coverity upgrade
experimental selinux sandbox
parent
c2ea13d263
commit
c870e661c7
@ -1,18 +1,23 @@
|
|||||||
diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
|
diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
|
||||||
--- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
|
--- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
|
||||||
+++ openssh-5.9p1/auth-pam.c 2011-09-09 15:13:32.820565436 +0200
|
+++ openssh-5.9p1/auth-pam.c 2011-09-13 08:41:24.635521346 +0200
|
||||||
@@ -216,7 +216,7 @@ pthread_join(sp_pthread_t thread, void *
|
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
|
||||||
if (sshpam_thread_status != -1)
|
if (sshpam_thread_status != -1)
|
||||||
return (sshpam_thread_status);
|
return (sshpam_thread_status);
|
||||||
signal(SIGCHLD, sshpam_oldsig);
|
signal(SIGCHLD, sshpam_oldsig);
|
||||||
- waitpid(thread, &status, 0);
|
- waitpid(thread, &status, 0);
|
||||||
+ (void) waitpid(thread, &status, 0);
|
+ while (waitpid(thread, &status, 0) < 0) {
|
||||||
|
+ if (errno == EINTR)
|
||||||
|
+ continue;
|
||||||
|
+ fatal("%s: waitpid: %s", __func__,
|
||||||
|
+ strerror(errno));
|
||||||
|
+ }
|
||||||
return (status);
|
return (status);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
|
diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
|
||||||
--- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200
|
--- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200
|
||||||
+++ openssh-5.9p1/channels.c 2011-09-09 15:13:32.911439569 +0200
|
+++ openssh-5.9p1/channels.c 2011-09-13 08:26:11.771584519 +0200
|
||||||
@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
|
@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
|
||||||
channel_max_fd = MAX(channel_max_fd, wfd);
|
channel_max_fd = MAX(channel_max_fd, wfd);
|
||||||
channel_max_fd = MAX(channel_max_fd, efd);
|
channel_max_fd = MAX(channel_max_fd, efd);
|
||||||
@ -45,7 +50,7 @@ diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
|
|||||||
}
|
}
|
||||||
diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
|
diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
|
||||||
--- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
|
--- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
|
||||||
+++ openssh-5.9p1/clientloop.c 2011-09-09 15:13:33.017564323 +0200
|
+++ openssh-5.9p1/clientloop.c 2011-09-13 08:26:11.889458598 +0200
|
||||||
@@ -1970,6 +1970,7 @@ client_input_global_request(int type, u_
|
@@ -1970,6 +1970,7 @@ client_input_global_request(int type, u_
|
||||||
char *rtype;
|
char *rtype;
|
||||||
int want_reply;
|
int want_reply;
|
||||||
@ -56,7 +61,7 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
|
|||||||
want_reply = packet_get_char();
|
want_reply = packet_get_char();
|
||||||
diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
|
diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
|
||||||
--- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200
|
--- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200
|
||||||
+++ openssh-5.9p1/key.c 2011-09-09 15:13:33.145442605 +0200
|
+++ openssh-5.9p1/key.c 2011-09-13 08:26:12.000459857 +0200
|
||||||
@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
|
@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
|
||||||
success = 1;
|
success = 1;
|
||||||
/*XXXX*/
|
/*XXXX*/
|
||||||
@ -69,8 +74,8 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
|
|||||||
while (*cp == ' ' || *cp == '\t')
|
while (*cp == ' ' || *cp == '\t')
|
||||||
cp++;
|
cp++;
|
||||||
diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
||||||
--- openssh-5.9p1/monitor.c.coverity 2011-09-09 17:13:15.937439833 +0200
|
--- openssh-5.9p1/monitor.c.coverity 2011-08-05 22:15:18.000000000 +0200
|
||||||
+++ openssh-5.9p1/monitor.c 2011-09-09 17:15:18.625466696 +0200
|
+++ openssh-5.9p1/monitor.c 2011-09-13 08:26:12.132583409 +0200
|
||||||
@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
|
@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -93,8 +98,8 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
|||||||
buffer_put_int(m, allowed);
|
buffer_put_int(m, allowed);
|
||||||
buffer_put_int(m, forced_command != NULL);
|
buffer_put_int(m, forced_command != NULL);
|
||||||
diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
|
diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
|
||||||
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2011-09-09 17:29:14.709442881 +0200
|
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
|
||||||
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-09 17:32:48.770563974 +0200
|
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-13 08:26:12.298464549 +0200
|
||||||
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
||||||
struct sockaddr_in6 *in6;
|
struct sockaddr_in6 *in6;
|
||||||
u_int16_t *portp;
|
u_int16_t *portp;
|
||||||
@ -106,7 +111,7 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open
|
|||||||
if (sa == NULL) {
|
if (sa == NULL) {
|
||||||
diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
||||||
--- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200
|
--- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200
|
||||||
+++ openssh-5.9p1/packet.c 2011-09-09 15:13:33.263447887 +0200
|
+++ openssh-5.9p1/packet.c 2011-09-13 08:26:12.405461249 +0200
|
||||||
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
|
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
|
||||||
case DEATTACK_DETECTED:
|
case DEATTACK_DETECTED:
|
||||||
packet_disconnect("crc32 compensation attack: "
|
packet_disconnect("crc32 compensation attack: "
|
||||||
@ -126,7 +131,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
|||||||
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
|
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
|
||||||
diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
|
diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
|
||||||
--- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
|
--- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
|
||||||
+++ openssh-5.9p1/progressmeter.c 2011-09-09 15:13:33.382566039 +0200
|
+++ openssh-5.9p1/progressmeter.c 2011-09-13 08:26:12.511520013 +0200
|
||||||
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
|
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
|
||||||
|
|
||||||
static time_t start; /* start progress */
|
static time_t start; /* start progress */
|
||||||
@ -147,7 +152,7 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
|
|||||||
file = f;
|
file = f;
|
||||||
diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
|
diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
|
||||||
--- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
|
--- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
|
||||||
+++ openssh-5.9p1/progressmeter.h 2011-09-09 15:13:33.501438992 +0200
|
+++ openssh-5.9p1/progressmeter.h 2011-09-13 08:26:12.630521541 +0200
|
||||||
@@ -23,5 +23,5 @@
|
@@ -23,5 +23,5 @@
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
*/
|
*/
|
||||||
@ -157,7 +162,7 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
|
|||||||
void stop_progress_meter(void);
|
void stop_progress_meter(void);
|
||||||
diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
|
diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
|
||||||
--- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100
|
--- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100
|
||||||
+++ openssh-5.9p1/scp.c 2011-09-09 15:13:33.607564009 +0200
|
+++ openssh-5.9p1/scp.c 2011-09-13 08:26:12.748520967 +0200
|
||||||
@@ -155,7 +155,7 @@ killchild(int signo)
|
@@ -155,7 +155,7 @@ killchild(int signo)
|
||||||
{
|
{
|
||||||
if (do_cmd_pid > 1) {
|
if (do_cmd_pid > 1) {
|
||||||
@ -168,8 +173,8 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
|
|||||||
|
|
||||||
if (signo)
|
if (signo)
|
||||||
diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
||||||
--- openssh-5.9p1/servconf.c.coverity 2011-09-09 17:24:09.333561142 +0200
|
--- openssh-5.9p1/servconf.c.coverity 2011-06-23 00:30:03.000000000 +0200
|
||||||
+++ openssh-5.9p1/servconf.c 2011-09-09 17:26:41.488502345 +0200
|
+++ openssh-5.9p1/servconf.c 2011-09-13 08:26:12.854521290 +0200
|
||||||
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
|
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
|
||||||
fatal("%s line %d: Missing subsystem name.",
|
fatal("%s line %d: Missing subsystem name.",
|
||||||
filename, linenum);
|
filename, linenum);
|
||||||
@ -181,7 +186,7 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
|||||||
for (i = 0; i < options->num_subsystems; i++)
|
for (i = 0; i < options->num_subsystems; i++)
|
||||||
diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||||
--- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200
|
--- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200
|
||||||
+++ openssh-5.9p1/serverloop.c 2011-09-09 15:13:33.723564433 +0200
|
+++ openssh-5.9p1/serverloop.c 2011-09-13 08:26:12.968645756 +0200
|
||||||
@@ -147,13 +147,13 @@ notify_setup(void)
|
@@ -147,13 +147,13 @@ notify_setup(void)
|
||||||
static void
|
static void
|
||||||
notify_parent(void)
|
notify_parent(void)
|
||||||
@ -293,7 +298,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
|||||||
tun = forced_tun_device;
|
tun = forced_tun_device;
|
||||||
diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||||
--- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
--- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||||
+++ openssh-5.9p1/sftp-client.c 2011-09-09 15:13:33.845564522 +0200
|
+++ openssh-5.9p1/sftp-client.c 2011-09-13 08:26:13.083520760 +0200
|
||||||
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
|
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -518,7 +523,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
|||||||
size_t len = strlen(p1) + strlen(p2) + 2;
|
size_t len = strlen(p1) + strlen(p2) + 2;
|
||||||
diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
|
diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
|
||||||
--- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
|
--- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||||
+++ openssh-5.9p1/sftp-client.h 2011-09-09 15:13:33.954567073 +0200
|
+++ openssh-5.9p1/sftp-client.h 2011-09-13 08:26:13.181525164 +0200
|
||||||
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
|
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
|
||||||
u_int sftp_proto_version(struct sftp_conn *);
|
u_int sftp_proto_version(struct sftp_conn *);
|
||||||
|
|
||||||
@ -618,7 +623,7 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
|
|||||||
#endif
|
#endif
|
||||||
diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
|
diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
|
||||||
--- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
--- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||||
+++ openssh-5.9p1/sftp.c 2011-09-09 15:13:34.086441893 +0200
|
+++ openssh-5.9p1/sftp.c 2011-09-13 08:26:13.311521187 +0200
|
||||||
@@ -206,7 +206,7 @@ killchild(int signo)
|
@@ -206,7 +206,7 @@ killchild(int signo)
|
||||||
{
|
{
|
||||||
if (sshpid > 1) {
|
if (sshpid > 1) {
|
||||||
@ -733,7 +738,7 @@ diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
|
|||||||
char s_used[FMT_SCALED_STRSIZE];
|
char s_used[FMT_SCALED_STRSIZE];
|
||||||
diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
|
diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
|
||||||
--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
|
--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
|
||||||
+++ openssh-5.9p1/ssh-agent.c 2011-09-09 15:13:34.203567987 +0200
|
+++ openssh-5.9p1/ssh-agent.c 2011-09-13 08:26:13.416521025 +0200
|
||||||
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
|
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
|
||||||
sanitise_stdfd();
|
sanitise_stdfd();
|
||||||
|
|
||||||
@ -747,7 +752,7 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
|
|||||||
/* Disable ptrace on Linux without sgid bit */
|
/* Disable ptrace on Linux without sgid bit */
|
||||||
diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
|
diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
|
||||||
--- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200
|
--- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200
|
||||||
+++ openssh-5.9p1/sshd.c 2011-09-09 15:13:34.317564195 +0200
|
+++ openssh-5.9p1/sshd.c 2011-09-13 08:26:13.565519531 +0200
|
||||||
@@ -1302,6 +1302,9 @@ server_accept_loop(int *sock_in, int *so
|
@@ -1302,6 +1302,9 @@ server_accept_loop(int *sock_in, int *so
|
||||||
if (num_listen_socks < 0)
|
if (num_listen_socks < 0)
|
||||||
break;
|
break;
|
||||||
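Review bot: In the auth-pam.c part of the coverity patch (the `pthread_join` emulation, whose body starts outside the hunk), the new loop around `waitpid(thread, &status, 0)` calls `fatal()` on every failure except EINTR, and that includes ECHILD. The line just above restores the previous SIGCHLD disposition with `signal(SIGCHLD, sshpam_oldsig)`. That handler is not visible here, so it is worth confirming that it cannot reap the child first, because an already-finished authentication helper would then end in a fatal error rather than a status. The retry itself improves on the earlier `(void) waitpid(...)` form, which only silenced the checker and would still have returned `status` after a failed wait; its initialisation is not visible in the hunk. A short comment above the loop would record the intent, for example `/* never return an unset status to the caller: retry on EINTR, die otherwise */`.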
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-5.9p0/HOWTO.ldap-keys.ldap openssh-5.9p0/HOWTO.ldap-keys
|
diff -up openssh-5.9p1/HOWTO.ldap-keys.ldap openssh-5.9p1/HOWTO.ldap-keys
|
||||||
--- openssh-5.9p0/HOWTO.ldap-keys.ldap 2011-08-30 15:57:12.449212853 +0200
|
--- openssh-5.9p1/HOWTO.ldap-keys.ldap 2011-09-13 11:17:05.178644691 +0200
|
||||||
+++ openssh-5.9p0/HOWTO.ldap-keys 2011-08-30 15:57:12.453101662 +0200
|
+++ openssh-5.9p1/HOWTO.ldap-keys 2011-09-13 11:17:05.181522429 +0200
|
||||||
@@ -0,0 +1,108 @@
|
@@ -0,0 +1,108 @@
|
||||||
+
|
+
|
||||||
+HOW TO START
|
+HOW TO START
|
||||||
@ -110,9 +110,9 @@ diff -up openssh-5.9p0/HOWTO.ldap-keys.ldap openssh-5.9p0/HOWTO.ldap-keys
|
|||||||
+5) Author
|
+5) Author
|
||||||
+ Jan F. Chadima <jchadima@redhat.com>
|
+ Jan F. Chadima <jchadima@redhat.com>
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p0/Makefile.in.ldap openssh-5.9p0/Makefile.in
|
diff -up openssh-5.9p1/Makefile.in.ldap openssh-5.9p1/Makefile.in
|
||||||
--- openssh-5.9p0/Makefile.in.ldap 2011-08-30 15:57:01.693024742 +0200
|
--- openssh-5.9p1/Makefile.in.ldap 2011-09-13 11:17:04.064644353 +0200
|
||||||
+++ openssh-5.9p0/Makefile.in 2011-08-30 16:00:02.478212295 +0200
|
+++ openssh-5.9p1/Makefile.in 2011-09-13 11:20:16.996522219 +0200
|
||||||
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
|
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
|
||||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
@ -135,7 +135,7 @@ diff -up openssh-5.9p0/Makefile.in.ldap openssh-5.9p0/Makefile.in
|
|||||||
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
|
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
|
||||||
@@ -92,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
@@ -92,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||||
roaming_common.o roaming_serv.o \
|
roaming_common.o roaming_serv.o \
|
||||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
|
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-selinux.o
|
||||||
|
|
||||||
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||||
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
|
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
|
||||||
@ -207,9 +207,9 @@ diff -up openssh-5.9p0/Makefile.in.ldap openssh-5.9p0/Makefile.in
|
|||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||||
|
|
||||||
tests interop-tests: $(TARGETS)
|
tests interop-tests: $(TARGETS)
|
||||||
diff -up openssh-5.9p0/configure.ac.ldap openssh-5.9p0/configure.ac
|
diff -up openssh-5.9p1/configure.ac.ldap openssh-5.9p1/configure.ac
|
||||||
--- openssh-5.9p0/configure.ac.ldap 2011-08-30 15:57:11.297032991 +0200
|
--- openssh-5.9p1/configure.ac.ldap 2011-09-13 11:17:04.488583772 +0200
|
||||||
+++ openssh-5.9p0/configure.ac 2011-08-30 15:57:12.664024959 +0200
|
+++ openssh-5.9p1/configure.ac 2011-09-13 11:17:05.418529375 +0200
|
||||||
@@ -1433,6 +1433,106 @@ AC_ARG_WITH(authorized-keys-command,
|
@@ -1433,6 +1433,106 @@ AC_ARG_WITH(authorized-keys-command,
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
@ -317,9 +317,9 @@ diff -up openssh-5.9p0/configure.ac.ldap openssh-5.9p0/configure.ac
|
|||||||
dnl Checks for library functions. Please keep in alphabetical order
|
dnl Checks for library functions. Please keep in alphabetical order
|
||||||
AC_CHECK_FUNCS([ \
|
AC_CHECK_FUNCS([ \
|
||||||
arc4random \
|
arc4random \
|
||||||
diff -up openssh-5.9p0/ldap-helper.c.ldap openssh-5.9p0/ldap-helper.c
|
diff -up openssh-5.9p1/ldap-helper.c.ldap openssh-5.9p1/ldap-helper.c
|
||||||
--- openssh-5.9p0/ldap-helper.c.ldap 2011-08-30 15:57:12.754025033 +0200
|
--- openssh-5.9p1/ldap-helper.c.ldap 2011-09-13 11:17:05.527520185 +0200
|
||||||
+++ openssh-5.9p0/ldap-helper.c 2011-08-30 15:57:12.759025510 +0200
|
+++ openssh-5.9p1/ldap-helper.c 2011-09-13 11:17:05.531521117 +0200
|
||||||
@@ -0,0 +1,155 @@
|
@@ -0,0 +1,155 @@
|
||||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
@ -476,9 +476,9 @@ diff -up openssh-5.9p0/ldap-helper.c.ldap openssh-5.9p0/ldap-helper.c
|
|||||||
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
|
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
|
||||||
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
|
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p0/ldap-helper.h.ldap openssh-5.9p0/ldap-helper.h
|
diff -up openssh-5.9p1/ldap-helper.h.ldap openssh-5.9p1/ldap-helper.h
|
||||||
--- openssh-5.9p0/ldap-helper.h.ldap 2011-08-30 15:57:12.835024792 +0200
|
--- openssh-5.9p1/ldap-helper.h.ldap 2011-09-13 11:17:05.619520027 +0200
|
||||||
+++ openssh-5.9p0/ldap-helper.h 2011-08-30 15:57:12.839024637 +0200
|
+++ openssh-5.9p1/ldap-helper.h 2011-09-13 11:17:05.621522622 +0200
|
||||||
@@ -0,0 +1,32 @@
|
@@ -0,0 +1,32 @@
|
||||||
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
@ -512,9 +512,9 @@ diff -up openssh-5.9p0/ldap-helper.h.ldap openssh-5.9p0/ldap-helper.h
|
|||||||
+extern int config_warning_config_file;
|
+extern int config_warning_config_file;
|
||||||
+
|
+
|
||||||
+#endif /* LDAP_HELPER_H */
|
+#endif /* LDAP_HELPER_H */
|
||||||
diff -up openssh-5.9p0/ldap.conf.ldap openssh-5.9p0/ldap.conf
|
diff -up openssh-5.9p1/ldap.conf.ldap openssh-5.9p1/ldap.conf
|
||||||
--- openssh-5.9p0/ldap.conf.ldap 2011-08-30 15:57:12.929026186 +0200
|
--- openssh-5.9p1/ldap.conf.ldap 2011-09-13 11:17:05.697522387 +0200
|
||||||
+++ openssh-5.9p0/ldap.conf 2011-08-30 15:57:12.933024937 +0200
|
+++ openssh-5.9p1/ldap.conf 2011-09-13 11:17:05.699522577 +0200
|
||||||
@@ -0,0 +1,88 @@
|
@@ -0,0 +1,88 @@
|
||||||
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
||||||
+#
|
+#
|
||||||
@ -604,9 +604,9 @@ diff -up openssh-5.9p0/ldap.conf.ldap openssh-5.9p0/ldap.conf
|
|||||||
+#tls_cert
|
+#tls_cert
|
||||||
+#tls_key
|
+#tls_key
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p0/ldapbody.c.ldap openssh-5.9p0/ldapbody.c
|
diff -up openssh-5.9p1/ldapbody.c.ldap openssh-5.9p1/ldapbody.c
|
||||||
--- openssh-5.9p0/ldapbody.c.ldap 2011-08-30 15:57:13.005024661 +0200
|
--- openssh-5.9p1/ldapbody.c.ldap 2011-09-13 11:17:05.782571211 +0200
|
||||||
+++ openssh-5.9p0/ldapbody.c 2011-08-30 15:57:13.011024848 +0200
|
+++ openssh-5.9p1/ldapbody.c 2011-09-13 11:17:05.785584958 +0200
|
||||||
@@ -0,0 +1,494 @@
|
@@ -0,0 +1,494 @@
|
||||||
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
@ -1102,9 +1102,9 @@ diff -up openssh-5.9p0/ldapbody.c.ldap openssh-5.9p0/ldapbody.c
|
|||||||
+ return;
|
+ return;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p0/ldapbody.h.ldap openssh-5.9p0/ldapbody.h
|
diff -up openssh-5.9p1/ldapbody.h.ldap openssh-5.9p1/ldapbody.h
|
||||||
--- openssh-5.9p0/ldapbody.h.ldap 2011-08-30 15:57:13.087150596 +0200
|
--- openssh-5.9p1/ldapbody.h.ldap 2011-09-13 11:17:05.861522789 +0200
|
||||||
+++ openssh-5.9p0/ldapbody.h 2011-08-30 15:57:13.091149461 +0200
|
+++ openssh-5.9p1/ldapbody.h 2011-09-13 11:17:05.863522010 +0200
|
||||||
@@ -0,0 +1,37 @@
|
@@ -0,0 +1,37 @@
|
||||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
@ -1143,9 +1143,9 @@ diff -up openssh-5.9p0/ldapbody.h.ldap openssh-5.9p0/ldapbody.h
|
|||||||
+
|
+
|
||||||
+#endif /* LDAPBODY_H */
|
+#endif /* LDAPBODY_H */
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p0/ldapconf.c.ldap openssh-5.9p0/ldapconf.c
|
diff -up openssh-5.9p1/ldapconf.c.ldap openssh-5.9p1/ldapconf.c
|
||||||
--- openssh-5.9p0/ldapconf.c.ldap 2011-08-30 15:57:13.164036922 +0200
|
--- openssh-5.9p1/ldapconf.c.ldap 2011-09-13 11:17:05.937548294 +0200
|
||||||
+++ openssh-5.9p0/ldapconf.c 2011-08-30 15:57:13.171065499 +0200
|
+++ openssh-5.9p1/ldapconf.c 2011-09-13 11:17:05.941547073 +0200
|
||||||
@@ -0,0 +1,682 @@
|
@@ -0,0 +1,682 @@
|
||||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
@ -1829,9 +1829,9 @@ diff -up openssh-5.9p0/ldapconf.c.ldap openssh-5.9p0/ldapconf.c
|
|||||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p0/ldapconf.h.ldap openssh-5.9p0/ldapconf.h
|
diff -up openssh-5.9p1/ldapconf.h.ldap openssh-5.9p1/ldapconf.h
|
||||||
--- openssh-5.9p0/ldapconf.h.ldap 2011-08-30 15:57:13.265149057 +0200
|
--- openssh-5.9p1/ldapconf.h.ldap 2011-09-13 11:17:06.016522201 +0200
|
||||||
+++ openssh-5.9p0/ldapconf.h 2011-08-30 15:57:13.271153923 +0200
|
+++ openssh-5.9p1/ldapconf.h 2011-09-13 11:17:06.018522083 +0200
|
||||||
@@ -0,0 +1,71 @@
|
@@ -0,0 +1,71 @@
|
||||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
@ -1904,9 +1904,9 @@ diff -up openssh-5.9p0/ldapconf.h.ldap openssh-5.9p0/ldapconf.h
|
|||||||
+void dump_config(void);
|
+void dump_config(void);
|
||||||
+
|
+
|
||||||
+#endif /* LDAPCONF_H */
|
+#endif /* LDAPCONF_H */
|
||||||
diff -up openssh-5.9p0/ldapincludes.h.ldap openssh-5.9p0/ldapincludes.h
|
diff -up openssh-5.9p1/ldapincludes.h.ldap openssh-5.9p1/ldapincludes.h
|
||||||
--- openssh-5.9p0/ldapincludes.h.ldap 2011-08-30 15:57:13.344023601 +0200
|
--- openssh-5.9p1/ldapincludes.h.ldap 2011-09-13 11:17:06.123519312 +0200
|
||||||
+++ openssh-5.9p0/ldapincludes.h 2011-08-30 15:57:13.348024596 +0200
|
+++ openssh-5.9p1/ldapincludes.h 2011-09-13 11:17:06.126518977 +0200
|
||||||
@@ -0,0 +1,41 @@
|
@@ -0,0 +1,41 @@
|
||||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
@ -1949,9 +1949,9 @@ diff -up openssh-5.9p0/ldapincludes.h.ldap openssh-5.9p0/ldapincludes.h
|
|||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
+#endif /* LDAPINCLUDES_H */
|
+#endif /* LDAPINCLUDES_H */
|
||||||
diff -up openssh-5.9p0/ldapmisc.c.ldap openssh-5.9p0/ldapmisc.c
|
diff -up openssh-5.9p1/ldapmisc.c.ldap openssh-5.9p1/ldapmisc.c
|
||||||
--- openssh-5.9p0/ldapmisc.c.ldap 2011-08-30 15:57:13.429148896 +0200
|
--- openssh-5.9p1/ldapmisc.c.ldap 2011-09-13 11:17:06.195508388 +0200
|
||||||
+++ openssh-5.9p0/ldapmisc.c 2011-08-30 15:57:13.433150396 +0200
|
+++ openssh-5.9p1/ldapmisc.c 2011-09-13 11:17:06.197507964 +0200
|
||||||
@@ -0,0 +1,79 @@
|
@@ -0,0 +1,79 @@
|
||||||
+
|
+
|
||||||
+#include "ldapincludes.h"
|
+#include "ldapincludes.h"
|
||||||
@ -2032,9 +2032,9 @@ diff -up openssh-5.9p0/ldapmisc.c.ldap openssh-5.9p0/ldapmisc.c
|
|||||||
+}
|
+}
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p0/ldapmisc.h.ldap openssh-5.9p0/ldapmisc.h
|
diff -up openssh-5.9p1/ldapmisc.h.ldap openssh-5.9p1/ldapmisc.h
|
||||||
--- openssh-5.9p0/ldapmisc.h.ldap 2011-08-30 15:57:13.531150853 +0200
|
--- openssh-5.9p1/ldapmisc.h.ldap 2011-09-13 11:17:06.273496889 +0200
|
||||||
+++ openssh-5.9p0/ldapmisc.h 2011-08-30 15:57:13.537153831 +0200
|
+++ openssh-5.9p1/ldapmisc.h 2011-09-13 11:17:06.276496151 +0200
|
||||||
@@ -0,0 +1,35 @@
|
@@ -0,0 +1,35 @@
|
||||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
@ -2071,9 +2071,9 @@ diff -up openssh-5.9p0/ldapmisc.h.ldap openssh-5.9p0/ldapmisc.h
|
|||||||
+
|
+
|
||||||
+#endif /* LDAPMISC_H */
|
+#endif /* LDAPMISC_H */
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p0/openssh-lpk-openldap.schema.ldap openssh-5.9p0/openssh-lpk-openldap.schema
|
diff -up openssh-5.9p1/openssh-lpk-openldap.schema.ldap openssh-5.9p1/openssh-lpk-openldap.schema
|
||||||
--- openssh-5.9p0/openssh-lpk-openldap.schema.ldap 2011-08-30 15:57:13.607025841 +0200
|
--- openssh-5.9p1/openssh-lpk-openldap.schema.ldap 2011-09-13 11:17:06.349485171 +0200
|
||||||
+++ openssh-5.9p0/openssh-lpk-openldap.schema 2011-08-30 15:57:13.612150461 +0200
|
+++ openssh-5.9p1/openssh-lpk-openldap.schema 2011-09-13 11:17:06.351484488 +0200
|
||||||
@@ -0,0 +1,21 @@
|
@@ -0,0 +1,21 @@
|
||||||
+#
|
+#
|
||||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||||
@ -2096,9 +2096,9 @@ diff -up openssh-5.9p0/openssh-lpk-openldap.schema.ldap openssh-5.9p0/openssh-lp
|
|||||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||||
+ MUST ( sshPublicKey $ uid )
|
+ MUST ( sshPublicKey $ uid )
|
||||||
+ )
|
+ )
|
||||||
diff -up openssh-5.9p0/openssh-lpk-sun.schema.ldap openssh-5.9p0/openssh-lpk-sun.schema
|
diff -up openssh-5.9p1/openssh-lpk-sun.schema.ldap openssh-5.9p1/openssh-lpk-sun.schema
|
||||||
--- openssh-5.9p0/openssh-lpk-sun.schema.ldap 2011-08-30 15:57:13.696025724 +0200
|
--- openssh-5.9p1/openssh-lpk-sun.schema.ldap 2011-09-13 11:17:06.420474045 +0200
|
||||||
+++ openssh-5.9p0/openssh-lpk-sun.schema 2011-08-30 15:57:13.699024704 +0200
|
+++ openssh-5.9p1/openssh-lpk-sun.schema 2011-09-13 11:17:06.422473843 +0200
|
||||||
@@ -0,0 +1,23 @@
|
@@ -0,0 +1,23 @@
|
||||||
+#
|
+#
|
||||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||||
@ -2123,9 +2123,9 @@ diff -up openssh-5.9p0/openssh-lpk-sun.schema.ldap openssh-5.9p0/openssh-lpk-sun
|
|||||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||||
+ MUST ( sshPublicKey $ uid )
|
+ MUST ( sshPublicKey $ uid )
|
||||||
+ )
|
+ )
|
||||||
diff -up openssh-5.9p0/ssh-ldap-helper.8.ldap openssh-5.9p0/ssh-ldap-helper.8
|
diff -up openssh-5.9p1/ssh-ldap-helper.8.ldap openssh-5.9p1/ssh-ldap-helper.8
|
||||||
--- openssh-5.9p0/ssh-ldap-helper.8.ldap 2011-08-30 15:57:13.772026539 +0200
|
--- openssh-5.9p1/ssh-ldap-helper.8.ldap 2011-09-13 11:17:06.504461435 +0200
|
||||||
+++ openssh-5.9p0/ssh-ldap-helper.8 2011-08-30 15:57:13.778026299 +0200
|
+++ openssh-5.9p1/ssh-ldap-helper.8 2011-09-13 11:17:06.506460976 +0200
|
||||||
@@ -0,0 +1,79 @@
|
@@ -0,0 +1,79 @@
|
||||||
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||||
+.\"
|
+.\"
|
||||||
@ -2206,17 +2206,17 @@ diff -up openssh-5.9p0/ssh-ldap-helper.8.ldap openssh-5.9p0/ssh-ldap-helper.8
|
|||||||
+OpenSSH 5.5 + PKA-LDAP .
|
+OpenSSH 5.5 + PKA-LDAP .
|
||||||
+.Sh AUTHORS
|
+.Sh AUTHORS
|
||||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||||
diff -up openssh-5.9p0/ssh-ldap-wrapper.ldap openssh-5.9p0/ssh-ldap-wrapper
|
diff -up openssh-5.9p1/ssh-ldap-wrapper.ldap openssh-5.9p1/ssh-ldap-wrapper
|
||||||
--- openssh-5.9p0/ssh-ldap-wrapper.ldap 2011-08-30 15:57:13.854024986 +0200
|
--- openssh-5.9p1/ssh-ldap-wrapper.ldap 2011-09-13 11:17:06.574455869 +0200
|
||||||
+++ openssh-5.9p0/ssh-ldap-wrapper 2011-08-30 15:57:13.858149926 +0200
|
+++ openssh-5.9p1/ssh-ldap-wrapper 2011-09-13 11:17:06.576475704 +0200
|
||||||
@@ -0,0 +1,4 @@
|
@@ -0,0 +1,4 @@
|
||||||
+#!/bin/sh
|
+#!/bin/sh
|
||||||
+
|
+
|
||||||
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
|
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p0/ssh-ldap.conf.5.ldap openssh-5.9p0/ssh-ldap.conf.5
|
diff -up openssh-5.9p1/ssh-ldap.conf.5.ldap openssh-5.9p1/ssh-ldap.conf.5
|
||||||
--- openssh-5.9p0/ssh-ldap.conf.5.ldap 2011-08-30 15:57:13.934151066 +0200
|
--- openssh-5.9p1/ssh-ldap.conf.5.ldap 2011-09-13 11:17:06.650522542 +0200
|
||||||
+++ openssh-5.9p0/ssh-ldap.conf.5 2011-08-30 15:57:13.942024641 +0200
|
+++ openssh-5.9p1/ssh-ldap.conf.5 2011-09-13 11:17:06.653474746 +0200
|
||||||
@@ -0,0 +1,376 @@
|
@@ -0,0 +1,376 @@
|
||||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||||
+.\"
|
+.\"
|
||||||
|
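--- a/openssh-5.9p1-sesandbox.patch
+++ b/openssh-5.9p1-sesandbox.patch
@@ -0,0 +1,228 @@
+diff -up openssh-5.9p1/Makefile.in.sesandbox openssh-5.9p1/Makefile.in
+--- openssh-5.9p1/Makefile.in.sesandbox 2011-09-13 16:00:58.201646362 +0200
++++ openssh-5.9p1/Makefile.in 2011-09-13 16:01:08.284466746 +0200
+@@ -90,7 +90,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+sftp-server.o sftp-common.o \
+roaming_common.o roaming_serv.o \
+- sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
++ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-selinux.o
+
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+diff -up openssh-5.9p1/configure.ac.sesandbox openssh-5.9p1/configure.ac
+--- openssh-5.9p1/configure.ac.sesandbox 2011-08-18 06:48:24.000000000 +0200
++++ openssh-5.9p1/configure.ac 2011-09-13 16:01:08.537509294 +0200
+@@ -2476,7 +2476,7 @@ AC_SUBST([SSH_PRIVSEP_USER])
+# Decide which sandbox style to use
+sandbox_arg=""
+AC_ARG_WITH([sandbox],
+- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace)],
++ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, selinux)],
+[
+if test "x$withval" = "xyes" ; then
+sandbox_arg=""
+@@ -2499,6 +2499,10 @@ elif test "x$sandbox_arg" = "xdarwin" ||
+AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
+SANDBOX_STYLE="darwin"
+AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
++elif test "x$sandbox_arg" = "xselinux" \\
++ test "x$WITH_SELINUX" = "x1"; then
++ SANDBOX_STYLE="selinux"
++ AC_DEFINE([SANDBOX_SELINUX], [1], [Sandbox using selinux(8)])
+elif test "x$sandbox_arg" = "xrlimit" || \
+( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
+test "x$ac_cv_func_setrlimit" != "xyes" && \
+diff -up openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox openssh-5.9p1/openbsd-compat/port-linux.c
+--- openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox 2011-09-13 16:09:04.534585160 +0200
++++ openssh-5.9p1/openbsd-compat/port-linux.c 2011-09-13 16:13:51.827640965 +0200
+@@ -459,24 +459,24 @@ ssh_selinux_setup_pty(char *pwname, cons
+debug3("%s: done", __func__);
+}
+
+-void
++int
+ssh_selinux_change_context(const char *newname)
+{
+- int len, newlen;
++ int len, newlen, rv = -1;
+char *oldctx, *newctx, *cx;
+void (*switchlog) (const char *fmt,...) = logit;
+
+if (!ssh_selinux_enabled())
+- return;
++ return -2;
+
+if (getcon((security_context_t *)&oldctx) < 0) {
+logit("%s: getcon failed with %s", __func__, strerror(errno));
+- return;
++ return -1;
+}
+if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
+NULL) {
+logit ("%s: unparseable context %s", __func__, oldctx);
+- return;
++ return -1;
+}
+
+/*
+@@ -484,8 +484,10 @@ ssh_selinux_change_context(const char *n
+* security context.
+*/
+if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
+- sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
++ sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0) {
+switchlog = debug3;
++ rv = -2;
++ }
+
+newlen = strlen(oldctx) + strlen(newname) + 1;
+newctx = xmalloc(newlen);
+@@ -499,8 +501,11 @@ ssh_selinux_change_context(const char *n
+if (setcon(newctx) < 0)
+switchlog("%s: setcon %s from %s failed with %s", __func__,
+newctx, oldctx, strerror(errno));
++ else
++ rv = 0;
+xfree(oldctx);
+xfree(newctx);
++ return rv;
+}
+
+void
+diff -up openssh-5.9p1/openbsd-compat/port-linux.h.sesandbox openssh-5.9p1/openbsd-compat/port-linux.h
+--- openssh-5.9p1/openbsd-compat/port-linux.h.sesandbox 2011-09-13 16:14:10.371460199 +0200
++++ openssh-5.9p1/openbsd-compat/port-linux.h 2011-09-13 16:14:40.377646062 +0200
+@@ -23,7 +23,7 @@
+int ssh_selinux_enabled(void);
+void ssh_selinux_setup_pty(char *, const char *);
+void ssh_selinux_setup_exec_context(char *);
+-void ssh_selinux_change_context(const char *);
++int ssh_selinux_change_context(const char *);
+void ssh_selinux_chopy_context(void);
+void ssh_selinux_setfscreatecon(const char *);
+#endif
+diff -up openssh-5.9p1/sandbox-selinux.c.sesandbox openssh-5.9p1/sandbox-selinux.c
+--- openssh-5.9p1/sandbox-selinux.c.sesandbox 2011-09-13 16:01:08.715520826 +0200
++++ openssh-5.9p1/sandbox-selinux.c 2011-09-13 16:20:02.463511312 +0200
+@@ -0,0 +1,120 @@
++/* $Id: sandbox-selinux.c,v 1.0 2011/01/17 10:15:30 jfch Exp $ */
++
++/*
++ * Copyright 2011 Red Hat, Inc. All rights reserved.
++ * Use is subject to license terms.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
++ */
++
++
++#include "includes.h"
++
++#ifdef SANDBOX_SELINUX
++
++#include <sys/types.h>
++
++#include <errno.h>
++#include <stdarg.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++
++#include "log.h"
++#include "ssh-sandbox.h"
++#include "xmalloc.h"
++#include "openbsd-comnpat/port-linux.h"
++
++/* selinux based sandbox */
++
++struct ssh_sandbox {
++ pid_t child_pid;
++};
++
++struct ssh_sandbox *
++ssh_sandbox_init(void)
++{
++ struct ssh_sandbox *box;
++
++ /*
++ * Strictly, we don't need to maintain any state here but we need
++ * to return non-NULL to satisfy the API.
++ */
++ box = xcalloc(1, sizeof(*box));
++ box->child_pid = 0;
++ return box;
++}
++
++static void
++rlimit_ssh_sandbox_child(struct ssh_sandbox *box)
++{
++ struct rlimit rl_zero;
++
++ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
++
++ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
++ __func__, strerror(errno));
++ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
++ __func__, strerror(errno));
++#ifdef HAVE_RLIMIT_NPROC
++ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
++ __func__, strerror(errno));
++#endif
++}
++
++void
++ssh_sandbox_child(struct ssh_sandbox *box)
++{
++ switch (ssh_selinux_change_context("sshd_sandbox_t")) {
++ case 0:
++ debug3("selinux sandbox sucessfully enabled");
++ break;
++ case -2:
++ logit("selinux not useful, using rlimit sandbox instead");
++ rlimit_ssh_sandbox_child(box);
++ break;
++ case -1:
++ fatal("cannot set up selinux sandbox");
++ default:
++ fatal("inmternal error in selinux sandbox");
++ }
++}
++
++void
++ssh_sandbox_parent_finish(struct ssh_sandbox *box)
++{
++ free(box);
++ debug3("%s: finished", __func__);
++}
++
++void
++ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
++{
++ box->child_pid = child_pid;
++}
++
++#endif /* SANDBOX_NULL */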
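Review bot: In the new sandbox-selinux.c, `#include "openbsd-comnpat/port-linux.h"` misspells the directory, so the file cannot compile once SANDBOX_SELINUX is defined; it should be `#include "openbsd-compat/port-linux.h"`. rlimit_ssh_sandbox_child() also uses `struct rlimit` and setrlimit() with no `#include <sys/resource.h>` in the file, which only works if includes.h already provides it. In the configure.ac hunk, `elif test "x$sandbox_arg" = "xselinux" \\` ends in a doubled backslash with no `&&` or `||` before the next `test`, so as written the first test receives a stray argument and only the `WITH_SELINUX` comparison decides the branch; `elif test "x$sandbox_arg" = "xselinux" && \` looks like the intent. Since the whole C file sits inside `#ifdef SANDBOX_SELINUX`, a build that never selects this style compiles cleanly and silently keeps another sandbox, so it is worth confirming the chosen style in the configure output. The closing `#endif /* SANDBOX_NULL */` should be labelled `SANDBOX_SELINUX`.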
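--- a/openssh.spec
+++ b/openssh.spec
@@ -79,7 +79,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.9p1
-%define openssh_rel 7
+%define openssh_rel 8
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 32
 
@@ -145,6 +145,8 @@ Patch400: openssh-5.9p1-role.patch
 Patch401: openssh-5.9p1-mls.patch
 #?
 Patch402: openssh-5.9p1-sftp-chroot.patch
+#?
+Patch403: openssh-5.9p1-sesandbox.patch
 
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
 Patch500: openssh-5.9p1-akc.patch
@@ -412,6 +414,7 @@ popd
 %patch400 -p1 -b .role
 %patch401 -p1 -b .mls
 %patch402 -p1 -b .sftp-chroot
+%patch403 -p1 -b .sesandbox
 %endif
 
 %patch500 -p1 -b .akc
@@ -517,7 +520,7 @@ fi
 --with-pam \
 %endif
 %if %{WITH_SELINUX}
---with-selinux --with-audit=linux \
+--with-selinux --with-audit=linux --with-sandbox-style=selinux \
 %endif
 %if %{kerberos5}
 --with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
@@ -786,6 +789,10 @@ fi
 %endif
 
 %changelog
+* Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-8 + 0.9.2-32
+- coverity upgrade
+- experimental selinux sandbox
+
 * Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-7 + 0.9.2-32
 - fully reanable auditing
 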
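Review bot: The configure argument added under `%if %{WITH_SELINUX}`, `--with-sandbox-style=selinux`, does not match the option that the sesandbox patch in this commit declares in configure.ac, which is `--with-sandbox=style`. Autoconf normally only warns about an unrecognized `--with-*` option, so the build would presumably still succeed with `sandbox_arg` empty and pick the default sandbox style rather than the SELinux one. The line should read `--with-selinux --with-audit=linux --with-sandbox=selinux \`, and the configure output is worth checking for the selected sandbox style after the change.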
|