coverity upgrade
experimental selinux sandbox
This commit is contained in:
parent
c2ea13d263
commit
c870e661c7
@ -1,18 +1,23 @@
|
||||
diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
|
||||
--- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
|
||||
+++ openssh-5.9p1/auth-pam.c 2011-09-09 15:13:32.820565436 +0200
|
||||
@@ -216,7 +216,7 @@ pthread_join(sp_pthread_t thread, void *
|
||||
+++ openssh-5.9p1/auth-pam.c 2011-09-13 08:41:24.635521346 +0200
|
||||
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
|
||||
if (sshpam_thread_status != -1)
|
||||
return (sshpam_thread_status);
|
||||
signal(SIGCHLD, sshpam_oldsig);
|
||||
- waitpid(thread, &status, 0);
|
||||
+ (void) waitpid(thread, &status, 0);
|
||||
+ while (waitpid(thread, &status, 0) < 0) {
|
||||
+ if (errno == EINTR)
|
||||
+ continue;
|
||||
+ fatal("%s: waitpid: %s", __func__,
|
||||
+ strerror(errno));
|
||||
+ }
|
||||
return (status);
|
||||
}
|
||||
#endif
|
||||
diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
|
||||
--- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200
|
||||
+++ openssh-5.9p1/channels.c 2011-09-09 15:13:32.911439569 +0200
|
||||
+++ openssh-5.9p1/channels.c 2011-09-13 08:26:11.771584519 +0200
|
||||
@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
channel_max_fd = MAX(channel_max_fd, wfd);
|
||||
channel_max_fd = MAX(channel_max_fd, efd);
|
||||
@ -45,7 +50,7 @@ diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
|
||||
}
|
||||
diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
|
||||
--- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
|
||||
+++ openssh-5.9p1/clientloop.c 2011-09-09 15:13:33.017564323 +0200
|
||||
+++ openssh-5.9p1/clientloop.c 2011-09-13 08:26:11.889458598 +0200
|
||||
@@ -1970,6 +1970,7 @@ client_input_global_request(int type, u_
|
||||
char *rtype;
|
||||
int want_reply;
|
||||
@ -56,7 +61,7 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
|
||||
want_reply = packet_get_char();
|
||||
diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
|
||||
--- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200
|
||||
+++ openssh-5.9p1/key.c 2011-09-09 15:13:33.145442605 +0200
|
||||
+++ openssh-5.9p1/key.c 2011-09-13 08:26:12.000459857 +0200
|
||||
@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
|
||||
success = 1;
|
||||
/*XXXX*/
|
||||
@ -69,8 +74,8 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
|
||||
while (*cp == ' ' || *cp == '\t')
|
||||
cp++;
|
||||
diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.coverity 2011-09-09 17:13:15.937439833 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-09 17:15:18.625466696 +0200
|
||||
--- openssh-5.9p1/monitor.c.coverity 2011-08-05 22:15:18.000000000 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-13 08:26:12.132583409 +0200
|
||||
@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
break;
|
||||
}
|
||||
@ -93,8 +98,8 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
||||
buffer_put_int(m, allowed);
|
||||
buffer_put_int(m, forced_command != NULL);
|
||||
diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2011-09-09 17:29:14.709442881 +0200
|
||||
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-09 17:32:48.770563974 +0200
|
||||
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
|
||||
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-13 08:26:12.298464549 +0200
|
||||
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
||||
struct sockaddr_in6 *in6;
|
||||
u_int16_t *portp;
|
||||
@ -106,7 +111,7 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open
|
||||
if (sa == NULL) {
|
||||
diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
||||
--- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200
|
||||
+++ openssh-5.9p1/packet.c 2011-09-09 15:13:33.263447887 +0200
|
||||
+++ openssh-5.9p1/packet.c 2011-09-13 08:26:12.405461249 +0200
|
||||
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
|
||||
case DEATTACK_DETECTED:
|
||||
packet_disconnect("crc32 compensation attack: "
|
||||
@ -126,7 +131,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
||||
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
|
||||
diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
|
||||
--- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-5.9p1/progressmeter.c 2011-09-09 15:13:33.382566039 +0200
|
||||
+++ openssh-5.9p1/progressmeter.c 2011-09-13 08:26:12.511520013 +0200
|
||||
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
|
||||
|
||||
static time_t start; /* start progress */
|
||||
@ -147,7 +152,7 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
|
||||
file = f;
|
||||
diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
|
||||
--- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
|
||||
+++ openssh-5.9p1/progressmeter.h 2011-09-09 15:13:33.501438992 +0200
|
||||
+++ openssh-5.9p1/progressmeter.h 2011-09-13 08:26:12.630521541 +0200
|
||||
@@ -23,5 +23,5 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
@ -157,7 +162,7 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
|
||||
void stop_progress_meter(void);
|
||||
diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
|
||||
--- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100
|
||||
+++ openssh-5.9p1/scp.c 2011-09-09 15:13:33.607564009 +0200
|
||||
+++ openssh-5.9p1/scp.c 2011-09-13 08:26:12.748520967 +0200
|
||||
@@ -155,7 +155,7 @@ killchild(int signo)
|
||||
{
|
||||
if (do_cmd_pid > 1) {
|
||||
@ -168,8 +173,8 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
|
||||
|
||||
if (signo)
|
||||
diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.coverity 2011-09-09 17:24:09.333561142 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2011-09-09 17:26:41.488502345 +0200
|
||||
--- openssh-5.9p1/servconf.c.coverity 2011-06-23 00:30:03.000000000 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2011-09-13 08:26:12.854521290 +0200
|
||||
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
|
||||
fatal("%s line %d: Missing subsystem name.",
|
||||
filename, linenum);
|
||||
@ -181,7 +186,7 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
||||
for (i = 0; i < options->num_subsystems; i++)
|
||||
diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
--- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200
|
||||
+++ openssh-5.9p1/serverloop.c 2011-09-09 15:13:33.723564433 +0200
|
||||
+++ openssh-5.9p1/serverloop.c 2011-09-13 08:26:12.968645756 +0200
|
||||
@@ -147,13 +147,13 @@ notify_setup(void)
|
||||
static void
|
||||
notify_parent(void)
|
||||
@ -293,7 +298,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
tun = forced_tun_device;
|
||||
diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
--- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-5.9p1/sftp-client.c 2011-09-09 15:13:33.845564522 +0200
|
||||
+++ openssh-5.9p1/sftp-client.c 2011-09-13 08:26:13.083520760 +0200
|
||||
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
|
||||
}
|
||||
|
||||
@ -518,7 +523,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
size_t len = strlen(p1) + strlen(p2) + 2;
|
||||
diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
|
||||
--- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-5.9p1/sftp-client.h 2011-09-09 15:13:33.954567073 +0200
|
||||
+++ openssh-5.9p1/sftp-client.h 2011-09-13 08:26:13.181525164 +0200
|
||||
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
|
||||
u_int sftp_proto_version(struct sftp_conn *);
|
||||
|
||||
@ -618,7 +623,7 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
|
||||
#endif
|
||||
diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
|
||||
--- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-5.9p1/sftp.c 2011-09-09 15:13:34.086441893 +0200
|
||||
+++ openssh-5.9p1/sftp.c 2011-09-13 08:26:13.311521187 +0200
|
||||
@@ -206,7 +206,7 @@ killchild(int signo)
|
||||
{
|
||||
if (sshpid > 1) {
|
||||
@ -733,7 +738,7 @@ diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
|
||||
char s_used[FMT_SCALED_STRSIZE];
|
||||
diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
|
||||
--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
|
||||
+++ openssh-5.9p1/ssh-agent.c 2011-09-09 15:13:34.203567987 +0200
|
||||
+++ openssh-5.9p1/ssh-agent.c 2011-09-13 08:26:13.416521025 +0200
|
||||
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
@ -747,7 +752,7 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
|
||||
/* Disable ptrace on Linux without sgid bit */
|
||||
diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-09 15:13:34.317564195 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-13 08:26:13.565519531 +0200
|
||||
@@ -1302,6 +1302,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (num_listen_socks < 0)
|
||||
break;
|
||||
|
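Review bot: In the new auth-pam.c hunk (the 2011-09-13 version, whose `+216,12` header is the one with the loop), the `while (waitpid(thread, &status, 0) < 0)` loop turns every non-EINTR error into fatal(), and ECHILD is a realistic one here: the line just above restores SIGCHLD to sshpam_oldsig, and if that saved disposition is SIG_IGN the kernel auto-reaps the child and waitpid fails with ECHILD, so a path that the old `(void) waitpid(...)` survived silently now aborts the authentication process. Either document why ECHILD cannot happen at this point or handle it explicitly, e.g. `if (errno == ECHILD) break;` after the EINTR check — noting that `status` (declared outside the hunk) must then be initialised before the loop, since it is returned unconditionally. The enclosing pthread_join emulation starts outside the hunk.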
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p0/HOWTO.ldap-keys.ldap openssh-5.9p0/HOWTO.ldap-keys
|
||||
--- openssh-5.9p0/HOWTO.ldap-keys.ldap 2011-08-30 15:57:12.449212853 +0200
|
||||
+++ openssh-5.9p0/HOWTO.ldap-keys 2011-08-30 15:57:12.453101662 +0200
|
||||
diff -up openssh-5.9p1/HOWTO.ldap-keys.ldap openssh-5.9p1/HOWTO.ldap-keys
|
||||
--- openssh-5.9p1/HOWTO.ldap-keys.ldap 2011-09-13 11:17:05.178644691 +0200
|
||||
+++ openssh-5.9p1/HOWTO.ldap-keys 2011-09-13 11:17:05.181522429 +0200
|
||||
@@ -0,0 +1,108 @@
|
||||
+
|
||||
+HOW TO START
|
||||
@ -110,9 +110,9 @@ diff -up openssh-5.9p0/HOWTO.ldap-keys.ldap openssh-5.9p0/HOWTO.ldap-keys
|
||||
+5) Author
|
||||
+ Jan F. Chadima <jchadima@redhat.com>
|
||||
+
|
||||
diff -up openssh-5.9p0/Makefile.in.ldap openssh-5.9p0/Makefile.in
|
||||
--- openssh-5.9p0/Makefile.in.ldap 2011-08-30 15:57:01.693024742 +0200
|
||||
+++ openssh-5.9p0/Makefile.in 2011-08-30 16:00:02.478212295 +0200
|
||||
diff -up openssh-5.9p1/Makefile.in.ldap openssh-5.9p1/Makefile.in
|
||||
--- openssh-5.9p1/Makefile.in.ldap 2011-09-13 11:17:04.064644353 +0200
|
||||
+++ openssh-5.9p1/Makefile.in 2011-09-13 11:20:16.996522219 +0200
|
||||
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
@ -135,7 +135,7 @@ diff -up openssh-5.9p0/Makefile.in.ldap openssh-5.9p0/Makefile.in
|
||||
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
|
||||
@@ -92,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
roaming_common.o roaming_serv.o \
|
||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
|
||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-selinux.o
|
||||
|
||||
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
|
||||
@ -207,9 +207,9 @@ diff -up openssh-5.9p0/Makefile.in.ldap openssh-5.9p0/Makefile.in
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
tests interop-tests: $(TARGETS)
|
||||
diff -up openssh-5.9p0/configure.ac.ldap openssh-5.9p0/configure.ac
|
||||
--- openssh-5.9p0/configure.ac.ldap 2011-08-30 15:57:11.297032991 +0200
|
||||
+++ openssh-5.9p0/configure.ac 2011-08-30 15:57:12.664024959 +0200
|
||||
diff -up openssh-5.9p1/configure.ac.ldap openssh-5.9p1/configure.ac
|
||||
--- openssh-5.9p1/configure.ac.ldap 2011-09-13 11:17:04.488583772 +0200
|
||||
+++ openssh-5.9p1/configure.ac 2011-09-13 11:17:05.418529375 +0200
|
||||
@@ -1433,6 +1433,106 @@ AC_ARG_WITH(authorized-keys-command,
|
||||
]
|
||||
)
|
||||
@ -317,9 +317,9 @@ diff -up openssh-5.9p0/configure.ac.ldap openssh-5.9p0/configure.ac
|
||||
dnl Checks for library functions. Please keep in alphabetical order
|
||||
AC_CHECK_FUNCS([ \
|
||||
arc4random \
|
||||
diff -up openssh-5.9p0/ldap-helper.c.ldap openssh-5.9p0/ldap-helper.c
|
||||
--- openssh-5.9p0/ldap-helper.c.ldap 2011-08-30 15:57:12.754025033 +0200
|
||||
+++ openssh-5.9p0/ldap-helper.c 2011-08-30 15:57:12.759025510 +0200
|
||||
diff -up openssh-5.9p1/ldap-helper.c.ldap openssh-5.9p1/ldap-helper.c
|
||||
--- openssh-5.9p1/ldap-helper.c.ldap 2011-09-13 11:17:05.527520185 +0200
|
||||
+++ openssh-5.9p1/ldap-helper.c 2011-09-13 11:17:05.531521117 +0200
|
||||
@@ -0,0 +1,155 @@
|
||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -476,9 +476,9 @@ diff -up openssh-5.9p0/ldap-helper.c.ldap openssh-5.9p0/ldap-helper.c
|
||||
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
|
||||
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
|
||||
+
|
||||
diff -up openssh-5.9p0/ldap-helper.h.ldap openssh-5.9p0/ldap-helper.h
|
||||
--- openssh-5.9p0/ldap-helper.h.ldap 2011-08-30 15:57:12.835024792 +0200
|
||||
+++ openssh-5.9p0/ldap-helper.h 2011-08-30 15:57:12.839024637 +0200
|
||||
diff -up openssh-5.9p1/ldap-helper.h.ldap openssh-5.9p1/ldap-helper.h
|
||||
--- openssh-5.9p1/ldap-helper.h.ldap 2011-09-13 11:17:05.619520027 +0200
|
||||
+++ openssh-5.9p1/ldap-helper.h 2011-09-13 11:17:05.621522622 +0200
|
||||
@@ -0,0 +1,32 @@
|
||||
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -512,9 +512,9 @@ diff -up openssh-5.9p0/ldap-helper.h.ldap openssh-5.9p0/ldap-helper.h
|
||||
+extern int config_warning_config_file;
|
||||
+
|
||||
+#endif /* LDAP_HELPER_H */
|
||||
diff -up openssh-5.9p0/ldap.conf.ldap openssh-5.9p0/ldap.conf
|
||||
--- openssh-5.9p0/ldap.conf.ldap 2011-08-30 15:57:12.929026186 +0200
|
||||
+++ openssh-5.9p0/ldap.conf 2011-08-30 15:57:12.933024937 +0200
|
||||
diff -up openssh-5.9p1/ldap.conf.ldap openssh-5.9p1/ldap.conf
|
||||
--- openssh-5.9p1/ldap.conf.ldap 2011-09-13 11:17:05.697522387 +0200
|
||||
+++ openssh-5.9p1/ldap.conf 2011-09-13 11:17:05.699522577 +0200
|
||||
@@ -0,0 +1,88 @@
|
||||
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
||||
+#
|
||||
@ -604,9 +604,9 @@ diff -up openssh-5.9p0/ldap.conf.ldap openssh-5.9p0/ldap.conf
|
||||
+#tls_cert
|
||||
+#tls_key
|
||||
+
|
||||
diff -up openssh-5.9p0/ldapbody.c.ldap openssh-5.9p0/ldapbody.c
|
||||
--- openssh-5.9p0/ldapbody.c.ldap 2011-08-30 15:57:13.005024661 +0200
|
||||
+++ openssh-5.9p0/ldapbody.c 2011-08-30 15:57:13.011024848 +0200
|
||||
diff -up openssh-5.9p1/ldapbody.c.ldap openssh-5.9p1/ldapbody.c
|
||||
--- openssh-5.9p1/ldapbody.c.ldap 2011-09-13 11:17:05.782571211 +0200
|
||||
+++ openssh-5.9p1/ldapbody.c 2011-09-13 11:17:05.785584958 +0200
|
||||
@@ -0,0 +1,494 @@
|
||||
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1102,9 +1102,9 @@ diff -up openssh-5.9p0/ldapbody.c.ldap openssh-5.9p0/ldapbody.c
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.9p0/ldapbody.h.ldap openssh-5.9p0/ldapbody.h
|
||||
--- openssh-5.9p0/ldapbody.h.ldap 2011-08-30 15:57:13.087150596 +0200
|
||||
+++ openssh-5.9p0/ldapbody.h 2011-08-30 15:57:13.091149461 +0200
|
||||
diff -up openssh-5.9p1/ldapbody.h.ldap openssh-5.9p1/ldapbody.h
|
||||
--- openssh-5.9p1/ldapbody.h.ldap 2011-09-13 11:17:05.861522789 +0200
|
||||
+++ openssh-5.9p1/ldapbody.h 2011-09-13 11:17:05.863522010 +0200
|
||||
@@ -0,0 +1,37 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1143,9 +1143,9 @@ diff -up openssh-5.9p0/ldapbody.h.ldap openssh-5.9p0/ldapbody.h
|
||||
+
|
||||
+#endif /* LDAPBODY_H */
|
||||
+
|
||||
diff -up openssh-5.9p0/ldapconf.c.ldap openssh-5.9p0/ldapconf.c
|
||||
--- openssh-5.9p0/ldapconf.c.ldap 2011-08-30 15:57:13.164036922 +0200
|
||||
+++ openssh-5.9p0/ldapconf.c 2011-08-30 15:57:13.171065499 +0200
|
||||
diff -up openssh-5.9p1/ldapconf.c.ldap openssh-5.9p1/ldapconf.c
|
||||
--- openssh-5.9p1/ldapconf.c.ldap 2011-09-13 11:17:05.937548294 +0200
|
||||
+++ openssh-5.9p1/ldapconf.c 2011-09-13 11:17:05.941547073 +0200
|
||||
@@ -0,0 +1,682 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1829,9 +1829,9 @@ diff -up openssh-5.9p0/ldapconf.c.ldap openssh-5.9p0/ldapconf.c
|
||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.9p0/ldapconf.h.ldap openssh-5.9p0/ldapconf.h
|
||||
--- openssh-5.9p0/ldapconf.h.ldap 2011-08-30 15:57:13.265149057 +0200
|
||||
+++ openssh-5.9p0/ldapconf.h 2011-08-30 15:57:13.271153923 +0200
|
||||
diff -up openssh-5.9p1/ldapconf.h.ldap openssh-5.9p1/ldapconf.h
|
||||
--- openssh-5.9p1/ldapconf.h.ldap 2011-09-13 11:17:06.016522201 +0200
|
||||
+++ openssh-5.9p1/ldapconf.h 2011-09-13 11:17:06.018522083 +0200
|
||||
@@ -0,0 +1,71 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1904,9 +1904,9 @@ diff -up openssh-5.9p0/ldapconf.h.ldap openssh-5.9p0/ldapconf.h
|
||||
+void dump_config(void);
|
||||
+
|
||||
+#endif /* LDAPCONF_H */
|
||||
diff -up openssh-5.9p0/ldapincludes.h.ldap openssh-5.9p0/ldapincludes.h
|
||||
--- openssh-5.9p0/ldapincludes.h.ldap 2011-08-30 15:57:13.344023601 +0200
|
||||
+++ openssh-5.9p0/ldapincludes.h 2011-08-30 15:57:13.348024596 +0200
|
||||
diff -up openssh-5.9p1/ldapincludes.h.ldap openssh-5.9p1/ldapincludes.h
|
||||
--- openssh-5.9p1/ldapincludes.h.ldap 2011-09-13 11:17:06.123519312 +0200
|
||||
+++ openssh-5.9p1/ldapincludes.h 2011-09-13 11:17:06.126518977 +0200
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1949,9 +1949,9 @@ diff -up openssh-5.9p0/ldapincludes.h.ldap openssh-5.9p0/ldapincludes.h
|
||||
+#endif
|
||||
+
|
||||
+#endif /* LDAPINCLUDES_H */
|
||||
diff -up openssh-5.9p0/ldapmisc.c.ldap openssh-5.9p0/ldapmisc.c
|
||||
--- openssh-5.9p0/ldapmisc.c.ldap 2011-08-30 15:57:13.429148896 +0200
|
||||
+++ openssh-5.9p0/ldapmisc.c 2011-08-30 15:57:13.433150396 +0200
|
||||
diff -up openssh-5.9p1/ldapmisc.c.ldap openssh-5.9p1/ldapmisc.c
|
||||
--- openssh-5.9p1/ldapmisc.c.ldap 2011-09-13 11:17:06.195508388 +0200
|
||||
+++ openssh-5.9p1/ldapmisc.c 2011-09-13 11:17:06.197507964 +0200
|
||||
@@ -0,0 +1,79 @@
|
||||
+
|
||||
+#include "ldapincludes.h"
|
||||
@ -2032,9 +2032,9 @@ diff -up openssh-5.9p0/ldapmisc.c.ldap openssh-5.9p0/ldapmisc.c
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
diff -up openssh-5.9p0/ldapmisc.h.ldap openssh-5.9p0/ldapmisc.h
|
||||
--- openssh-5.9p0/ldapmisc.h.ldap 2011-08-30 15:57:13.531150853 +0200
|
||||
+++ openssh-5.9p0/ldapmisc.h 2011-08-30 15:57:13.537153831 +0200
|
||||
diff -up openssh-5.9p1/ldapmisc.h.ldap openssh-5.9p1/ldapmisc.h
|
||||
--- openssh-5.9p1/ldapmisc.h.ldap 2011-09-13 11:17:06.273496889 +0200
|
||||
+++ openssh-5.9p1/ldapmisc.h 2011-09-13 11:17:06.276496151 +0200
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2071,9 +2071,9 @@ diff -up openssh-5.9p0/ldapmisc.h.ldap openssh-5.9p0/ldapmisc.h
|
||||
+
|
||||
+#endif /* LDAPMISC_H */
|
||||
+
|
||||
diff -up openssh-5.9p0/openssh-lpk-openldap.schema.ldap openssh-5.9p0/openssh-lpk-openldap.schema
|
||||
--- openssh-5.9p0/openssh-lpk-openldap.schema.ldap 2011-08-30 15:57:13.607025841 +0200
|
||||
+++ openssh-5.9p0/openssh-lpk-openldap.schema 2011-08-30 15:57:13.612150461 +0200
|
||||
diff -up openssh-5.9p1/openssh-lpk-openldap.schema.ldap openssh-5.9p1/openssh-lpk-openldap.schema
|
||||
--- openssh-5.9p1/openssh-lpk-openldap.schema.ldap 2011-09-13 11:17:06.349485171 +0200
|
||||
+++ openssh-5.9p1/openssh-lpk-openldap.schema 2011-09-13 11:17:06.351484488 +0200
|
||||
@@ -0,0 +1,21 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2096,9 +2096,9 @@ diff -up openssh-5.9p0/openssh-lpk-openldap.schema.ldap openssh-5.9p0/openssh-lp
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
diff -up openssh-5.9p0/openssh-lpk-sun.schema.ldap openssh-5.9p0/openssh-lpk-sun.schema
|
||||
--- openssh-5.9p0/openssh-lpk-sun.schema.ldap 2011-08-30 15:57:13.696025724 +0200
|
||||
+++ openssh-5.9p0/openssh-lpk-sun.schema 2011-08-30 15:57:13.699024704 +0200
|
||||
diff -up openssh-5.9p1/openssh-lpk-sun.schema.ldap openssh-5.9p1/openssh-lpk-sun.schema
|
||||
--- openssh-5.9p1/openssh-lpk-sun.schema.ldap 2011-09-13 11:17:06.420474045 +0200
|
||||
+++ openssh-5.9p1/openssh-lpk-sun.schema 2011-09-13 11:17:06.422473843 +0200
|
||||
@@ -0,0 +1,23 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2123,9 +2123,9 @@ diff -up openssh-5.9p0/openssh-lpk-sun.schema.ldap openssh-5.9p0/openssh-lpk-sun
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
diff -up openssh-5.9p0/ssh-ldap-helper.8.ldap openssh-5.9p0/ssh-ldap-helper.8
|
||||
--- openssh-5.9p0/ssh-ldap-helper.8.ldap 2011-08-30 15:57:13.772026539 +0200
|
||||
+++ openssh-5.9p0/ssh-ldap-helper.8 2011-08-30 15:57:13.778026299 +0200
|
||||
diff -up openssh-5.9p1/ssh-ldap-helper.8.ldap openssh-5.9p1/ssh-ldap-helper.8
|
||||
--- openssh-5.9p1/ssh-ldap-helper.8.ldap 2011-09-13 11:17:06.504461435 +0200
|
||||
+++ openssh-5.9p1/ssh-ldap-helper.8 2011-09-13 11:17:06.506460976 +0200
|
||||
@@ -0,0 +1,79 @@
|
||||
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2206,17 +2206,17 @@ diff -up openssh-5.9p0/ssh-ldap-helper.8.ldap openssh-5.9p0/ssh-ldap-helper.8
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
diff -up openssh-5.9p0/ssh-ldap-wrapper.ldap openssh-5.9p0/ssh-ldap-wrapper
|
||||
--- openssh-5.9p0/ssh-ldap-wrapper.ldap 2011-08-30 15:57:13.854024986 +0200
|
||||
+++ openssh-5.9p0/ssh-ldap-wrapper 2011-08-30 15:57:13.858149926 +0200
|
||||
diff -up openssh-5.9p1/ssh-ldap-wrapper.ldap openssh-5.9p1/ssh-ldap-wrapper
|
||||
--- openssh-5.9p1/ssh-ldap-wrapper.ldap 2011-09-13 11:17:06.574455869 +0200
|
||||
+++ openssh-5.9p1/ssh-ldap-wrapper 2011-09-13 11:17:06.576475704 +0200
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
|
||||
+
|
||||
diff -up openssh-5.9p0/ssh-ldap.conf.5.ldap openssh-5.9p0/ssh-ldap.conf.5
|
||||
--- openssh-5.9p0/ssh-ldap.conf.5.ldap 2011-08-30 15:57:13.934151066 +0200
|
||||
+++ openssh-5.9p0/ssh-ldap.conf.5 2011-08-30 15:57:13.942024641 +0200
|
||||
diff -up openssh-5.9p1/ssh-ldap.conf.5.ldap openssh-5.9p1/ssh-ldap.conf.5
|
||||
--- openssh-5.9p1/ssh-ldap.conf.5.ldap 2011-09-13 11:17:06.650522542 +0200
|
||||
+++ openssh-5.9p1/ssh-ldap.conf.5 2011-09-13 11:17:06.653474746 +0200
|
||||
@@ -0,0 +1,376 @@
|
||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
|
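--- /dev/null
+++ b/openssh-5.9p1-sesandbox.patch
@@ -0,0 +1,228 @@
+diff -up openssh-5.9p1/Makefile.in.sesandbox openssh-5.9p1/Makefile.in
+--- openssh-5.9p1/Makefile.in.sesandbox 2011-09-13 16:00:58.201646362 +0200
++++ openssh-5.9p1/Makefile.in 2011-09-13 16:01:08.284466746 +0200
+@@ -90,7 +90,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+ sftp-server.o sftp-common.o \
+ roaming_common.o roaming_serv.o \
+- sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
++ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-selinux.o
+ 
+ MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
+ MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+diff -up openssh-5.9p1/configure.ac.sesandbox openssh-5.9p1/configure.ac
+--- openssh-5.9p1/configure.ac.sesandbox 2011-08-18 06:48:24.000000000 +0200
++++ openssh-5.9p1/configure.ac 2011-09-13 16:01:08.537509294 +0200
+@@ -2476,7 +2476,7 @@ AC_SUBST([SSH_PRIVSEP_USER])
+ # Decide which sandbox style to use
+ sandbox_arg=""
+ AC_ARG_WITH([sandbox],
+- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace)],
++ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, selinux)],
+ [
+ if test "x$withval" = "xyes" ; then
+ sandbox_arg=""
+@@ -2499,6 +2499,10 @@ elif test "x$sandbox_arg" = "xdarwin" ||
+ AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
+ SANDBOX_STYLE="darwin"
+ AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
++elif test "x$sandbox_arg" = "xselinux" \\
++ test "x$WITH_SELINUX" = "x1"; then
++ SANDBOX_STYLE="selinux"
++ AC_DEFINE([SANDBOX_SELINUX], [1], [Sandbox using selinux(8)])
+ elif test "x$sandbox_arg" = "xrlimit" || \
+ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
+ test "x$ac_cv_func_setrlimit" != "xyes" && \
+diff -up openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox openssh-5.9p1/openbsd-compat/port-linux.c
+--- openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox 2011-09-13 16:09:04.534585160 +0200
++++ openssh-5.9p1/openbsd-compat/port-linux.c 2011-09-13 16:13:51.827640965 +0200
+@@ -459,24 +459,24 @@ ssh_selinux_setup_pty(char *pwname, cons
+ debug3("%s: done", __func__);
+ }
+ 
+-void
++int
+ ssh_selinux_change_context(const char *newname)
+ {
+- int len, newlen;
++ int len, newlen, rv = -1;
+ char *oldctx, *newctx, *cx;
+ void (*switchlog) (const char *fmt,...) = logit;
+ 
+ if (!ssh_selinux_enabled())
+- return;
++ return -2;
+ 
+ if (getcon((security_context_t *)&oldctx) < 0) {
+ logit("%s: getcon failed with %s", __func__, strerror(errno));
+- return;
++ return -1;
+ }
+ if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
+ NULL) {
+ logit ("%s: unparseable context %s", __func__, oldctx);
+- return;
++ return -1;
+ }
+ 
+ /*
+@@ -484,8 +484,10 @@ ssh_selinux_change_context(const char *n
+ * security context.
+ */
+ if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
+- sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
++ sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0) {
+ switchlog = debug3;
++ rv = -2;
++ }
+ 
+ newlen = strlen(oldctx) + strlen(newname) + 1;
+ newctx = xmalloc(newlen);
+@@ -499,8 +501,11 @@ ssh_selinux_change_context(const char *n
+ if (setcon(newctx) < 0)
+ switchlog("%s: setcon %s from %s failed with %s", __func__,
+ newctx, oldctx, strerror(errno));
++ else
++ rv = 0;
+ xfree(oldctx);
+ xfree(newctx);
++ return rv;
+ }
+ 
+ void
+diff -up openssh-5.9p1/openbsd-compat/port-linux.h.sesandbox openssh-5.9p1/openbsd-compat/port-linux.h
+--- openssh-5.9p1/openbsd-compat/port-linux.h.sesandbox 2011-09-13 16:14:10.371460199 +0200
++++ openssh-5.9p1/openbsd-compat/port-linux.h 2011-09-13 16:14:40.377646062 +0200
+@@ -23,7 +23,7 @@
+ int ssh_selinux_enabled(void);
+ void ssh_selinux_setup_pty(char *, const char *);
+ void ssh_selinux_setup_exec_context(char *);
+-void ssh_selinux_change_context(const char *);
++int ssh_selinux_change_context(const char *);
+ void ssh_selinux_chopy_context(void);
+ void ssh_selinux_setfscreatecon(const char *);
+ #endif
+diff -up openssh-5.9p1/sandbox-selinux.c.sesandbox openssh-5.9p1/sandbox-selinux.c
+--- openssh-5.9p1/sandbox-selinux.c.sesandbox 2011-09-13 16:01:08.715520826 +0200
++++ openssh-5.9p1/sandbox-selinux.c 2011-09-13 16:20:02.463511312 +0200
+@@ -0,0 +1,120 @@
++/* $Id: sandbox-selinux.c,v 1.0 2011/01/17 10:15:30 jfch Exp $ */
++
++/*
++ * Copyright 2011 Red Hat, Inc. All rights reserved.
++ * Use is subject to license terms.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
++ */
++
++
++#include "includes.h"
++
++#ifdef SANDBOX_SELINUX
++
++#include <sys/types.h>
++
++#include <errno.h>
++#include <stdarg.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++
++#include "log.h"
++#include "ssh-sandbox.h"
++#include "xmalloc.h"
++#include "openbsd-comnpat/port-linux.h"
++
++/* selinux based sandbox */
++
++struct ssh_sandbox {
++ pid_t child_pid;
++};
++
++struct ssh_sandbox *
++ssh_sandbox_init(void)
++{
++ struct ssh_sandbox *box;
++
++ /*
++ * Strictly, we don't need to maintain any state here but we need
++ * to return non-NULL to satisfy the API.
++ */
++ box = xcalloc(1, sizeof(*box));
++ box->child_pid = 0;
++ return box;
++}
++
++static void
++rlimit_ssh_sandbox_child(struct ssh_sandbox *box)
++{
++ struct rlimit rl_zero;
++
++ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
++
++ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
++ __func__, strerror(errno));
++ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
++ __func__, strerror(errno));
++#ifdef HAVE_RLIMIT_NPROC
++ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
++ __func__, strerror(errno));
++#endif
++}
++
++void
++ssh_sandbox_child(struct ssh_sandbox *box)
++{
++ switch (ssh_selinux_change_context("sshd_sandbox_t")) {
++ case 0:
++ debug3("selinux sandbox sucessfully enabled");
++ break;
++ case -2:
++ logit("selinux not useful, using rlimit sandbox instead");
++ rlimit_ssh_sandbox_child(box);
++ break;
++ case -1:
++ fatal("cannot set up selinux sandbox");
++ default:
++ fatal("inmternal error in selinux sandbox");
++ }
++}
++
++void
++ssh_sandbox_parent_finish(struct ssh_sandbox *box)
++{
++ free(box);
++ debug3("%s: finished", __func__);
++}
++
++void
++ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
++{
++ box->child_pid = child_pid;
++}
++
++#endif /* SANDBOX_NULL */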
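Review bot: The new sandbox-selinux.c cannot compile when SANDBOX_SELINUX is defined: the line `#include "openbsd-comnpat/port-linux.h"` misspells the directory (`openbsd-compat`), and rlimit_ssh_sandbox_child uses `struct rlimit` and `setrlimit()` while the file's include list stops at `<unistd.h>`, so it also needs `#include <sys/resource.h>`. In the configure.ac hunk, the new branch `elif test "x$sandbox_arg" = "xselinux" \\` runs straight into a second `test` with no `&&` or `||` joining them and a doubled backslash, unlike the `|| \` continuation on the rlimit branch just below; unless the doubling is a rendering artefact, this is not a valid shell condition and the selinux style could never be selected. Smaller points: the closing `#endif /* SANDBOX_NULL */` should read `SANDBOX_SELINUX`, and the log strings "sucessfully" and "inmternal" are misspelled. On the design side, a successful setcon (`case 0`) applies no resource limits at all, so containment of the pre-auth child then rests entirely on the sshd_sandbox_t policy being loaded on the host; calling rlimit_ssh_sandbox_child in that path too would retain the floor the existing rlimit sandbox gives, at no cost, and is worth considering given the changelog calls this sandbox experimental.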
11
openssh.spec
@ -79,7 +79,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.9p1
|
||||
%define openssh_rel 7
|
||||
%define openssh_rel 8
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 32
|
||||
|
||||
@ -145,6 +145,8 @@ Patch400: openssh-5.9p1-role.patch
|
||||
Patch401: openssh-5.9p1-mls.patch
|
||||
#?
|
||||
Patch402: openssh-5.9p1-sftp-chroot.patch
|
||||
#?
|
||||
Patch403: openssh-5.9p1-sesandbox.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
|
||||
Patch500: openssh-5.9p1-akc.patch
|
||||
@ -412,6 +414,7 @@ popd
|
||||
%patch400 -p1 -b .role
|
||||
%patch401 -p1 -b .mls
|
||||
%patch402 -p1 -b .sftp-chroot
|
||||
%patch403 -p1 -b .sesandbox
|
||||
%endif
|
||||
|
||||
%patch500 -p1 -b .akc
|
||||
@ -517,7 +520,7 @@ fi
|
||||
--with-pam \
|
||||
%endif
|
||||
%if %{WITH_SELINUX}
|
||||
--with-selinux --with-audit=linux \
|
||||
--with-selinux --with-audit=linux --with-sandbox-style=selinux \
|
||||
%endif
|
||||
%if %{kerberos5}
|
||||
--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
|
||||
@ -786,6 +789,10 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-8 + 0.9.2-32
|
||||
- coverity upgrade
|
||||
- experimental selinux sandbox
|
||||
|
||||
* Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-7 + 0.9.2-32
|
||||
- fully reanable auditing
|
||||
|
||||
|
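Review bot: The configure flag added to the `%if %{WITH_SELINUX}` block, `--with-selinux --with-audit=linux --with-sandbox-style=selinux \`, does not match the option the accompanying sesandbox patch defines: its configure.ac hunk uses `AC_ARG_WITH([sandbox], ...)`, i.e. `--with-sandbox=style`. Autoconf only warns about an unrecognised `--with-*` option, so the build would silently fall through to whichever sandbox the default logic picks (rlimit, by the visible configure.ac branch order) while the changelog entry claims the selinux sandbox. Change the line to `--with-selinux --with-audit=linux --with-sandbox=selinux \`, and consider checking `config.log` or `SANDBOX_STYLE` in the build output to confirm the selection.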