the private keys may be 640 root:ssh_keys ssh_keysign is sgid
parent
c7ffe02211
commit
1ddd0ee5d7
25
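--- a/openssh-5.8p1-keyperm.patch
+++ b/openssh-5.8p1-keyperm.patch
@@ -0,0 +1,25 @@
+diff -up openssh-5.8p1/authfile.c.keyperm openssh-5.8p1/authfile.c
+--- openssh-5.8p1/authfile.c.keyperm 2010-12-01 02:03:39.000000000 +0100
++++ openssh-5.8p1/authfile.c 2011-04-21 16:43:36.859648916 +0200
+@@ -57,6 +57,7 @@
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
++#include <grp.h>
+
+#include "xmalloc.h"
+#include "cipher.h"
+@@ -600,6 +612,13 @@ key_perm_ok(int fd, const char *filename
+#ifdef HAVE_CYGWIN
+if (check_ntsec(filename))
+#endif
++ if (st.st_mode & 040) {
++ struct group *gr;
++
++ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
++ st.st_mode &= ~040;
++ }
++
+if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
+error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");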
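Review bot: The group-read exemption added in the second hunk (`if (st.st_mode & 040) { ... }`) changes what key_perm_ok treats as a protected file and carries no comment saying why; I would add `/* Host keys may be 0640 root:ssh_keys so the sgid ssh-keysign can read them; group read by ssh_keys alone is not treated as exposure. */` above it. The exemption rests on the ssh_keys group having no human members, since any member could read such a key without the warning ever firing, and that assumption belongs in the comment. The check on the following line only runs when `st.st_uid == getuid()`, so the exemption presumably matters only for keys owned by the invoking user, which is worth confirming against how ssh-keysign is invoked. The new-side line number in the inner hunk header (`+612`, after a first hunk that adds only one line) suggests the patch was generated against a tree with other authfile.c changes; patch applies it with an offset, but regenerating against the series would make it clean. key_perm_ok starts and ends outside the hunk.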
19
openssh.spec
19
openssh.spec
@ -71,7 +71,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.8p1
|
||||
%define openssh_rel 26
|
||||
%define openssh_rel 27
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 30
|
||||
|
||||
@ -109,9 +109,9 @@ Patch2: openssh-5.8p1-audit2.patch
|
||||
Patch3: openssh-5.8p1-audit3.patch
|
||||
Patch4: openssh-5.8p1-audit4.patch
|
||||
Patch5: openssh-5.8p1-audit5.patch
|
||||
#?https://bugzilla.mindrot.org/show_bug.cgi?id=1889
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
|
||||
Patch6: openssh-5.8p1-packet.patch
|
||||
#?https://bugzilla.mindrot.org/show_bug.cgi?id=1890
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890
|
||||
Patch7: openssh-5.8p1-entropy.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
|
||||
Patch9: openssh-5.8p1-vendor.patch
|
||||
@ -145,9 +145,11 @@ Patch32: openssh-5.8p1-randclean.patch
|
||||
Patch34: openssh-5.8p1-kuserok.patch
|
||||
#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
|
||||
Patch35: openssh-5.8p1-glob.patch
|
||||
#?https://bugzilla.mindrot.org/show_bug.cgi?id=1891
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1891
|
||||
Patch36: openssh-5.8p1-pwchange.patch
|
||||
#?
|
||||
Patch37: openssh-5.8p1-keyperm.patch
|
||||
#?
|
||||
Patch50: openssh-5.8p1-fips.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
|
||||
Patch51: openssh-5.5p1-x11.patch
|
||||
@ -355,6 +357,7 @@ popd
|
||||
%patch34 -p1 -b .kuserok
|
||||
%patch35 -p1 -b .glob
|
||||
%patch36 -p1 -b .pwchange
|
||||
%patch37 -p1 -b .keyperm
|
||||
|
||||
%patch50 -p1 -b .fips
|
||||
%patch51 -p1 -b .x11
|
||||
@ -543,6 +546,9 @@ popd
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%pre
|
||||
getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
|
||||
|
||||
%pre server
|
||||
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
|
||||
%if %{nologin}
|
||||
@ -577,7 +583,7 @@ fi
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
||||
%attr(4111,root,root) %{_libexecdir}/openssh/ssh-keysign
|
||||
%attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
||||
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||
%endif
|
||||
%if %{scard}
|
||||
@ -661,6 +667,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Apr 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-27 + 0.9.2-30
|
||||
- the private keys may be 640 root:ssh_keys ssh_keysign is sgid
|
||||
|
||||
* Wed Apr 20 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-26 + 0.9.2-30
|
||||
- improving sshd -> passwd transation
|
||||
|
||||
|
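Review bot: The `%pre` scriptlet `getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :` ignores a failed groupadd, while the `%files` entry `%attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign` needs that group to exist at install time; as far as I recall rpm falls back to root with only a warning for an unknown group, which would leave ssh-keysign setgid root rather than setgid ssh_keys. Dropping the `|| :` so the install fails loudly, or verifying the group in `%post`, would close that gap. Nothing in this diff sets the host key files themselves to 0640 root:ssh_keys, which the new authfile.c check assumes, so that presumably happens in the init script or key generation path and should be confirmed alongside this change.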