From 762e407bd587c26be99168b6982b9c7f6893af1e Mon Sep 17 00:00:00 2001
From: Tomáš Mráz
Date: Jul 20 2006 11:06:42 +0000
Subject: - dropped old ssh obsoletes - call the pam_session_open/close from the monitor when privsep is enabled so it is always called as root (patch by Darren Tucker)
---
diff --git a/openssh-4.3p2-pam-session.patch b/openssh-4.3p2-pam-session.patch
new file mode 100644
index 0000000..7cdd90c
--- /dev/null
+++ b/openssh-4.3p2-pam-session.patch
@@ -0,0 +1,91 @@
+Index: auth-pam.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
+retrieving revision 1.134
+diff -u -p -r1.134 auth-pam.c
+--- auth-pam.c 15 May 2006 07:22:33 -0000 1.134
++++ auth-pam.c 22 May 2006 08:50:59 -0000
+@@ -573,15 +573,17 @@ static struct pam_conv store_conv = { ss
+ void
+ sshpam_cleanup(void)
+ {
+- debug("PAM: cleanup");
+- if (sshpam_handle == NULL)
++ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
+ return;
++ debug("PAM: cleanup");
+ pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
+ if (sshpam_cred_established) {
++ debug("PAM: deleting credentials");
+ pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+ sshpam_cred_established = 0;
+ }
+ if (sshpam_session_open) {
++ debug("PAM: closing session");
+ pam_close_session(sshpam_handle, PAM_SILENT);
+ sshpam_session_open = 0;
+ }
+Index: monitor.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
+retrieving revision 1.104
+diff -u -p -r1.104 monitor.c
+--- monitor.c 21 May 2006 08:26:40 -0000 1.104
++++ monitor.c 22 May 2006 08:37:58 -0000
+@@ -354,6 +354,10 @@ monitor_child_preauth(Authctxt *_authctx
+ MONITOR_REQ_PAM_ACCOUNT, &m);
+ authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
+ buffer_free(&m);
++ if (authenticated) {
++ do_pam_session();
++ do_pam_setcred(0);
++ }
+ }
+ #endif
+ }
+@@ -1531,6 +1535,11 @@ mm_answer_term(int sock, Buffer *req)
+ /* The child is terminating */
+ session_destroy_all(&mm_session_close);
+ 
++#ifdef USE_PAM
++ if (options.use_pam)
++ sshpam_cleanup();
++#endif
++
+ while (waitpid(pmonitor->m_pid, &status, 0) == -1)
+ if (errno != EINTR)
+ exit(1);
+Index: session.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
+retrieving revision 1.328
+diff -u -p -r1.328 session.c
+--- session.c 4 May 2006 06:24:34 -0000 1.328
++++ session.c 22 May 2006 08:14:24 -0000
+@@ -541,7 +541,7 @@ do_exec_pty(Session *s, const char *comm
+ ttyfd = s->ttyfd;
+ 
+ #if defined(USE_PAM)
+- if (options.use_pam) {
++ if (options.use_pam && !use_privsep) {
+ do_pam_set_tty(s->tty);
+ if (!use_privsep)
+ do_pam_setcred(1);
+@@ -1284,7 +1284,7 @@ do_setusercontext(struct passwd *pw)
+ }
+ #endif
+ # ifdef USE_PAM
+- if (options.use_pam) {
++ if (options.use_pam && !use_privsep) {
+ do_pam_session();
+ do_pam_setcred(0);
+ }
+@@ -1326,7 +1326,7 @@ do_setusercontext(struct passwd *pw)
+ * These will have been wiped by the above initgroups() call.
+ * Reestablish them here.
+ */
+- if (options.use_pam) {
++ if (options.use_pam && !use_privsep) {
+ do_pam_session();
+ do_pam_setcred(0);
+ }
diff --git a/openssh.spec b/openssh.spec
index a59c465..3cded84 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -58,7 +58,7 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.3p2
-%define rel 6
+%define rel 7
 %if %{rescue}
 %define %{rel}rescue
 %else
@@ -92,11 +92,10 @@ Patch35: openssh-4.2p1-askpass-progress.patch
 Patch36: openssh-4.3p2-buffer-len.patch
 Patch37: openssh-4.3p2-configure-typo.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
+Patch39: openssh-4.3p2-pam-session.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
-Obsoletes: ssh
-Provides: ssh
 %if %{nologin}
 Requires: /sbin/nologin
 %endif
@@ -140,14 +139,10 @@ BuildRequires: xauth
 Summary: The OpenSSH client applications
 Requires: openssh = %{version}-%{release}
 Group: Applications/Internet
-Obsoletes: ssh-clients
-Provides: ssh-clients
 %package server
 Summary: The OpenSSH server daemon
 Group: System Environment/Daemons
-Obsoletes: ssh-server
-Provides: ssh-server
 Requires: openssh = %{version}-%{release}
 Requires(post): chkconfig >= 0.9, /sbin/service
 Requires(pre): /usr/sbin/useradd
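Review bot: In the session.c hunk at do_exec_pty, widening the guard to `options.use_pam && !use_privsep` also skips `do_pam_set_tty(s->tty)`, so with privilege separation enabled the PAM_TTY item is never set, while pam_open_session now runs in the monitor (monitor_child_preauth hunk) before any pty exists; session modules that key on the tty will see none, and nothing in the patch forwards the tty name to the monitor. Inside that same block the inner `if (!use_privsep)` before `do_pam_setcred(1)` is now always true and can be dropped, leaving `do_pam_set_tty(s->tty);` followed directly by `do_pam_setcred(1);`. Whether the unprivileged child's sshpam_handle is still usable after privsep is not visible here, so restoring the tty item likely needs a monitor request rather than simply lifting the guard. do_exec_pty's body continues outside the hunk.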
@@ -157,8 +152,8 @@ Requires: /etc/pam.d/system-auth, /%{_lib}/security/pam_loginuid.so
 Summary: A passphrase dialog for OpenSSH and X
 Group: Applications/Internet
 Requires: openssh = %{version}-%{release}
-Obsoletes: ssh-extras, openssh-askpass-gnome
-Provides: ssh-extras, openssh-askpass-gnome
+Obsoletes: openssh-askpass-gnome
+Provides: openssh-askpass-gnome
 %description
 SSH (Secure SHell) is a program for logging into and executing
@@ -225,6 +220,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch36 -p0 -b .buffer-len
 %patch37 -p1 -b .typo
 %patch38 -p1 -b .grab-info
+%patch39 -p0 -b .pam-session
 autoreconf
@@ -466,6 +462,11 @@ fi
 %endif
 %changelog
+* Thu Jul 20 2006 Tomas Mraz - 4.3p2-7
+- dropped old ssh obsoletes
+- call the pam_session_open/close from the monitor when privsep is
+ enabled so it is always called as root (patch by Darren Tucker)
+
 * Mon Jul 17 2006 Tomas Mraz - 4.3p2-6
 - improve selinux patch (by Jan Kiszka)
 - upstream patch for buffer append space error (#191940)