From 411b9173794cc80a86b51e4196702feea945a770 Mon Sep 17 00:00:00 2001
From: "Jan F. Chadima"
Date: Wed, 23 Jun 2010 13:53:38 +0000
Subject: [PATCH] - sftp works in deviceless chroot again (broken from 5.5p1-3)
---
openssh-5.5p1-stderr.patch | 204 ++++++++++++++++++++-----------------
openssh.spec | 5 +-
2 files changed, 113 insertions(+), 96 deletions(-)
diff --git a/openssh-5.5p1-stderr.patch b/openssh-5.5p1-stderr.patch
index ef35d80..633d30e 100644
--- a/openssh-5.5p1-stderr.patch
+++ b/openssh-5.5p1-stderr.patch
@@ -1,6 +1,45 @@ +diff -up openssh-5.5p1/channels.c.stderr openssh-5.5p1/channels.c +--- openssh-5.5p1/channels.c.stderr 2010-06-23 15:20:30.000000000 +0200 ++++ openssh-5.5p1/channels.c 2010-06-23 15:23:06.000000000 +0200 +@@ -838,8 +838,9 @@ channel_pre_open(Channel *c, fd_set *rea + if (c->extended_usage == CHAN_EXTENDED_WRITE && + buffer_len(&c->extended) > 0) + FD_SET(c->efd, writeset); +- else if (!(c->flags & CHAN_EOF_SENT) && +- c->extended_usage == CHAN_EXTENDED_READ && ++ else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && ++ (c->extended_usage == CHAN_EXTENDED_READ || ++ c->extended_usage == CHAN_EXTENDED_IGNORE) && + buffer_len(&c->extended) < c->remote_window) + FD_SET(c->efd, readset); + } +@@ -1759,7 +1760,9 @@ channel_handle_efd(Channel *c, fd_set *r + buffer_consume(&c->extended, len); + c->local_consumed += len; + } +- } else if (c->extended_usage == CHAN_EXTENDED_READ && ++ } else if (c->efd != -1 && ++ (c->extended_usage == CHAN_EXTENDED_READ || ++ c->extended_usage == CHAN_EXTENDED_IGNORE) && + (c->detach_close || FD_ISSET(c->efd, readset))) { + len = read(c->efd, buf, sizeof(buf)); + debug2("channel %d: read %d from efd %d", +@@ -1772,7 +1775,11 @@ channel_handle_efd(Channel *c, fd_set *r + c->self, c->efd); + channel_close_fd(&c->efd); + } else { +- buffer_append(&c->extended, buf, len); ++ if (c->extended_usage == CHAN_EXTENDED_IGNORE) { ++ debug3("channel %d: discard efd", ++ c->self); ++ } else ++ buffer_append(&c->extended, buf, len); + } + } + } diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c ---- openssh-5.5p1/session.c.stderr 2010-04-26 10:35:35.000000000 +0200 -+++ openssh-5.5p1/session.c 2010-04-26 10:41:11.000000000 +0200 +--- openssh-5.5p1/session.c.stderr 2010-06-23 15:20:29.000000000 +0200 ++++ openssh-5.5p1/session.c 2010-06-23 15:23:55.000000000 +0200 @@ -47,6 +47,7 @@ #include 
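Review bot: In channel_pre_open the efd is still added to `readset` only while `buffer_len(&c->extended) < c->remote_window`, and that gate now also applies to CHAN_EXTENDED_IGNORE, where, as far as these hunks show, the data read is discarded and never queued for the peer. With `remote_window` at 0 the test is false, so the child's stderr is not drained and, presumably, a subsystem that writes enough to stderr can block on a full pipe until the client reopens the window. Consider exempting the discard case, e.g. `(c->extended_usage == CHAN_EXTENDED_IGNORE || buffer_len(&c->extended) < c->remote_window)`. In channel_handle_efd the new `if { … } else` mixes a braced and an unbraced arm; bracing both would make later edits safer. Both functions start and end outside the hunks shown.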
@@ -9,7 +48,21 @@ diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c #include #ifdef HAVE_PATHS_H #include -@@ -447,6 +448,9 @@ do_exec_no_pty(Session *s, const char *c +@@ -104,7 +105,7 @@ + /* func */ + + Session *session_new(void); +-void session_set_fds(Session *, int, int, int, int); ++void session_set_fds(Session *, int, int, int, int, int); + void session_pty_cleanup(Session *); + void session_proctitle(Session *); + int session_setup_x11fwd(Session *); +@@ -443,10 +444,14 @@ int + do_exec_no_pty(Session *s, const char *command) + { + pid_t pid; ++ int ignore_fderr = 0; + #ifdef USE_PIPES int pin[2], pout[2], perr[2]; @@ -19,39 +72,21 @@ diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c /* Allocate pipes for communicating with the program. */ if (pipe(pin) < 0) { error("%s: pipe in: %.100s", __func__, strerror(errno)); -@@ -458,33 +462,59 @@ do_exec_no_pty(Session *s, const char *c - close(pin[1]); +@@ -459,32 +464,38 @@ do_exec_no_pty(Session *s, const char *c return -1; } -- if (pipe(perr) < 0) { + if (pipe(perr) < 0) { - error("%s: pipe err: %.100s", __func__, strerror(errno)); -- close(pin[0]); -- close(pin[1]); -- close(pout[0]); -- close(pout[1]); -- return -1; -+ if (s->is_subsystem) { -+ if ((perr[1] = open(_PATH_DEVNULL, O_WRONLY)) == -1) { -+ error("%s: open(%s): %s", __func__, _PATH_DEVNULL, -+ strerror(errno)); -+ close(pin[0]); -+ close(pin[1]); -+ close(pout[0]); -+ close(pout[1]); -+ return -1; -+ } -+ perr[0] = -1; -+ } else { -+ if (pipe(perr) < 0) { -+ error("%s: pipe err: %.100s", __func__, -+ strerror(errno)); -+ close(pin[0]); -+ close(pin[1]); -+ close(pout[0]); -+ close(pout[1]); -+ return -1; -+ } ++ error("%s: pipe err: %.100s", __func__, ++ strerror(errno)); + close(pin[0]); + close(pin[1]); + close(pout[0]); + close(pout[1]); + return -1; } ++ if (s->is_subsystem) ++ ignore_fderr = 1; #else int inout[2], err[2]; 
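Review bot: The statement `if (s->is_subsystem) ignore_fderr = 1;` is added twice, at the end of the USE_PIPES arm here and again at the end of the socketpair arm in the following hunk. A single `ignore_fderr = (s->is_subsystem != 0);` placed after `#endif` would keep the two transports from drifting apart. Both copies dereference `s`, and the `if (s == NULL)` guard is not visible in these hunks, so confirm it still runs before this point. do_exec_no_pty continues outside the hunk.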
@@ -63,29 +98,16 @@ diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c error("%s: socketpair #1: %.100s", __func__, strerror(errno)); return -1; } -- if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) { + if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) { - error("%s: socketpair #2: %.100s", __func__, strerror(errno)); -- close(inout[0]); -- close(inout[1]); -- return -1; -+ if (s->is_subsystem) { -+ if ((err[0] = open(_PATH_DEVNULL, O_WRONLY)) == -1) { -+ error("%s: open(%s): %s", __func__, _PATH_DEVNULL, -+ strerror(errno)); -+ close(inout[0]); -+ close(inout[1]); -+ return -1; -+ } -+ err[1] = -1; -+ } else { -+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) { -+ error("%s: socketpair #2: %.100s", __func__, -+ strerror(errno)); -+ close(inout[0]); -+ close(inout[1]); -+ return -1; -+ } ++ error("%s: socketpair #2: %.100s", __func__, ++ strerror(errno)); + close(inout[0]); + close(inout[1]); + return -1; } ++ if (s->is_subsystem) ++ ignore_fderr = 1; #endif - if (s == NULL) 
@@ -94,45 +116,7 @@ diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c session_proctitle(s); /* Fork the child. */ -@@ -496,13 +526,15 @@ do_exec_no_pty(Session *s, const char *c - close(pin[1]); - close(pout[0]); - close(pout[1]); -- close(perr[0]); -+ if (perr[0] != -1) -+ close(perr[0]); - close(perr[1]); - #else - close(inout[0]); - close(inout[1]); - close(err[0]); -- close(err[1]); -+ if (err[1] != -1) -+ close(err[1]); - #endif - return -1; - case 0: -@@ -536,7 +568,8 @@ do_exec_no_pty(Session *s, const char *c - close(pout[1]); - - /* Redirect stderr. */ -- close(perr[0]); -+ if (perr[0] != -1) -+ close(perr[0]); - if (dup2(perr[1], 2) < 0) - perror("dup2 stderr"); - close(perr[1]); -@@ -547,7 +580,8 @@ do_exec_no_pty(Session *s, const char *c - * seem to depend on it. - */ - close(inout[1]); -- close(err[1]); -+ if (err[1] != -1) -+ close(err[1]); - if (dup2(inout[0], 0) < 0) /* stdin */ - perror("dup2 stdin"); - if (dup2(inout[0], 1) < 0) /* stdout (same as stdin) */ -@@ -595,10 +629,6 @@ do_exec_no_pty(Session *s, const char *c +@@ -595,11 +606,7 @@ do_exec_no_pty(Session *s, const char *c close(perr[1]); if (compat20) { @@ -140,10 +124,12 @@ diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c - close(perr[0]); - perr[0] = -1; - } - session_set_fds(s, pin[1], pout[0], perr[0], 0); +- session_set_fds(s, pin[1], pout[0], perr[0], 0); ++ session_set_fds(s, pin[1], pout[0], perr[0], ignore_fderr, 0); } else { /* Enter the interactive session. */ -@@ -615,10 +645,7 @@ do_exec_no_pty(Session *s, const char *c + server_loop(pid, pin[1], pout[0], perr[0]); +@@ -615,10 +622,7 @@ do_exec_no_pty(Session *s, const char *c * handle the case that fdin and fdout are the same. */ if (compat20) { 
@@ -151,7 +137,35 @@ diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c - s->is_subsystem ? -1 : err[1], 0); - if (s->is_subsystem) - close(err[1]); -+ session_set_fds(s, inout[1], inout[1], err[1], 0); ++ session_set_fds(s, inout[1], inout[1], err[1], ignore_fderr, 0); } else { server_loop(pid, inout[1], inout[1], err[1]); /* server_loop has closed inout[1] and err[1]. */ +@@ -740,7 +744,7 @@ do_exec_pty(Session *s, const char *comm + s->ptymaster = ptymaster; + packet_set_interactive(1); + if (compat20) { +- session_set_fds(s, ptyfd, fdout, -1, 1); ++ session_set_fds(s, ptyfd, fdout, -1, 1, 1); + } else { + server_loop(pid, ptyfd, fdout, -1); + /* server_loop _has_ closed ptyfd and fdout. */ +@@ -2321,7 +2325,8 @@ session_input_channel_req(Channel *c, co + } + + void +-session_set_fds(Session *s, int fdin, int fdout, int fderr, int is_tty) ++session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr, ++ int is_tty) + { + if (!compat20) + fatal("session_set_fds: called for proto != 2.0"); +@@ -2333,7 +2338,7 @@ session_set_fds(Session *s, int fdin, in + fatal("no channel for session %d", s->self); + channel_set_fds(s->chanid, + fdout, fdin, fderr, +- fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, ++ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, + 1, is_tty, CHAN_SES_WINDOW_DEFAULT); + } + diff --git a/openssh.spec b/openssh.spec index 5970f29..2fcb39b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -70,7 +70,7 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%define openssh_rel 13 +%define openssh_rel 14 %define openssh_ver 5.5p1 %define pam_ssh_agent_rel 26 %define pam_ssh_agent_ver 0.9.2 @@ -584,6 +584,9 @@ fi %endif %changelog +* Wed Jun 23 2010 Jan F. Chadima - 5.5p1-14 + 0.9.2-26 +- sftp works in deviceless chroot again (broken from 5.5p1-3) + * Tue Jun 8 2010 Jan F. Chadima - 5.5p1-13 + 0.9.2-26 - add option to switch out krb5_kuserok
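Review bot: `session_set_fds` now takes two adjacent int flags (`ignore_fderr`, `is_tty`) with no comment, and the do_exec_pty call site reads `-1, 1, 1`, which is easy to misread. Before this change an `fderr` of -1 selected CHAN_EXTENDED_IGNORE by itself; now the mode depends only on the caller's flag, so a caller passing `fderr == -1` with `ignore_fderr == 0` gets CHAN_EXTENDED_READ on an absent descriptor and relies on the new `c->efd != -1` guards in channels.c. Keeping the old invariant costs nothing: `(ignore_fderr || fderr == -1) ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ`. A one-line comment above the function such as `/* ignore_fderr: read the child's stderr and discard it instead of forwarding it */` would document the flag.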