/patch-an b/security/openssh/patches/patch-an
index b6f0eedc20c..42cabcf4d5e 100644
--- a/security/openssh/patches/patch-an
+++ b/security/openssh/patches/patch-an
@@ -1,52 +1,37 @@
-$NetBSD: patch-an,v 1.4 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-an,v 1.5 2005/03/07 23:29:50 tv Exp $
---- sshd.c.orig 2004-08-12 15:08:15.000000000 +0200
-+++ sshd.c
-@@ -52,6 +52,9 @@ RCSID("$OpenBSD: sshd.c,v 1.301 2004/08/
- #include <sys/security.h>
- #include <prot.h>
- #endif
-+#ifdef __INTERIX
-+#include <interix/security.h>
-+#endif /* __INTERIX */
+--- scp.c.orig 2004-08-13 07:19:38.000000000 -0400
++++ scp.c
+@@ -294,7 +294,11 @@ main(int argc, char **argv)
+ argc -= optind;
+ argv += optind;
- #include "ssh.h"
- #include "ssh1.h"
-@@ -579,10 +582,15 @@ privsep_preauth_child(void)
- /* XXX not ready, too heavy after chroot */
- do_setusercontext(pw);
- #else
-+#ifdef __INTERIX
-+ if (setuser(SSH_PRIVSEP_USER, NULL, SU_COMPLETE) != 0)
-+ fatal("setuser: %s, %.100s", SSH_PRIVSEP_USER, strerror(errno));
-+#else /* __INTERIX */
- gidset[0] = pw->pw_gid;
- if (setgroups(1, gidset) < 0)
- fatal("setgroups: %.100s", strerror(errno));
- permanently_set_uid(pw);
-+#endif /* __INTERIX */
- #endif
- }
-
-@@ -911,8 +919,10 @@ main(int ac, char **av)
- av = saved_argv;
- #endif
-
-+#ifndef __INTERIX
- if (geteuid() == 0 && setgroups(0, NULL) == -1)
- debug("setgroups(): %.200s", strerror(errno));
++#ifdef HAVE_INTERIX
++ if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
++#else
+ if ((pwd = getpwuid(userid = getuid())) == NULL)
+#endif
+ fatal("unknown user %u", (u_int) userid);
- /* Initialize configuration options to their default values. */
- initialize_server_options(&options);
-@@ -1183,8 +1193,10 @@ main(int ac, char **av)
- * to create a file, and we can't control the code in every
- * module which might be used).
- */
-+#ifndef __INTERIX
- if (setgroups(0, NULL) < 0)
- debug("setgroups() failed: %.200s", strerror(errno));
-+#endif /* __INTERIX */
-
- if (rexec_flag) {
- rexec_argv = xmalloc(sizeof(char *) * (rexec_argc + 2));
+ if (!isatty(STDERR_FILENO))
+@@ -637,8 +641,10 @@ rsource(char *name, struct stat *statp)
+ return;
+ }
+ while ((dp = readdir(dirp)) != NULL) {
++#ifndef HAVE_INTERIX
+ if (dp->d_ino == 0)
+ continue;
++#endif
+ if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+ continue;
+ if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
+@@ -1086,7 +1092,9 @@ okname(char *cp0)
+ case '\'':
+ case '"':
+ case '`':
++#ifndef HAVE_INTERIX
+ case ' ':
++#endif
+ case '#':
+ goto bad;
+ default:
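Review bot: Compiling out `case ' ':` in okname() on Interix lets user names containing spaces pass the only validation visible in this hunk, with no comment explaining why. okname()'s callers are outside the hunk. If an accepted name is later placed unquoted into a command line, a space would split it into additional arguments, so those call sites need quoting before this relaxation is safe. I would add a comment next to the `#ifndef HAVE_INTERIX` such as `/* Windows account names may contain spaces; callers must quote the name */` and verify the callers accordingly.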
diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao
index b2f1b372821..6b5c21c82fb 100644
--- a/security/openssh/patches/patch-ao
+++ b/security/openssh/patches/patch-ao
@@ -1,31 +1,85 @@
-$NetBSD: patch-ao,v 1.5 2004/08/04 06:43:53 minskim Exp $
+$NetBSD: patch-ao,v 1.6 2005/03/07 23:29:50 tv Exp $
---- uidswap.c.orig Mon Feb 23 20:17:30 2004
-+++ uidswap.c
-@@ -83,6 +83,7 @@ temporarily_use_uid(struct passwd *pw)
- xfree(saved_egroups);
+--- session.c.orig 2004-08-12 08:40:25.000000000 -0400
++++ session.c
+@@ -326,7 +326,7 @@ do_authenticated1(Authctxt *authctxt)
+ break;
+ }
+ debug("Received TCP/IP port forwarding request.");
+- channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports);
++ channel_input_port_forward_request(s->pw->pw_uid == ROOTUID, options.gateway_ports);
+ success = 1;
+ break;
+
+@@ -921,7 +921,7 @@ read_etc_default_login(char ***env, u_in
+ if (tmpenv == NULL)
+ return;
+
+- if (uid == 0)
++ if (uid == ROOTUID)
+ var = child_get_env(tmpenv, "SUPATH");
+ else
+ var = child_get_env(tmpenv, "PATH");
+@@ -1020,7 +1020,7 @@ do_setup_env(Session *s, const char *she
+ # endif /* HAVE_ETC_DEFAULT_LOGIN */
+ if (path == NULL || *path == '\0') {
+ child_set_env(&env, &envsize, "PATH",
+- s->pw->pw_uid == 0 ?
++ s->pw->pw_uid == ROOTUID ?
+ SUPERUSER_PATH : _PATH_STDPATH);
+ }
+ # endif /* HAVE_CYGWIN */
+@@ -1124,6 +1124,18 @@ do_setup_env(Session *s, const char *she
+ strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
+ read_environment_file(&env, &envsize, buf);
}
++
++#ifdef HAVE_INTERIX
++ {
++ /* copy standard Windows environment, then apply changes */
++ env_t *winenv = env_login(pw);
++ env_putarray(winenv, env, ENV_OVERRIDE);
++
++ /* swap over to altered environment as a traditional array */
++ env = env_array(winenv);
++ }
++#endif
++
+ if (debug_flag) {
+ /* dump the environment */
+ fprintf(stderr, "Environment:\n");
+@@ -1234,9 +1246,9 @@ do_nologin(struct passwd *pw)
+ void
+ do_setusercontext(struct passwd *pw)
+ {
+-#ifndef HAVE_CYGWIN
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
+ if (getuid() == 0 || geteuid() == 0)
+-#endif /* HAVE_CYGWIN */
++#endif /* !HAVE_CYGWIN && !HAVE_INTERIX */
+ {
-+#ifndef __INTERIX
- /* set and save the user's groups */
- if (user_groupslen == -1) {
- if (initgroups(pw->pw_name, pw->pw_gid) < 0)
-@@ -105,6 +106,7 @@ temporarily_use_uid(struct passwd *pw)
- /* Set the effective uid to the given (unprivileged) uid. */
- if (setgroups(user_groupslen, user_groups) < 0)
- fatal("setgroups: %.100s", strerror(errno));
-+#endif /* __INTERIX */
- #ifndef SAVED_IDS_WORK_WITH_SETEUID
- /* Propagate the privileged gid to all of our gids. */
- if (setgid(getegid()) < 0)
-@@ -152,8 +154,10 @@ restore_uid(void)
- setgid(getgid());
- #endif /* SAVED_IDS_WORK_WITH_SETEUID */
+ #ifdef HAVE_SETPCRED
+@@ -1271,11 +1283,13 @@ do_setusercontext(struct passwd *pw)
+ perror("setgid");
+ exit(1);
+ }
++# if !defined(HAVE_INTERIX)
+ /* Initialize the group list. */
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+ perror("initgroups");
+ exit(1);
+ }
++# endif /* !HAVE_INTERIX */
+ endgrent();
+ # ifdef USE_PAM
+ /*
+@@ -1965,7 +1979,7 @@ session_pty_cleanup2(Session *s)
+ record_logout(s->pid, s->tty, s->pw->pw_name);
-+#ifndef __INTERIX
- if (setgroups(saved_egroupslen, saved_egroups) < 0)
- fatal("setgroups: %.100s", strerror(errno));
-+#endif /* __INTERIX */
- temporarily_use_uid_effective = 0;
- }
+ /* Release the pseudo-tty. */
+- if (getuid() == 0)
++ if (getuid() == ROOTUID)
+ pty_release(s->tty);
+ /*
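Review bot: In the HAVE_INTERIX block added to do_setup_env, the result of `env_login(pw)` goes straight into `env_putarray()` and `env_array()` with no failure check. `env` is also replaced while `envsize` still describes the old array. If env_login() can return NULL (its contract is not visible here), the session child would dereference it. Any later `child_set_env(&env, &envsize, ...)` would then operate on an array it did not allocate. I would add `if (winenv == NULL) fatal("env_login failed");` after the call, plus a comment that no child_set_env() call may follow the swap. The function body continues outside the hunk.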
diff --git a/security/openssh/patches/patch-ap b/security/openssh/patches/patch-ap
index a8ceb435302..cbaac523636 100644
--- a/security/openssh/patches/patch-ap
+++ b/security/openssh/patches/patch-ap
@@ -1,18 +1,13 @@
-$NetBSD: patch-ap,v 1.4 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-ap,v 1.5 2005/03/07 23:29:50 tv Exp $
---- session.c.orig 2004-08-12 14:40:25.000000000 +0200
-+++ session.c
-@@ -1271,11 +1271,13 @@ do_setusercontext(struct passwd *pw)
- perror("setgid");
- exit(1);
- }
-+#ifndef __INTERIX
- /* Initialize the group list. */
- if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
- perror("initgroups");
- exit(1);
- }
-+#endif /* __INTERIX */
- endgrent();
- # ifdef USE_PAM
- /*
+--- ssh.c.orig 2004-08-15 03:23:34.000000000 -0400
++++ ssh.c
+@@ -593,7 +593,7 @@ again:
+ /* Open a connection to the remote host. */
+ if (ssh_connect(host, &hostaddr, options.port,
+ options.address_family, options.connection_attempts,
+-#ifdef HAVE_CYGWIN
++#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
+ options.use_privileged_port,
+ #else
+ original_effective_uid == 0 && options.use_privileged_port,
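Review bot: The Interix case added to the `ssh_connect()` argument list in ssh.c passes `options.use_privileged_port` with no test of the caller's privilege, while the other patches in this commit keep their uid tests and only replace `0` with `ROOTUID`. If Interix has a usable privileged uid, as the `ROOTUID` substitutions elsewhere suggest, it would be more consistent to leave only Cygwin in the unconditional arm and write the other as `original_effective_uid == ROOTUID && options.use_privileged_port,`. If the unconditional form is intended, a short comment at the `#if` saying why the uid test cannot be used on Interix would help the next reader. The `ssh_connect()` call continues outside the hunk.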
diff --git a/security/openssh/patches/patch-aq b/security/openssh/patches/patch-aq
index 6624baba4d4..a92d3e287c9 100644
--- a/security/openssh/patches/patch-aq
+++ b/security/openssh/patches/patch-aq
@@ -1,13 +1,22 @@
-$NetBSD: patch-aq,v 1.4 2004/08/31 11:27:12 wiz Exp $
+$NetBSD: patch-aq,v 1.5 2005/03/07 23:29:50 tv Exp $
---- packet.c.orig 2004-06-22 04:56:02.000000000 +0200
-+++ packet.c
-@@ -1405,7 +1405,7 @@ packet_not_very_much_data_to_write(void)
- static void
- packet_set_tos(int interactive)
+--- sshpty.c.orig 2004-06-21 22:56:02.000000000 -0400
++++ sshpty.c
+@@ -62,7 +62,7 @@ pty_allocate(int *ptyfd, int *ttyfd, cha
+ void
+ pty_release(const char *tty)
{
--#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
-+#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) && !defined(__INTERIX)
- int tos = interactive ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT;
-
- if (!packet_connection_is_on_socket() ||
+- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
++ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
+ error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
+ if (chmod(tty, (mode_t) 0666) < 0)
+ error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
+@@ -203,7 +203,7 @@ pty_setowner(struct passwd *pw, const ch
+ if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+ if (chown(tty, pw->pw_uid, gid) < 0) {
+ if (errno == EROFS &&
+- (st.st_uid == pw->pw_uid || st.st_uid == 0))
++ (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
+ debug("chown(%.100s, %u, %u) failed: %.100s",
+ tty, (u_int)pw->pw_uid, (u_int)gid,
+ strerror(errno));
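Review bot: The `error()` message in `pty_release()` still hard-codes `0 0` after the `chown()` call was changed to `ROOTUID`/`ROOTGID`, so on a platform where those are not zero the log reports ids that were never used. Printing the real values keeps the log usable when diagnosing tty ownership problems: `error("chown %.100s %u %u failed: %.100s", tty, (u_int)ROOTUID, (u_int)ROOTGID, strerror(errno));`. The definitions of `ROOTUID` and `ROOTGID` are not in the visible hunks, so the casts assume they are plain integer constants.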
diff --git a/security/openssh/patches/patch-ar b/security/openssh/patches/patch-ar
index f5e3dfd5374..80862f82538 100644
--- a/security/openssh/patches/patch-ar
+++ b/security/openssh/patches/patch-ar
@@ -1,28 +1,50 @@
-$NetBSD: patch-ar,v 1.3 2004/11/04 12:46:33 markd Exp $
+$NetBSD: patch-ar,v 1.4 2005/03/07 23:29:50 tv Exp $
---- includes.h.orig 2004-08-15 02:01:48.000000000 +1200
-+++ includes.h
-@@ -176,11 +176,6 @@ static /**/const char *const rcsid[] = {
- # include <libutil.h> /* Openpty on FreeBSD at least */
- #endif
+--- uidswap.c.orig 2004-02-23 21:17:30.000000000 -0500
++++ uidswap.c
+@@ -56,12 +56,12 @@ temporarily_use_uid(struct passwd *pw)
+ debug("temporarily_use_uid: %u/%u (e=%u/%u)",
+ (u_int)pw->pw_uid, (u_int)pw->pw_gid,
+ (u_int)saved_euid, (u_int)saved_egid);
+- if (saved_euid != 0) {
++ if (saved_euid != ROOTUID) {
+ privileged = 0;
+ return;
+ }
+ #else
+- if (geteuid() != 0) {
++ if (geteuid() != ROOTUID) {
+ privileged = 0;
+ return;
+ }
+@@ -85,9 +85,11 @@ temporarily_use_uid(struct passwd *pw)
--#if defined(KRB5) && defined(USE_AFS)
--# include <krb5.h>
--# include <kafs.h>
--#endif
--
- /*
- * On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations
- * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here.
-@@ -195,6 +190,11 @@ static /**/const char *const rcsid[] = {
+ /* set and save the user's groups */
+ if (user_groupslen == -1) {
++#ifndef HAVE_INTERIX
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+ fatal("initgroups: %s: %.100s", pw->pw_name,
+ strerror(errno));
++#endif
- #include "defines.h"
+ user_groupslen = getgroups(0, NULL);
+ if (user_groupslen < 0)
+@@ -172,6 +174,10 @@ permanently_set_uid(struct passwd *pw)
+ debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
+ (u_int)pw->pw_gid);
-+#if defined(KRB5) && defined(USE_AFS)
-+# include <krb5.h>
-+# include <kafs.h>
-+#endif
-+
- #include "version.h"
- #include "openbsd-compat/openbsd-compat.h"
- #include "openbsd-compat/bsd-nextstep.h"
++#if defined(HAVE_INTERIX)
++ if (setuser(pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
++#else
+ #if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
+ fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+@@ -218,6 +224,7 @@ permanently_set_uid(struct passwd *pw)
+ (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+ fatal("%s: was able to restore old [e]uid", __func__);
+ #endif
++#endif /* HAVE_INTERIX */
+
+ /* Verify UID drop was successful */
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
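Review bot: The new `fatal()` after `setuser()` in `permanently_set_uid()` prints `pw->pw_gid` under the label `setuser %u`, which misreports what failed. Since the call is keyed on the user name, `fatal("setuser %.100s: %.100s", pw->pw_name, strerror(errno));` would be accurate. The Interix branch also compiles out the "try to restore old gid/uid" tests that sit before `#endif /* HAVE_INTERIX */`, leaving only the `getuid()`/`geteuid()` comparison that follows. A matching `getgid()`/`getegid()` comparison there would confirm the group drop as well. In `temporarily_use_uid()`, skipping `initgroups()` appears to mean the `getgroups()` call saves the calling process's own group list as `user_groups`, which deserves a comment saying that this is intended on Interix.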
diff --git a/security/openssh/patches/patch-as b/security/openssh/patches/patch-as
new file mode 100644
index 00000000000..f4e324659ad
--- /dev/null
+++ b/security/openssh/patches/patch-as
@@ -0,0 +1,20 @@
+$NetBSD: patch-as,v 1.3 2005/03/07 23:29:50 tv Exp $
+
+--- log.h.orig 2004-06-21 22:57:44.000000000 -0400
++++ log.h
+@@ -53,7 +53,7 @@ void log_init(char *, LogLevel, Sysl
+ SyslogFacility log_facility_number(char *);
+ LogLevel log_level_number(char *);
+
+-void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2)));
++void fatal(const char *, ...) __noreturn __attribute__((format(printf, 1, 2)));
+ void error(const char *, ...) __attribute__((format(printf, 1, 2)));
+ void logit(const char *, ...) __attribute__((format(printf, 1, 2)));
+ void verbose(const char *, ...) __attribute__((format(printf, 1, 2)));
+@@ -62,5 +62,5 @@ void debug2(const char *, ...) __att
+ void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
+
+ void do_log(LogLevel, const char *, va_list);
+-void cleanup_exit(int) __dead;
++void cleanup_exit(int) __noreturn;
+ #endif
diff --git a/security/openssh/patches/patch-at b/security/openssh/patches/patch-at
new file mode 100644
index 00000000000..fc46d739006
--- /dev/null
+++ b/security/openssh/patches/patch-at
@@ -0,0 +1,16 @@
+$NetBSD: patch-at,v 1.1 2005/03/07 23:29:50 tv Exp $
+
+--- servconf.c.orig 2004-08-13 07:30:24.000000000 -0400
++++ servconf.c
+@@ -233,7 +233,11 @@ fill_default_server_options(ServerOption
+
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
++#ifdef HAVE_INTERIX
++ use_privsep = 0;
++#else
+ use_privsep = 1;
++#endif
+
+ #ifndef HAVE_MMAP
+ if (use_privsep && options->compression == 1) {
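Review bot: The Interix arm sets `use_privsep = 0` under a comment that still reads "Turn privilege separation on by default", and nothing at that point says why the default differs. With privilege separation off, pre-authentication network handling runs in the privileged process, so the reason belongs where the default is set, for example `/* Interix: privsep off by default (<state the limitation>); an explicit UsePrivilegeSeparation setting is still honoured */`. Only the unset (`-1`) case changes, and patch-av adds an Interix path in `privsep_preauth_child()` for users who turn it on. It would also be worth listing this among the caveats in MESSAGE.Interix if it is not already there, since only the start of that file is visible here.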
diff --git a/security/openssh/patches/patch-au b/security/openssh/patches/patch-au
new file mode 100644
index 00000000000..1922e4baf54
--- /dev/null
+++ b/security/openssh/patches/patch-au
@@ -0,0 +1,22 @@
+$NetBSD: patch-au,v 1.1 2005/03/07 23:29:50 tv Exp $
+
+--- openbsd-compat/bsd-openpty.c.orig 2004-02-17 00:49:55.000000000 -0500
++++ openbsd-compat/bsd-openpty.c
+@@ -102,7 +102,7 @@ openpty(int *amaster, int *aslave, char
+ return (-1);
+ }
+
+-#ifndef HAVE_CYGWIN
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
+ /*
+ * Try to push the appropriate streams modules, as described
+ * in Solaris pts(7).
+@@ -112,7 +112,7 @@ openpty(int *amaster, int *aslave, char
+ # ifndef __hpux
+ ioctl(*aslave, I_PUSH, "ttcompat");
+ # endif /* __hpux */
+-#endif /* HAVE_CYGWIN */
++#endif /* !HAVE_CYGWIN && !HAVE_INTERIX */
+
+ return (0);
+
diff --git a/security/openssh/patches/patch-av b/security/openssh/patches/patch-av
new file mode 100644
index 00000000000..25a8a4a15a8
--- /dev/null
+++ b/security/openssh/patches/patch-av
@@ -0,0 +1,56 @@
+$NetBSD: patch-av,v 1.1 2005/03/07 23:29:50 tv Exp $
+
+--- sshd.c.orig 2004-08-12 09:08:15.000000000 -0400
++++ sshd.c
+@@ -579,10 +579,15 @@ privsep_preauth_child(void)
+ /* XXX not ready, too heavy after chroot */
+ do_setusercontext(pw);
+ #else
++#ifdef HAVE_INTERIX
++ if (setuser(pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser: %.100s", strerror(errno));
++#else
+ gidset[0] = pw->pw_gid;
+ if (setgroups(1, gidset) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
+ permanently_set_uid(pw);
++#endif /* HAVE_INTERIX */
+ #endif
+ }
+
+@@ -622,7 +627,7 @@ privsep_preauth(Authctxt *authctxt)
+ close(pmonitor->m_sendfd);
+
+ /* Demote the child */
+- if (getuid() == 0 || geteuid() == 0)
++ if (getuid() == ROOTUID || geteuid() == ROOTUID)
+ privsep_preauth_child();
+ setproctitle("%s", "[net]");
+ }
+@@ -635,7 +640,7 @@ privsep_postauth(Authctxt *authctxt)
+ #ifdef DISABLE_FD_PASSING
+ if (1) {
+ #else
+- if (authctxt->pw->pw_uid == 0 || options.use_login) {
++ if (authctxt->pw->pw_uid == ROOTUID || options.use_login) {
+ #endif
+ /* File descriptor passing is broken or root login */
+ monitor_apply_keystate(pmonitor);
+@@ -911,7 +916,7 @@ main(int ac, char **av)
+ av = saved_argv;
+ #endif
+
+- if (geteuid() == 0 && setgroups(0, NULL) == -1)
++ if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
+ debug("setgroups(): %.200s", strerror(errno));
+
+ /* Initialize configuration options to their default values. */
+@@ -1166,7 +1171,7 @@ main(int ac, char **av)
+ (st.st_uid != getuid () ||
+ (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+ #else
+- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
++ if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+ #endif
+ fatal("%s must be owned by root and not group or "
+ "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
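Review bot: In `privsep_preauth_child()` the Interix branch calls `setuser()` directly and skips `permanently_set_uid(pw)`, so the `getuid()`/`geteuid()` verification at the end of that function is not run on this path. patch-ar in the same commit already makes `permanently_set_uid()` call `setuser(pw->pw_name, NULL, SU_COMPLETE)` on Interix. The branch could therefore be reduced to `permanently_set_uid(pw);`, keeping one implementation of the drop and retaining the post-drop check. The function body begins outside the hunk, and `ROOTUID`, used in the later sshd.c hunks, is defined outside the visible patches.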