Use /usr/share/empty.ssh instead of /var/empty/sshd

This has the following advantages: * Removes a dependency on a directory stored in /var * /usr is mounted read only on ostree based systems (CoreOS, Silverblue) This also removes the tmpfiles config. Edit Jakub Jelen: Removed the version bump from PR https://src.fedoraproject.org/rpms/openssh/pull-request/14
2020-12-14 17:24:27 +01:00 · 2020-12-14 17:24:27 +01:00 · a886069993
commit a886069993
parent 1a45c5da8d
3 changed files with 6 additions and 11 deletions
--- a/openssh.rpmlintrc
+++ b/openssh.rpmlintrc
@ -13,9 +13,8 @@ addFilter(r'openssh-(askpass|cavs).x86_64: W: no-documentation')
 # sshd config and sysconfig is not supposed to be world readable
 addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)')
-# The /var/empty/sshd is supposed to have the given permissions
+# /usr/share/empty.sshd is required to have the given permissions
-addFilter(r'non-standard-dir-perm /var/empty/sshd 711')
+addFilter(r'non-standard-dir-perm /usr/share/empty.sshd 711')
 addFilter(r'non-standard-dir-in-var empty')
 # Spelling false-positives
 addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ')
--- a/openssh.spec
+++ b/openssh.spec
@ -74,7 +74,6 @@ Source10: sshd.socket
 Source11: sshd.service
 Source12: sshd-keygen@.service
 Source13: sshd-keygen
 Source14: sshd.tmpfiles
 Source15: sshd-keygen.target
 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
@ -425,7 +424,7 @@ fi
 	--datadir=%{_datadir}/openssh \
 	--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
 	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
-	--with-privsep-path=%{_var}/empty/sshd \
+	--with-privsep-path=%{_datadir}/empty.sshd \
 	--disable-strip \
 	--without-zlib-version-check \
 	--with-ssl-engine \
@ -502,7 +501,6 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
 %make_install
 install -d $RPM_BUILD_ROOT/etc/pam.d/
@ -522,7 +520,7 @@ install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
 install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
-install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
+install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
 %if ! %{no_gnome_askpass}
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
@ -553,7 +551,7 @@ getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
 getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
 getent passwd sshd >/dev/null || \
  useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
-  -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
+  -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
 %post server
 %systemd_post sshd.service sshd.socket
@ -611,7 +609,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
 %files server
-%dir %attr(0711,root,root) %{_var}/empty/sshd
+%dir %attr(0711,root,root) %{_datadir}/empty.sshd
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
@ -629,7 +627,6 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
 %attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
 %files keycat
 %doc HOWTO.ssh-keycat
--- a/sshd.tmpfiles
+++ b/sshd.tmpfiles
@ -1 +0,0 @@
 d /var/empty/sshd 711 root root -