diff --git a/openssh-7.2p2-chroot-capabilities.patch b/openssh-7.2p2-chroot-capabilities.patch
deleted file mode 100644
index ea71cb9..0000000
--- a/openssh-7.2p2-chroot-capabilities.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index aeef42a..d01e67e 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -4998,6 +4998,37 @@ if test -n "$conf_lastlog_location"; then
- [Define if you want to specify the path to your lastlog file])
- fi
- 
-+AC_ARG_WITH(libcap-ng,
-+ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],,
-+ with_libcap_ng=auto)
-+
-+dnl libcap-ng detection
-+if test x$with_libcap_ng = xno ; then
-+ have_libcap_ng=no;
-+else
-+ # Start by checking for header file
-+ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
-+
-+ # See if we have libcap-ng library
-+ AC_CHECK_LIB(cap-ng, capng_clear, CAPNG_LDADD=-lcap-ng,)
-+
-+ # Check results are usable
-+ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
-+ AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
-+ fi
-+ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
-+ AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
-+ fi
-+fi
-+AC_MSG_CHECKING(whether to use libcap-ng)
-+if test x$CAPNG_LDADD != x ; then
-+ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
-+ SSHDLIBS="$SSHDLIBS -lcap-ng"
-+ AC_MSG_RESULT(yes)
-+else
-+ AC_MSG_RESULT(no)
-+fi
-+
- dnl utmp detection
- AC_MSG_CHECKING([if your system defines UTMP_FILE])
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-diff --git a/session.c b/session.c
-index 6cfcba4..80d2806 100644
---- a/session.c
-+++ b/session.c
-@@ -96,6 +96,10 @@
- #include "monitor_wrap.h"
- #include "sftp.h"
- 
-+#ifdef HAVE_LIBCAP_NG
-+#include
-+#endif
-+
- #if defined(KRB5) && defined(USE_AFS)
- #include
- #endif
-@@ -1586,6 +1590,7 @@ void
- do_setusercontext(struct passwd *pw)
- {
- char *chroot_path, *tmp;
-+ int dropped_suid = -1;
- 
- platform_setusercontext(pw);
- 
-@@ -1619,10 +1624,25 @@ do_setusercontext(struct passwd *pw)
- pw->pw_uid);
- chroot_path = percent_expand(tmp, "h", pw->pw_dir,
- "u", pw->pw_name, (char *)NULL);
-+#ifdef HAVE_LIBCAP_NG
-+ /* drop suid soon, retain SYS_CHROOT capability */
-+ capng_clear(CAPNG_SELECT_BOTH);
-+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
-+ if (pw->pw_uid != 0 &&
-+ (dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_INIT_SUPP_GRP)) != 0)
-+ logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
-+#endif
- #ifdef WITH_SELINUX
- sshd_selinux_copy_context();
- #endif
- safely_chroot(chroot_path, pw->pw_uid);
-+#ifdef HAVE_LIBCAP_NG
-+ /* Drop chroot capability. Already used */
-+ if (dropped_suid == 0) {
-+ capng_clear(CAPNG_SELECT_BOTH);
-+ capng_apply(CAPNG_SELECT_BOTH);
-+ }
-+#endif
- free(tmp);
- free(chroot_path);
- /* Make sure we don't attempt to chroot again */
-@@ -1654,8 +1673,9 @@ do_setusercontext(struct passwd *pw)
- if (!in_chroot && set_id(pw->pw_name) != 0)
- fatal("set_id(%s) Failed", pw->pw_name);
- # endif /* USE_LIBIAF */
-- /* Permanently switch to the desired uid. */
-- permanently_set_uid(pw);
-+ /* Permanently switch to the desired uid if not yet done. */
-+ if (dropped_suid != 0)
-+ permanently_set_uid(pw);
- #endif
- 
- #ifdef WITH_SELINUX
diff --git a/openssh.spec b/openssh.spec
index 5b95119..d2aec1c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -222,8 +222,6 @@ Patch939: openssh-7.2p2-s390-closefrom.patch
 # expose more information to PAM
 # https://github.com/openssh/openssh-portable/pull/47
 Patch940: openssh-7.2p2-expose-pam.patch
-# Rework SELinux context handling with chroot (#1357860)
-Patch942: openssh-7.2p2-chroot-capabilities.patch
 # Move MAX_DISPLAYS to a configuration option (#1341302)
 Patch944: openssh-7.3p1-x11-max-displays.patch
 # Help systemd to track the running service
@@ -259,7 +257,6 @@ BuildRequires: tcp_wrappers-devel
 BuildRequires: fipscheck-devel >= 1.3.0
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
-BuildRequires: libcap-ng-devel
 BuildRequires: systemd-devel
 %if %{kerberos5}
@@ -462,7 +459,6 @@ popd
 %patch933 -p1 -b .fingerprint
 %patch939 -p1 -b .s390-dev
 %patch940 -p1 -b .expose-pam
-%patch942 -p1 -b .chroot-cap
 %patch944 -p1 -b .x11max
 %patch948 -p1 -b .systemd
 %patch949 -p1 -b .sandbox