From 1961bc12e68b52df1e0f91389a986258ecc7b4ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Mon, 19 May 2008 16:53:29 +0000
Subject: [PATCH] - add LANGUAGE to accepted/sent environment variables (#443231)
- use pam_selinux to obtain the user context instead of doing it itself
- unbreak server keep alive settings (patch from upstream)
- small addition to scp manpage
---
openssh-3.9p1-scp-manpage.patch | 17 ++++
openssh-4.7p1-redhat.patch | 4 +-
openssh-5.0p1-pam_selinux.patch | 156 +++++++++++++++++++++++++++++++
openssh-5.0p1-unbreakalive.patch | 20 ++++
openssh.spec | 16 +++-
sshd.pam | 6 +-
6 files changed, 214 insertions(+), 5 deletions(-)
create mode 100644 openssh-3.9p1-scp-manpage.patch
create mode 100644 openssh-5.0p1-pam_selinux.patch
create mode 100644 openssh-5.0p1-unbreakalive.patch
diff --git a/openssh-3.9p1-scp-manpage.patch b/openssh-3.9p1-scp-manpage.patch
new file mode 100644
index 0000000..325f9a2
--- /dev/null
+++ b/openssh-3.9p1-scp-manpage.patch
@@ -0,0 +1,17 @@
+--- scp.orig 2007-12-22 20:37:27.000000000 +0100
++++ scp.1 2007-12-22 20:36:42.000000000 +0100
+@@ -60,6 +60,14 @@
+ that the file is to be copied to/from that host.
+ Copies between two remote hosts are permitted.
+ .Pp
++When copying a source file to a target file which already exists,
++.Nm
++will replace the contents of the target file (keeping the inode).
++.Pp
++If the target file does not yet exist, an empty file with the target
++file name is created, then filled with the source file contents.
++No attempt is made at "near-atomic" transfer using temporary files.
++.Pp
+ The options are as follows:
+ .Bl -tag -width Ds
+ .It Fl 1
diff --git a/openssh-4.7p1-redhat.patch b/openssh-4.7p1-redhat.patch
index eb4b3dd..1618a71 100644
--- a/openssh-4.7p1-redhat.patch
+++ b/openssh-4.7p1-redhat.patch
@@ -40,7 +40,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
 +# Accept locale-related environment variables
 +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+AcceptEnv LC_IDENTIFICATION LC_ALL
++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
@@ -64,7 +64,7 @@ diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config
 +# Send locale-related environment variables
 + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+ SendEnv LC_IDENTIFICATION LC_ALL
++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0
 --- openssh-4.7p1/sshd_config.0.redhat 2007-09-04 08:50:11.000000000 +0200
 +++ openssh-4.7p1/sshd_config.0 2007-09-06 16:21:49.000000000 +0200
diff --git a/openssh-5.0p1-pam_selinux.patch b/openssh-5.0p1-pam_selinux.patch
new file mode 100644
index 0000000..acd1611
--- /dev/null
+++ b/openssh-5.0p1-pam_selinux.patch
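Review bot: The new `AcceptEnv ... LANGUAGE` entry at the end of the first hunk hands the client one more variable that lands in the server-side session environment, and LANGUAGE (a GNU gettext extension that, as far as I know, is consulted ahead of LC_ALL/LC_MESSAGES for message catalogs) reaches forced commands and restricted shells exactly like the LC_* names already listed. sshd_config(5) itself warns that accepted variables can be used to bypass restricted user environments, so the comment above the list should carry that caveat instead of only naming the class of variables: `# Accept locale-related environment variables (client-controlled; review before relying on ForceCommand/restricted shells)`. The paired `SendEnv` change in the second hunk is the client side of the same setting and needs nothing further.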
@@ -0,0 +1,156 @@
+diff -up openssh-5.0p1/auth-pam.h.pam_selinux openssh-5.0p1/auth-pam.h
+--- openssh-5.0p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
++++ openssh-5.0p1/auth-pam.h 2008-04-30 14:25:28.000000000 +0200
+@@ -38,7 +38,7 @@ void do_pam_session(void);
+ void do_pam_set_tty(const char *);
+ void do_pam_setcred(int );
+ void do_pam_chauthtok(void);
+-int do_pam_putenv(char *, char *);
++int do_pam_putenv(char *, const char *);
+ char ** fetch_pam_environment(void);
+ char ** fetch_pam_child_environment(void);
+ void free_pam_environment(char **);
+diff -up openssh-5.0p1/auth-pam.c.pam_selinux openssh-5.0p1/auth-pam.c
+--- openssh-5.0p1/auth-pam.c.pam_selinux 2008-03-11 12:58:25.000000000 +0100
++++ openssh-5.0p1/auth-pam.c 2008-04-30 14:25:21.000000000 +0200
+@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
+ * during the ssh authentication process.
+ */
+ int
+-do_pam_putenv(char *name, char *value)
++do_pam_putenv(char *name, const char *value)
+ {
+ int ret = 1;
+ #ifdef HAVE_PAM_PUTENV
+diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/openbsd-compat/port-linux.c
+--- openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux 2008-04-07 22:01:37.000000000 +0200
++++ openssh-5.0p1/openbsd-compat/port-linux.c 2008-04-30 14:26:17.000000000 +0200
+@@ -34,6 +34,7 @@
+ #include "hostfile.h"
+ #include "auth.h"
+ #include "xmalloc.h"
++#include "servconf.h"
+ 
+ #include
+ #include
+@@ -47,6 +48,7 @@
+ #include
+ #endif
+ 
++extern ServerOptions options;
+ extern Authctxt *the_authctxt;
+ extern int inetd_flag;
+ extern int rexeced_flag;
+@@ -208,29 +210,38 @@ get_user_context(const char *sename, con
+ return -1;
+ }
+ 
++static void
++ssh_selinux_get_role_level(char **role, const char **level)
++{
++ *role = NULL;
++ *level = NULL;
++ if (the_authctxt) {
++ if (the_authctxt->role != NULL) {
++ char *slash;
++ *role = xstrdup(the_authctxt->role);
++ if ((slash = strchr(*role, '/')) != NULL) {
++ *slash = '\0';
++ *level = slash + 1;
++ }
++ }
++ }
++}
++ 
+ /* Return the default security context for the given username */
+ static int
+ ssh_selinux_getctxbyname(char *pwname,
+ security_context_t *default_sc, security_context_t *user_sc)
+ {
+ char *sename, *lvl;
+- const char *reqlvl = NULL;
+- char *role = NULL;
++ const char *reqlvl;
++ char *role;
+ int r = -1;
+ context_t con = NULL;
+ 
+ *default_sc = NULL;
+ *user_sc = NULL;
+- if (the_authctxt) {
+- if (the_authctxt->role != NULL) {
+- char *slash;
+- role = xstrdup(the_authctxt->role);
+- if ((slash = strchr(role, '/')) != NULL) {
+- *slash = '\0';
+- reqlvl = slash + 1;
+- }
+- }
+- }
++ 
++ ssh_selinux_get_role_level(&role, &reqlvl);
+ 
+ #ifdef HAVE_GETSEUSERBYNAME
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+@@ -311,6 +322,36 @@ ssh_selinux_getctxbyname(char *pwname,
+ return (r);
+ }
+ 
++/* Setup environment variables for pam_selinux */
++static int
++ssh_selinux_setup_pam_variables(void)
++{
++ const char *reqlvl;
++ char *role;
++ char *use_current;
++ int rv;
++ 
++ debug3("%s: setting execution context", __func__);
++ 
++ ssh_selinux_get_role_level(&role, &reqlvl);
++ 
++ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
++ 
++ if (inetd_flag && !rexeced_flag) {
++ use_current = "1";
++ } else {
++ use_current = "";
++ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
++ }
++ 
++ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
++ 
++ if (role != NULL)
++ xfree(role);
++ 
++ return rv;
++}
++ 
+ /* Set the execution context to the default for the specified user */
+ void
+ ssh_selinux_setup_exec_context(char *pwname)
+@@ -322,6 +363,24 @@ ssh_selinux_setup_exec_context(char *pwn
+ if (!ssh_selinux_enabled())
+ return;
+ 
++ if (options.use_pam) {
++ /* do not compute context, just setup environment for pam_selinux */
++ if (ssh_selinux_setup_pam_variables()) {
++ switch (security_getenforce()) {
++ case -1:
++ fatal("%s: security_getenforce() failed", __func__);
++ case 0:
++ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
++ __func__);
++ break;
++ default:
++ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
++ __func__);
++ }
++ }
++ return;
++ }
++ 
+ debug3("%s: setting execution context", __func__);
+ 
+ r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
diff --git a/openssh-5.0p1-unbreakalive.patch b/openssh-5.0p1-unbreakalive.patch
new file mode 100644
index 0000000..b1dafa5
--- /dev/null
+++ b/openssh-5.0p1-unbreakalive.patch
@@ -0,0 +1,20 @@
+Index: packet.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/packet.c,v
+retrieving revision 1.152
+diff -u -p packet.c
+--- packet.c 8 May 2008 06:59:01 -0000
++++ packet.c 19 May 2008 04:00:34 -0000
+@@ -1185,9 +1185,10 @@ packet_read_poll_seqnr(u_int32_t *seqnr_
+ for (;;) {
+ if (compat20) {
+ type = packet_read_poll2(seqnr_p);
+- keep_alive_timeouts = 0;
+- if (type)
++ if (type) {
++ keep_alive_timeouts = 0;
+ DBG(debug("received packet type %d", type));
++ }
+ switch (type) {
+ case SSH2_MSG_IGNORE:
+ debug3("Received SSH2_MSG_IGNORE");
diff --git a/openssh.spec b/openssh.spec
index 0051c84..5968e88 100644
--- a/openssh.spec
+++ b/openssh.spec
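Review bot: In the `ssh_selinux_setup_exec_context()` hunk, any non-zero `rv` from `ssh_selinux_setup_pam_variables()` ends in `fatal()` under enforcing mode, yet the `do_pam_putenv()` hunk shows `int ret = 1;` set before the `#ifdef HAVE_PAM_PUTENV` block, so a build without pam_putenv would report failure on every call and abort every UsePAM connection on an enforcing host (the rest of `do_pam_putenv()` lies outside the hunk, so confirm no other path returns 0). Rather than abort, either wrap the `options.use_pam` branch in `#ifdef HAVE_PAM_PUTENV` or fall through to the existing `ssh_selinux_getctxbyname()` path when the variables cannot be exported. The early `return` in that branch also means that if the PAM stack never runs `pam_selinux.so open`, the session silently keeps sshd's own context; a `verbose("%s: delegating SELinux context to pam_selinux", __func__)` there would make that misconfiguration visible in the log. Minor: the `debug3("%s: setting execution context", ...)` copied into the new helper no longer describes what it does and would read better as `"%s: exporting SELinux role/level to PAM"`.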
@@ -63,7 +63,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.0p1
-Release: 1%{?dist}%{?rescue_rel}
+Release: 2%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -96,6 +96,9 @@ Patch54: openssh-4.7p1-gssapi-role.patch
 Patch55: openssh-4.7p1-cloexec.patch
 Patch58: openssh-4.5p1-controlcleanup.patch
 Patch59: openssh-4.7p1-master-race.patch
+Patch60: openssh-5.0p1-pam_selinux.patch
+Patch61: openssh-5.0p1-unbreakalive.patch
+Patch62: openssh-3.9p1-scp-manpage.patch
 License: BSD
 Group: Applications/Internet
@@ -156,7 +159,7 @@ Group: System Environment/Daemons
 Requires: openssh = %{version}-%{release}
 Requires(post): chkconfig >= 0.9, /sbin/service
 Requires(pre): /usr/sbin/useradd
-Requires: /etc/pam.d/system-auth, /%{_lib}/security/pam_loginuid.so
+Requires: pam >= 1.0.1-3
 %package askpass
 Summary: A passphrase dialog for OpenSSH and X
@@ -228,6 +231,9 @@ an X11 passphrase dialog for OpenSSH.
 %patch55 -p1 -b .cloexec
 %patch58 -p1 -b .controlcleanup
 %patch59 -p1 -b .master-race
+%patch60 -p1 -b .pam_selinux
+%patch61 -p0 -b .unbreakalive
+%patch62 -p0 -b .manpage
 autoreconf
@@ -478,6 +484,12 @@ fi
 %endif
 %changelog
+* Mon May 19 2008 Tomas Mraz - 5.0p1-2
+- add LANGUAGE to accepted/sent environment variables (#443231)
+- use pam_selinux to obtain the user context instead of doing it itself
+- unbreak server keep alive settings (patch from upstream)
+- small addition to scp manpage
 * Mon Apr 7 2008 Tomas Mraz - 5.0p1-1
 - upgrade to new upstream (#441066)
 - prevent initscript from killing itself on halt with upstart (#438449)
diff --git a/sshd.pam b/sshd.pam
index e40d116..54c526c 100644
--- a/sshd.pam
+++ b/sshd.pam
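Review bot: The `Requires: pam >= 1.0.1-3` line in the @@ -156 hunk replaces two file-level requirements with a bare versioned dependency and nothing records why that release; since the new sshd.pam depends on `pam_selinux.so open env_params`, I assume 1.0.1-3 is the first pam build whose pam_selinux understands `env_params` and the SELINUX_ROLE_REQUESTED/SELINUX_LEVEL_REQUESTED/SELINUX_USE_CURRENT_RANGE variables that the pam_selinux patch exports, but that should be confirmed and written down: `# pam_selinux env_params support (needed by sshd.pam)`. Dropping the explicit `/etc/pam.d/system-auth` requirement is only safe if the pam package now guarantees that file, because `session include system-auth` in sshd.pam presumably fails closed for every sshd login when it is absent.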
@@ -3,6 +3,10 @@ auth include system-auth
 account required pam_nologin.so
 account include system-auth
 password include system-auth
-session optional pam_keyinit.so force revoke
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
 session include system-auth
 session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session optional pam_keyinit.so force revoke
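Review bot: `session required pam_selinux.so open env_params` is, as I understand the module, the only point at which the SELINUX_* variables exported by the patched sshd are actually consumed, and with `required` a missing module or unknown option fails the session rather than silently leaving the user in sshd's own context; that fail-closed behaviour is right but deserves a comment so nobody "fixes" it by switching to `optional`: `# env_params reads SELINUX_ROLE_REQUESTED/LEVEL_REQUESTED/USE_CURRENT_RANGE set by sshd; keep this required`. Moving `pam_keyinit.so force revoke` below `open` means the session keyring is created after the context switch, which looks intentional but is not stated in the comment above it. `pam_loginuid.so` stays above `open` and so still runs in the sshd context; please confirm that is the intended side of the boundary, as the comment's ordering rule suggests.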