		
	the private keys may be 640 root:ssh_keys; ssh-keysign is sgid
		
							parent
							
								
									c7ffe02211
								
							
						
					
					
						commit
						1ddd0ee5d7
					
				
							
								
								
									
										25
									
								
								openssh-5.8p1-keyperm.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										25
									
								
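--- /dev/null
+++ b/openssh-5.8p1-keyperm.patch
@@ -0,0 +1,25 @@
+diff -up openssh-5.8p1/authfile.c.keyperm openssh-5.8p1/authfile.c
+--- openssh-5.8p1/authfile.c.keyperm	2010-12-01 02:03:39.000000000 +0100
++++ openssh-5.8p1/authfile.c	2011-04-21 16:43:36.859648916 +0200
+@@ -57,6 +57,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <grp.h>
+ 
+ #include "xmalloc.h"
+ #include "cipher.h"
+@@ -600,6 +612,13 @@ key_perm_ok(int fd, const char *filename
+ #ifdef HAVE_CYGWIN
+ 	if (check_ntsec(filename))
+ #endif
++	if (st.st_mode & 040) {
++		struct group *gr;
++
++		if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
++			st.st_mode &= ~040;
++	}
++
+ 	if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
+ 		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ 		error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");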
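Review bot: Inserting the `if (st.st_mode & 040) {` block between `#endif` and the original `if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0)` changes what the Cygwin-only `if (check_ntsec(filename))` governs: on HAVE_CYGWIN builds it now guards only the ssh_keys relaxation, and the permission check below runs unconditionally, where before it was the check_ntsec body. Moving the seven added lines to just before `#ifdef HAVE_CYGWIN` keeps the original pairing of `check_ntsec` with the permission test on every platform. The relaxation itself is narrow — only the group-read bit is cleared, and only when the file's group resolves to `ssh_keys` — so group-write or other-access bits on such a file still trigger the warning, which matches the 640 root:ssh_keys layout the commit describes. Since `getgrnam` runs on every key load and the group name is a literal, a comment such as `/* host keys owned by group ssh_keys may be group-readable; ssh-keysign runs sgid ssh_keys */` above the block would make the intent clear to the next reader. key_perm_ok starts outside the hunk.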
							
								
								
									
										19
									
								
								openssh.spec
									
									
									
									
									
								
							
							
						
						
									
										19
									
								
								openssh.spec
									
									
									
									
									
								
							| @ -71,7 +71,7 @@ | ||||
| 
 | ||||
| # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 | ||||
| %define openssh_ver 5.8p1 | ||||
| %define openssh_rel 26 | ||||
| %define openssh_rel 27 | ||||
| %define pam_ssh_agent_ver 0.9.2 | ||||
| %define pam_ssh_agent_rel 30 | ||||
| 
 | ||||
| @ -109,9 +109,9 @@ Patch2: openssh-5.8p1-audit2.patch | ||||
| Patch3: openssh-5.8p1-audit3.patch | ||||
| Patch4: openssh-5.8p1-audit4.patch | ||||
| Patch5: openssh-5.8p1-audit5.patch | ||||
| #?https://bugzilla.mindrot.org/show_bug.cgi?id=1889 | ||||
| #https://bugzilla.mindrot.org/show_bug.cgi?id=1889 | ||||
| Patch6: openssh-5.8p1-packet.patch | ||||
| #?https://bugzilla.mindrot.org/show_bug.cgi?id=1890 | ||||
| #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 | ||||
| Patch7: openssh-5.8p1-entropy.patch | ||||
| #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) | ||||
| Patch9: openssh-5.8p1-vendor.patch | ||||
| @ -145,9 +145,11 @@ Patch32: openssh-5.8p1-randclean.patch | ||||
| Patch34: openssh-5.8p1-kuserok.patch | ||||
| #http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h | ||||
| Patch35: openssh-5.8p1-glob.patch | ||||
| #?https://bugzilla.mindrot.org/show_bug.cgi?id=1891 | ||||
| #https://bugzilla.mindrot.org/show_bug.cgi?id=1891 | ||||
| Patch36: openssh-5.8p1-pwchange.patch | ||||
| #? | ||||
| Patch37: openssh-5.8p1-keyperm.patch | ||||
| #? | ||||
| Patch50: openssh-5.8p1-fips.patch | ||||
| #https://bugzilla.mindrot.org/show_bug.cgi?id=1789 | ||||
| Patch51: openssh-5.5p1-x11.patch | ||||
| @ -355,6 +357,7 @@ popd | ||||
| %patch34 -p1 -b .kuserok | ||||
| %patch35 -p1 -b .glob | ||||
| %patch36 -p1 -b .pwchange | ||||
| %patch37 -p1 -b .keyperm | ||||
| 
 | ||||
| %patch50 -p1 -b .fips | ||||
| %patch51 -p1 -b .x11 | ||||
| @ -543,6 +546,9 @@ popd | ||||
| %clean | ||||
| rm -rf $RPM_BUILD_ROOT | ||||
| 
 | ||||
| %pre | ||||
| getent group ssh_keys >/dev/null || groupadd -r ssh_keys || : | ||||
| 
 | ||||
| %pre server | ||||
| getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || : | ||||
| %if %{nologin} | ||||
| @ -577,7 +583,7 @@ fi | ||||
| %attr(0755,root,root) %{_bindir}/ssh-keygen | ||||
| %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* | ||||
| %attr(0755,root,root) %dir %{_libexecdir}/openssh | ||||
| %attr(4111,root,root) %{_libexecdir}/openssh/ssh-keysign | ||||
| %attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign | ||||
| %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8* | ||||
| %endif | ||||
| %if %{scard} | ||||
| @ -661,6 +667,9 @@ fi | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Apr 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-27 + 0.9.2-30 | ||||
| - the private keys may be 640 root:ssh_keys ssh_keysign is sgid | ||||
| 
 | ||||
| * Wed Apr 20 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-26 + 0.9.2-30 | ||||
| - improving sshd -> passwd transation | ||||
| 
 | ||||
|  | ||||
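Review bot: `getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :` in the new main-package `%pre` swallows a failure to create the group, yet the `%attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign` line depends on that group existing at install time; if rpm falls back to root for an unknown group, as I believe it does with only a warning, ssh-keysign would end up sgid root instead of sgid ssh_keys, which is a larger privilege than this change intends. Consider letting the scriptlet fail rather than `|| :`, or verifying the group in `%post`, and carrying a `Requires(pre): shadow-utils` for the main package if the server subpackage already has one (not visible in these hunks). The sshd group is created with a fixed `-g %{sshd_uid}` while ssh_keys gets a dynamic system GID; a one-line spec comment explaining why the GID need not be stable would help. The hunks do not show where the host key files themselves receive the 640 root:ssh_keys mode, so that half of the change cannot be checked here.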