openssh: move users/groups creation logic to sysusers.d fragments
See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
This commit is contained in:
parent
42b22d9ad2
commit
26c275d66e
2
openssh-server-systemd-sysusers.conf
Normal file
2
openssh-server-systemd-sysusers.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
#Type Name ID GECOS Home directory Shell
|
||||||
|
u sshd 74 "Privilege-separated SSH" /usr/share/empty.sshd -
|
2
openssh-systemd-sysusers.conf
Normal file
2
openssh-systemd-sysusers.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
#Type Name ID
|
||||||
|
g ssh_keys 101
|
22
openssh.spec
22
openssh.spec
@ -7,10 +7,6 @@
|
|||||||
|
|
||||||
%global _hardened_build 1
|
%global _hardened_build 1
|
||||||
|
|
||||||
# OpenSSH privilege separation requires a user & group ID
|
|
||||||
%global sshd_uid 74
|
|
||||||
%global sshd_gid 74
|
|
||||||
|
|
||||||
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
||||||
%global no_gnome_askpass 0
|
%global no_gnome_askpass 0
|
||||||
|
|
||||||
@ -51,7 +47,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 9.0p1
|
%global openssh_ver 9.0p1
|
||||||
%global openssh_rel 3
|
%global openssh_rel 4
|
||||||
%global pam_ssh_agent_ver 0.10.4
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 7
|
%global pam_ssh_agent_rel 7
|
||||||
|
|
||||||
@ -76,6 +72,8 @@ Source12: sshd-keygen@.service
|
|||||||
Source13: sshd-keygen
|
Source13: sshd-keygen
|
||||||
Source15: sshd-keygen.target
|
Source15: sshd-keygen.target
|
||||||
Source16: ssh-agent.service
|
Source16: ssh-agent.service
|
||||||
|
Source17: openssh-systemd-sysusers.conf
|
||||||
|
Source18: openssh-server-systemd-sysusers.conf
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
||||||
Patch100: openssh-6.7p1-coverity.patch
|
Patch100: openssh-6.7p1-coverity.patch
|
||||||
@ -583,6 +581,8 @@ install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
|
|||||||
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
||||||
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
||||||
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
|
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
|
||||||
|
install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/openssh.conf
|
||||||
|
install -p -D -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/openssh-server.conf
|
||||||
|
|
||||||
%if ! %{no_gnome_askpass}
|
%if ! %{no_gnome_askpass}
|
||||||
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||||
@ -608,13 +608,10 @@ popd
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent group ssh_keys >/dev/null || groupadd -r -g 101 ssh_keys || :
|
%sysusers_create_compat %{SOURCE17}
|
||||||
|
|
||||||
%pre server
|
%pre server
|
||||||
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
|
%sysusers_create_compat %{SOURCE18}
|
||||||
getent passwd sshd >/dev/null || \
|
|
||||||
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
|
||||||
-s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
|
|
||||||
|
|
||||||
%post server
|
%post server
|
||||||
%systemd_post sshd.service sshd.socket
|
%systemd_post sshd.service sshd.socket
|
||||||
@ -652,6 +649,7 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
||||||
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||||
|
%attr(0644,root,root) %{_sysusersdir}/openssh.conf
|
||||||
|
|
||||||
%files clients
|
%files clients
|
||||||
%attr(0755,root,root) %{_bindir}/ssh
|
%attr(0755,root,root) %{_bindir}/ssh
|
||||||
@ -697,6 +695,7 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
||||||
|
%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
|
||||||
|
|
||||||
%files keycat
|
%files keycat
|
||||||
%doc HOWTO.ssh-keycat
|
%doc HOWTO.ssh-keycat
|
||||||
@ -718,6 +717,9 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Sep 02 2022 Luca BRUNO <lucab@lucabruno.net> - 9.0p1-4
|
||||||
|
- Move users/groups creation logic to sysusers.d fragments
|
||||||
|
|
||||||
* Wed Aug 24 2022 Alexander Sosedkin <asosedkin@redhat.com> - 9.0p1-3
|
* Wed Aug 24 2022 Alexander Sosedkin <asosedkin@redhat.com> - 9.0p1-3
|
||||||
- State in manpages that HostbasedAcceptedAlgorithms is set by crypto-policies
|
- State in manpages that HostbasedAcceptedAlgorithms is set by crypto-policies
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user