From 26c275d66ed66ddc954f477346454eaa94eec635 Mon Sep 17 00:00:00 2001 From: Luca BRUNO Date: Fri, 2 Sep 2022 14:38:56 +0000 Subject: [PATCH] openssh: move users/groups creation logic to sysusers.d fragments See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation --- openssh-server-systemd-sysusers.conf | 2 ++ openssh-systemd-sysusers.conf | 2 ++ openssh.spec | 22 ++++++++++++---------- 3 files changed, 16 insertions(+), 10 deletions(-) create mode 100644 openssh-server-systemd-sysusers.conf create mode 100644 openssh-systemd-sysusers.conf diff --git a/openssh-server-systemd-sysusers.conf b/openssh-server-systemd-sysusers.conf new file mode 100644 index 0000000..419c529 --- /dev/null +++ b/openssh-server-systemd-sysusers.conf @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory Shell +u sshd 74 "Privilege-separated SSH" /usr/share/empty.sshd - diff --git a/openssh-systemd-sysusers.conf b/openssh-systemd-sysusers.conf new file mode 100644 index 0000000..1192c0b --- /dev/null +++ b/openssh-systemd-sysusers.conf @@ -0,0 +1,2 @@ +#Type Name ID +g ssh_keys 101 diff --git a/openssh.spec b/openssh.spec index 8ed4034..8cced72 100644 --- a/openssh.spec +++ b/openssh.spec @@ -7,10 +7,6 @@ %global _hardened_build 1 -# OpenSSH privilege separation requires a user & group ID -%global sshd_uid 74 -%global sshd_gid 74 - # Do we want to disable building of gnome-askpass? (1=yes 0=no) %global no_gnome_askpass 0 @@ -51,7 +47,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 9.0p1 -%global openssh_rel 3 +%global openssh_rel 4 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 7 @@ -76,6 +72,8 @@ Source12: sshd-keygen@.service Source13: sshd-keygen Source15: sshd-keygen.target Source16: ssh-agent.service +Source17: openssh-systemd-sysusers.conf +Source18: openssh-server-systemd-sysusers.conf #https://bugzilla.mindrot.org/show_bug.cgi?id=2581 Patch100: openssh-6.7p1-coverity.patch @@ -583,6 +581,8 @@ install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd +install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/openssh.conf +install -p -D -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/openssh-server.conf %if ! %{no_gnome_askpass} install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass @@ -608,13 +608,10 @@ popd %endif %pre -getent group ssh_keys >/dev/null || groupadd -r -g 101 ssh_keys || : +%sysusers_create_compat %{SOURCE17} %pre server -getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || : -getent passwd sshd >/dev/null || \ - useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \ - -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || : +%sysusers_create_compat %{SOURCE18} %post server %systemd_post sshd.service sshd.socket @@ -652,6 +649,7 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %dir %{_libexecdir}/openssh %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8* +%attr(0644,root,root) %{_sysusersdir}/openssh.conf %files clients %attr(0755,root,root) %{_bindir}/ssh @@ -697,6 +695,7 @@ test -f %{sysconfig_anaconda} && \ %attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service %attr(0644,root,root) %{_unitdir}/sshd-keygen.target +%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf %files keycat %doc HOWTO.ssh-keycat @@ -718,6 +717,9 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Fri Sep 02 2022 Luca BRUNO - 9.0p1-4 +- Move users/groups creation logic to sysusers.d fragments + * Wed Aug 24 2022 Alexander Sosedkin - 9.0p1-3 - State in manpages that HostbasedAcceptedAlgorithms is set by crypto-policies