Move users/groups creation logic to sysusers.d fragments
Resolves: RHEL-5222
This commit is contained in:
parent
a43be164ec
commit
5838d35972
2
openssh-server-systemd-sysusers.conf
Normal file
2
openssh-server-systemd-sysusers.conf
Normal file
@ -0,0 +1,2 @@
|
||||
#Type Name ID GECOS Home directory Shell
|
||||
u sshd 74 "Privilege-separated SSH" /usr/share/empty.sshd -
|
2
openssh-systemd-sysusers.conf
Normal file
2
openssh-systemd-sysusers.conf
Normal file
@ -0,0 +1,2 @@
|
||||
#Type Name ID
|
||||
g ssh_keys 101
|
19
openssh.spec
19
openssh.spec
@ -7,10 +7,6 @@
|
||||
|
||||
%global _hardened_build 1
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
%global sshd_uid 74
|
||||
%global sshd_gid 74
|
||||
|
||||
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
||||
%global no_gnome_askpass 0
|
||||
|
||||
@ -76,6 +72,8 @@ Source12: sshd-keygen@.service
|
||||
Source13: sshd-keygen
|
||||
Source15: sshd-keygen.target
|
||||
Source16: ssh-agent.service
|
||||
Source17: openssh-systemd-sysusers.conf
|
||||
Source18: openssh-server-systemd-sysusers.conf
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
||||
Patch100: openssh-6.7p1-coverity.patch
|
||||
@ -652,6 +650,8 @@ install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
|
||||
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
||||
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
||||
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
|
||||
install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/openssh.conf
|
||||
install -p -D -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/openssh-server.conf
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||
@ -680,13 +680,10 @@ install -m 755 -d $RPM_BUILD_ROOT%{_libdir}/sshtest/
|
||||
install -m 755 regress/misc/sk-dummy/sk-dummy.so $RPM_BUILD_ROOT%{_libdir}/sshtest
|
||||
|
||||
%pre
|
||||
getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
|
||||
%sysusers_create_compat %{SOURCE17}
|
||||
|
||||
%pre server
|
||||
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
|
||||
getent passwd sshd >/dev/null || \
|
||||
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
||||
-s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
|
||||
%sysusers_create_compat %{SOURCE18}
|
||||
|
||||
%post server
|
||||
%systemd_post sshd.service sshd.socket
|
||||
@ -724,6 +721,7 @@ test -f %{sysconfig_anaconda} && \
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
||||
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
||||
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||
%attr(0644,root,root) %{_sysusersdir}/openssh.conf
|
||||
|
||||
%files clients
|
||||
%attr(0755,root,root) %{_bindir}/ssh
|
||||
@ -769,6 +767,7 @@ test -f %{sysconfig_anaconda} && \
|
||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
||||
%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
|
||||
|
||||
%files keycat
|
||||
%doc HOWTO.ssh-keycat
|
||||
@ -798,6 +797,8 @@ test -f %{sysconfig_anaconda} && \
|
||||
Resolves: RHEL-4734
|
||||
- Limit artificial delays in sshd while login using AD user
|
||||
Resolves: RHEL-2469
|
||||
- Move users/groups creation logic to sysusers.d fragments
|
||||
Resolves: RHEL-5222
|
||||
|
||||
* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
|
||||
- Avoid remote code execution in ssh-agent PKCS#11 support
|
||||
|
Loading…
Reference in New Issue
Block a user