- fix logging after chroot
- enable non root users to use chroot %h in internal-sftp
parent
0f07b4ad95
commit
061e214116
@ -15,15 +15,32 @@ diff -up openssh-5.1p1/sshd.c.log-chroot openssh-5.1p1/sshd.c
|
||||
diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c
|
||||
--- openssh-5.1p1/log.c.log-chroot 2008-06-10 15:01:51.000000000 +0200
|
||||
+++ openssh-5.1p1/log.c 2008-07-23 15:18:52.000000000 +0200
|
||||
@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL
|
||||
@@ -45,6 +45,7 @@
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
|
||||
# include <vis.h>
|
||||
#endif
|
||||
@@ -56,6 +57,7 @@
|
||||
static int log_on_stderr = 1;
|
||||
static int log_facility = LOG_AUTH;
|
||||
static char *argv0;
|
||||
+static int log_fd_keep;
|
||||
+int log_fd_keep = 0;
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
@@ -392,10 +393,21 @@ do_log(LogLevel level, const char *fmt,
|
||||
@@ -310,6 +312,8 @@
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+ if (log_fd_keep != 0)
|
||||
+ return;
|
||||
/*
|
||||
* If an external library (eg libwrap) attempts to use syslog
|
||||
* immediately after reexec, syslog may be pointing to the wrong
|
||||
@@ -392,10 +396,33 @@
|
||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||
closelog_r(&sdata);
|
||||
#else
|
||||
@ -42,16 +59,58 @@ diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c
|
||||
+void
|
||||
+open_log(void)
|
||||
+{
|
||||
+ int temp1, temp2;
|
||||
+
|
||||
+ temp1 = open("/dev/null", O_RDONLY);
|
||||
+ openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
|
||||
+ log_fd_keep = 1;
|
||||
+ temp2 = open("/dev/null", O_RDONLY);
|
||||
+ if (temp1 + 2 == temp2)
|
||||
+ log_fd_keep = temp1 + 1;
|
||||
+ else
|
||||
+ log_fd_keep = -1;
|
||||
+
|
||||
+ if (temp1 != -1)
|
||||
+ close(temp1);
|
||||
+ if (temp2 != -1)
|
||||
+ close(temp2);
|
||||
+}
|
||||
diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h
|
||||
--- openssh-5.1p1/log.h.log-chroot 2008-06-13 02:22:54.000000000 +0200
|
||||
+++ openssh-5.1p1/log.h 2008-07-23 15:20:11.000000000 +0200
|
||||
@@ -66,4 +66,6 @@ void debug3(const char *, ...) __att
|
||||
@@ -46,6 +46,9 @@
|
||||
SYSLOG_LEVEL_NOT_SET = -1
|
||||
} LogLevel;
|
||||
|
||||
+
|
||||
+extern int log_fd_keep;
|
||||
+
|
||||
void log_init(char *, LogLevel, SyslogFacility, int);
|
||||
|
||||
SyslogFacility log_facility_number(char *);
|
||||
@@ -66,4 +69,6 @@
|
||||
|
||||
void do_log(LogLevel, const char *, va_list);
|
||||
void cleanup_exit(int) __attribute__((noreturn));
|
||||
+
|
||||
+void open_log(void);
|
||||
#endif
|
||||
--- openssh-5.2p1/session.c. 2009-03-20 18:32:01.004151364 +0100
|
||||
+++ openssh-5.2p1/session.c 2009-03-20 19:00:28.328742384 +0100
|
||||
@@ -1445,6 +1456,7 @@
|
||||
if (chdir(path) == -1)
|
||||
fatal("Unable to chdir to chroot path \"%s\": "
|
||||
"%s", path, strerror(errno));
|
||||
+ open_log ();
|
||||
if (chroot(path) == -1)
|
||||
fatal("chroot(\"%s\"): %s", path, strerror(errno));
|
||||
if (chdir("/") == -1)
|
||||
@@ -1632,7 +1644,8 @@
|
||||
* descriptors open.
|
||||
*/
|
||||
for (i = 3; i < 64; i++)
|
||||
- close(i);
|
||||
+ if (i != log_fd_keep)
|
||||
+ close(i);
|
||||
}
|
||||
|
||||
/*
|
||||
|
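Review bot: open_log() (the hunk beginning at the `+void` line) signals a failed descriptor probe only by setting log_fd_keep to -1, and the later close loop in session.c (`if (i != log_fd_keep) close(i);`) then silently closes the syslog socket, so the "fix logging after chroot" quietly degrades to no logging at all. The probe also assumes that openlog() with LOG_NDELAY consumes exactly one descriptor and that it is the lowest free one; an open() failure on /dev/null or any other allocation pattern takes the -1 branch without a trace. I would make the failure visible while syslog still works, e.g. `else { log_fd_keep = -1; debug("%s: could not determine syslog descriptor", __func__); }`, and add a comment above the function stating that it must run after chdir(path) and before chroot(path) so /dev/log is still reachable. The call `open_log ();` should be written `open_log();` to match the surrounding calls. The enclosing log_init, do_log and do_setusercontext bodies start and end outside the visible hunks.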
28
openssh-5.2p1-homechroot.patch
Normal file
28
openssh-5.2p1-homechroot.patch
Normal file
@ -0,0 +1,28 @@
|
||||
--- openssh-5.2p1/session.c 2009-03-20 18:08:11.263662384 +0100
|
||||
+++ openssh-5.2p1/session.c 2009-03-20 18:26:29.925498409 +0100
|
||||
@@ -1408,6 +1408,7 @@
|
||||
const char *cp;
|
||||
char component[MAXPATHLEN];
|
||||
struct stat st;
|
||||
+ int last;
|
||||
|
||||
if (*path != '/')
|
||||
fatal("chroot path does not begin at root");
|
||||
@@ -1419,7 +1420,7 @@
|
||||
* root-owned directory with strict permissions.
|
||||
*/
|
||||
for (cp = path; cp != NULL;) {
|
||||
- if ((cp = strchr(cp, '/')) == NULL)
|
||||
+ if (((last = ((cp = strchr(cp, '/')) == NULL))))
|
||||
strlcpy(component, path, sizeof(component));
|
||||
else {
|
||||
cp++;
|
||||
@@ -1432,7 +1433,7 @@
|
||||
if (stat(component, &st) != 0)
|
||||
fatal("%s: stat(\"%s\"): %s", __func__,
|
||||
component, strerror(errno));
|
||||
- if (st.st_uid != 0 || (st.st_mode & 022) != 0)
|
||||
+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
|
||||
fatal("bad ownership or modes for chroot "
|
||||
"directory %s\"%s\"",
|
||||
cp == NULL ? "" : "component ", component);
|
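Review bot: The relaxed check at the `+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))` line accepts a user-owned final chroot component with any mode and for any session type, although the commit message scopes the feature to internal-sftp; since the owner can always chmod such a directory, anything later executed inside that chroot (a shell, or a ForceCommand other than internal-sftp) would run on a filesystem the user controls. I would gate the exception on the session being served by the in-process sftp server, or at minimum document the precondition in a comment above the check: `/* last component may be user-owned: only safe when nothing is ever executed inside the chroot (internal-sftp) */`. `uid` is neither declared nor introduced in the visible hunks, so unless an earlier patch in the series brings it into safe_chroot's scope this will not compile. The condition `if (((last = ((cp = strchr(cp, '/')) == NULL))))` reads better as `cp = strchr(cp, '/');` / `last = (cp == NULL);` / `if (last)`. safe_chroot starts and ends outside the hunks.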
@ -63,7 +63,7 @@
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
Version: 5.2p1
|
||||
Release: 2%{?dist}%{?rescue_rel}
|
||||
Release: 3%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
@ -97,6 +97,7 @@ Patch54: openssh-5.1p1-gssapi-role.patch
|
||||
Patch55: openssh-5.1p1-cloexec.patch
|
||||
Patch62: openssh-5.1p1-scp-manpage.patch
|
||||
Patch65: openssh-5.2p1-fips.patch
|
||||
Patch66: openssh-5.2p1-homechroot.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
@ -228,6 +229,7 @@ an X11 passphrase dialog for OpenSSH.
|
||||
%patch55 -p1 -b .cloexec
|
||||
%patch62 -p1 -b .manpage
|
||||
%patch65 -p1 -b .fips
|
||||
%patch66 -p1 -b .homechroot
|
||||
|
||||
autoreconf
|
||||
|
||||
@ -472,6 +474,10 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Apr 3 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-3
|
||||
- fix logging after chroot
|
||||
- enable non root users to use chroot %h in internal-sftp
|
||||
|
||||
* Fri Mar 13 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-2
|
||||
- add AES-CTR ciphers to the FIPS mode proposal
|
||||
|
||||
|