- fix logging after chroot

- enable non root users to use chroot %h in internal-sftp
2009-04-03 12:37:30 +00:00 · 2009-04-03 12:37:30 +00:00 · 061e214116
commit 061e214116
parent 0f07b4ad95
3 changed files with 99 additions and 6 deletions
--- a/openssh-5.1p1-log-in-chroot.patch
+++ b/openssh-5.1p1-log-in-chroot.patch
@ -15,15 +15,32 @@ diff -up openssh-5.1p1/sshd.c.log-chroot openssh-5.1p1/sshd.c
 diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c
 --- openssh-5.1p1/log.c.log-chroot	2008-06-10 15:01:51.000000000 +0200
 +++ openssh-5.1p1/log.c	2008-07-23 15:18:52.000000000 +0200
-@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL
+@@ -45,6 +45,7 @@
+ #include <syslog.h>
+ #include <unistd.h>
+ #include <errno.h>
+#include <fcntl.h>
+ #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
+ # include <vis.h>
+ #endif
+@@ -56,6 +57,7 @@
 static int log_on_stderr = 1;
 static int log_facility = LOG_AUTH;
 static char *argv0;
-+static int log_fd_keep;
+int log_fd_keep = 0;
 
 extern char *__progname;
 
-@@ -392,10 +393,21 @@ do_log(LogLevel level, const char *fmt, 
+@@ -310,6 +312,8 @@
+ 		exit(1);
+ 	}
+ 
+	if (log_fd_keep != 0)
+		return;
+ 	/*
+ 	 * If an external library (eg libwrap) attempts to use syslog
+ 	 * immediately after reexec, syslog may be pointing to the wrong
+@@ -392,10 +396,33 @@
 		syslog_r(pri, &sdata, "%.500s", fmtbuf);
 		closelog_r(&sdata);
 #else
@ -42,16 +59,58 @@ diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c
 +void
 +open_log(void)
 +{
+	int temp1, temp2;
+
+	temp1 = open("/dev/null", O_RDONLY);
 +	openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
-+	log_fd_keep = 1;
+	temp2 = open("/dev/null", O_RDONLY);
+	if (temp1 + 2 ==  temp2)
+		log_fd_keep = temp1 + 1;
+	else 
+		log_fd_keep = -1;
+
+	if (temp1 != -1)
+		close(temp1);
+	if (temp2 != -1)
+		close(temp2);
 +}
 diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h
 --- openssh-5.1p1/log.h.log-chroot	2008-06-13 02:22:54.000000000 +0200
 +++ openssh-5.1p1/log.h	2008-07-23 15:20:11.000000000 +0200
-@@ -66,4 +66,6 @@ void     debug3(const char *, ...) __att
+@@ -46,6 +46,9 @@
+ 	SYSLOG_LEVEL_NOT_SET = -1
+ }       LogLevel;
+ 
+
+extern int log_fd_keep;
+
+ void     log_init(char *, LogLevel, SyslogFacility, int);
+ 
+ SyslogFacility	log_facility_number(char *);
+@@ -66,4 +69,6 @@
 
 void	 do_log(LogLevel, const char *, va_list);
 void	 cleanup_exit(int) __attribute__((noreturn));
 +
 +void     open_log(void);
 #endif
+--- openssh-5.2p1/session.c.	2009-03-20 18:32:01.004151364 +0100
+++ openssh-5.2p1/session.c	2009-03-20 19:00:28.328742384 +0100
+@@ -1445,6 +1456,7 @@
+ 	if (chdir(path) == -1)
+ 		fatal("Unable to chdir to chroot path \"%s\": "
+ 		    "%s", path, strerror(errno));
+	open_log ();
+ 	if (chroot(path) == -1)
+ 		fatal("chroot(\"%s\"): %s", path, strerror(errno));
+ 	if (chdir("/") == -1)
+@@ -1632,7 +1644,8 @@
+ 	 * descriptors open.
+ 	 */
+ 	for (i = 3; i < 64; i++)
+-		close(i);
+		if (i != log_fd_keep)
+			close(i);
+ }
+ 
+ /*
--- a/openssh-5.2p1-homechroot.patch
+++ b/openssh-5.2p1-homechroot.patch
@ -0,0 +1,28 @@
+--- openssh-5.2p1/session.c	2009-03-20 18:08:11.263662384 +0100
+++ openssh-5.2p1/session.c	2009-03-20 18:26:29.925498409 +0100
+@@ -1408,6 +1408,7 @@
+ 	const char *cp;
+ 	char component[MAXPATHLEN];
+ 	struct stat st;
+	int last;
+ 
+ 	if (*path != '/')
+ 		fatal("chroot path does not begin at root");
+@@ -1419,7 +1420,7 @@
+ 	 * root-owned directory with strict permissions.
+ 	 */
+ 	for (cp = path; cp != NULL;) {
+-		if ((cp = strchr(cp, '/')) == NULL)
+		if (((last = ((cp = strchr(cp, '/')) == NULL))))
+ 			strlcpy(component, path, sizeof(component));
+ 		else {
+ 			cp++;
+@@ -1432,7 +1433,7 @@
+ 		if (stat(component, &st) != 0)
+ 			fatal("%s: stat(\"%s\"): %s", __func__,
+ 			    component, strerror(errno));
+-		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
+		if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
+ 			fatal("bad ownership or modes for chroot "
+ 			    "directory %s\"%s\"", 
+ 			    cp == NULL ? "" : "component ", component);
--- a/openssh.spec
+++ b/openssh.spec
@ -63,7 +63,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.2p1
-Release: 2%{?dist}%{?rescue_rel}
+Release: 3%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -97,6 +97,7 @@ Patch54: openssh-5.1p1-gssapi-role.patch
 Patch55: openssh-5.1p1-cloexec.patch
 Patch62: openssh-5.1p1-scp-manpage.patch
 Patch65: openssh-5.2p1-fips.patch
+Patch66: openssh-5.2p1-homechroot.patch

 License: BSD
 Group: Applications/Internet
@ -228,6 +229,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch55 -p1 -b .cloexec
 %patch62 -p1 -b .manpage
 %patch65 -p1 -b .fips
+%patch66 -p1 -b .homechroot

 autoreconf

@ -472,6 +474,10 @@ fi
 %endif

 %changelog
+* Fri Apr  3 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-3
+- fix logging after chroot
+- enable non root users to use chroot %h in internal-sftp
+
 * Fri Mar 13 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-2
 - add AES-CTR ciphers to the FIPS mode proposal