rpms/openssh/devel openssh-5.2p1-selinux.patch, 1.3, 1.4 openssh-5.2p1-sesftp.patch, 1.6, 1.7 openssh.spec, 1.159, 1.160
Jan F. Chadima
jfch2222 at fedoraproject.org
Mon Aug 31 12:38:20 UTC 2009
- Previous message (by thread): rpms/parted/devel parted-1.9.0-commit-without-close.patch, NONE, 1.1 parted-1.9.0-dont-touch-part-nodes.patch, NONE, 1.1 parted-1.9.0-no-BLKPG.patch, NONE, 1.1 parted.spec, 1.147, 1.148
- Next message (by thread): rpms/openssh/devel openssh.spec,1.160,1.161
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: jfch2222
Update of /cvs/pkgs/rpms/openssh/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19829
Modified Files:
openssh-5.2p1-selinux.patch openssh-5.2p1-sesftp.patch
openssh.spec
Log Message:
Upstream convergence
openssh-5.2p1-selinux.patch:
auth.h | 3 +++
auth1.c | 17 +++++++++++++++++
auth2-gss.c | 11 ++++++++++-
auth2-hostbased.c | 10 +++++++++-
auth2-pubkey.c | 10 +++++++++-
auth2.c | 17 ++++++++++++++++-
configure.ac | 1 +
monitor.c | 36 ++++++++++++++++++++++++++++++++++--
monitor.h | 3 +++
monitor_wrap.c | 19 +++++++++++++++++++
monitor_wrap.h | 3 +++
openbsd-compat/port-linux.c | 32 +++++++++++++++++++++++++-------
12 files changed, 149 insertions(+), 13 deletions(-)
Index: openssh-5.2p1-selinux.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.2p1-selinux.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- openssh-5.2p1-selinux.patch 28 Aug 2009 21:46:27 -0000 1.3
+++ openssh-5.2p1-selinux.patch 31 Aug 2009 12:38:20 -0000 1.4
@@ -1,116 +1,301 @@
-diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac
---- openssh-5.2p1/configure.ac.selinux 2008-07-23 16:32:13.000000000 +0200
-+++ openssh-5.2p1/configure.ac 2008-07-23 16:32:13.000000000 +0200
-@@ -3309,6 +3309,7 @@ AC_ARG_WITH(selinux,
- AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
- AC_MSG_ERROR(SELinux support requires libselinux library))
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
-+ LIBS="$LIBS $LIBSELINUX"
- AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
- LIBS="$save_LIBS"
- fi ]
diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
---- openssh-5.2p1/auth1.c.selinux 2008-07-23 16:32:13.000000000 +0200
-+++ openssh-5.2p1/auth1.c 2008-07-23 16:32:13.000000000 +0200
-@@ -391,7 +391,7 @@ void
- do_authentication(Authctxt *authctxt)
+--- openssh-5.2p1/auth1.c.selinux 2008-07-09 12:54:05.000000000 +0200
++++ openssh-5.2p1/auth1.c 2009-08-11 22:43:07.918183730 +0200
+@@ -392,6 +392,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
-- char *user, *style = NULL;
-+ char *user, *style = NULL, *role=NULL;
+ char *user, *style = NULL;
++#ifdef WITH_SELINUX
++ char *role=NULL;
++#endif
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
-@@ -400,11 +400,19 @@ do_authentication(Authctxt *authctxt)
+@@ -400,11 +403,25 @@ do_authentication(Authctxt *authctxt)
user = packet_get_string(&ulen);
packet_check_eom();
++#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
++#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
++#ifdef WITH_SELINUX
+ else
+ if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
++#endif
+
authctxt->user = user;
authctxt->style = style;
++#ifdef WITH_SELINUX
+ authctxt->role = role;
++#endif
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
+diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
+--- openssh-5.2p1/auth2.c.selinux 2008-11-05 06:20:46.000000000 +0100
++++ openssh-5.2p1/auth2.c 2009-08-11 22:43:07.919756192 +0200
+@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
+ Authctxt *authctxt = ctxt;
+ Authmethod *m = NULL;
+ char *user, *service, *method, *style = NULL;
++#ifdef WITH_SELINUX
++ char *role = NULL;
++#endif
+ int authenticated = 0;
+
+ if (authctxt == NULL)
+@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
+ debug("userauth-request for user %s service %s method %s", user, service, method);
+ debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+
++#ifdef WITH_SELINUX
++ if ((role = strchr(user, '/')) != NULL)
++ *role++ = 0;
++#endif
++
+ if ((style = strchr(user, ':')) != NULL)
+ *style++ = 0;
+
+@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
+ use_privsep ? " [net]" : "");
+ authctxt->service = xstrdup(service);
+ authctxt->style = style ? xstrdup(style) : NULL;
+- if (use_privsep)
++#ifdef WITH_SELINUX
++ authctxt->role = role ? xstrdup(role) : NULL;
++#endif
++ if (use_privsep) {
+ mm_inform_authserv(service, style);
++#ifdef WITH_SELINUX
++ mm_inform_authrole(role);
++#endif
++ }
+ userauth_banner();
+ } else if (strcmp(user, authctxt->user) != 0 ||
+ strcmp(service, authctxt->service) != 0) {
+diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c
+--- openssh-5.2p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100
++++ openssh-5.2p1/auth2-gss.c 2009-08-11 22:43:07.921723295 +0200
+@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
+ Authctxt *authctxt = ctxt;
+ Gssctxt *gssctxt;
+ int authenticated = 0;
++ char *micuser;
+ Buffer b;
+ gss_buffer_desc mic, gssbuf;
+ u_int len;
+@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
+ mic.value = packet_get_string(&len);
+ mic.length = len;
+
+- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
++#ifdef WITH_SELINUX
++ if (authctxt->role && (strlen(authctxt->role) > 0))
++ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
++ else
++#endif
++ micuser = authctxt->user;
++ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
+ "gssapi-with-mic");
+
+ gssbuf.value = buffer_ptr(&b);
+@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
+ logit("GSSAPI MIC check failed");
+
+ buffer_free(&b);
++ if (micuser != authctxt->user)
++ xfree(micuser);
+ xfree(mic.value);
+
+ authctxt->postponed = 0;
+diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
+--- openssh-5.2p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
++++ openssh-5.2p1/auth2-hostbased.c 2009-08-11 22:43:07.923721059 +0200
+@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
+ buffer_put_string(&b, session_id2, session_id2_len);
+ /* reconstruct packet */
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+- buffer_put_cstring(&b, authctxt->user);
++#ifdef WITH_SELINUX
++ if (authctxt->role) {
++ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
++ buffer_append(&b, authctxt->user, strlen(authctxt->user));
++ buffer_put_char(&b, '/');
++ buffer_append(&b, authctxt->role, strlen(authctxt->role));
++ } else
++#endif
++ buffer_put_cstring(&b, authctxt->user);
+ buffer_put_cstring(&b, service);
+ buffer_put_cstring(&b, "hostbased");
+ buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c
--- openssh-5.2p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200
-+++ openssh-5.2p1/auth2-pubkey.c 2008-07-23 16:32:13.000000000 +0200
-@@ -117,7 +117,14 @@ userauth_pubkey(Authctxt *authctxt)
++++ openssh-5.2p1/auth2-pubkey.c 2009-08-11 22:43:07.925704588 +0200
+@@ -117,7 +117,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
++#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
-+ } else {
++ } else
++#endif
+ buffer_put_cstring(&b, authctxt->user);
-+ }
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
-diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
---- openssh-5.2p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200
-+++ openssh-5.2p1/monitor_wrap.h 2008-07-23 16:32:13.000000000 +0200
-@@ -41,6 +41,7 @@ int mm_is_monitor(void);
- DH *mm_choose_dh(int, int, int);
- int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
- void mm_inform_authserv(char *, char *);
-+void mm_inform_authrole(char *);
- struct passwd *mm_getpwnamallow(const char *);
- char *mm_auth2_read_banner(void);
- int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
---- openssh-5.2p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200
-+++ openssh-5.2p1/monitor.h 2008-07-23 16:32:13.000000000 +0200
-@@ -30,7 +30,7 @@
+diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
+--- openssh-5.2p1/auth.h.selinux 2008-11-05 06:20:46.000000000 +0100
++++ openssh-5.2p1/auth.h 2009-08-11 22:43:07.927199901 +0200
+@@ -58,6 +58,9 @@ struct Authctxt {
+ char *service;
+ struct passwd *pw; /* set if 'valid' */
+ char *style;
++#ifdef WITH_SELINUX
++ char *role;
++#endif
+ void *kbdintctxt;
+ void *jpake_ctx;
+ #ifdef BSD_AUTH
+diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac
+--- openssh-5.2p1/configure.ac.selinux 2009-02-16 05:37:03.000000000 +0100
++++ openssh-5.2p1/configure.ac 2009-08-11 22:43:07.930259052 +0200
+@@ -3335,6 +3335,7 @@ AC_ARG_WITH(selinux,
+ AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
+ AC_MSG_ERROR(SELinux support requires libselinux library))
+ SSHDLIBS="$SSHDLIBS $LIBSELINUX"
++ LIBS="$LIBS $LIBSELINUX"
+ AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+ LIBS="$save_LIBS"
+ fi ]
+diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
+--- openssh-5.2p1/monitor.c.selinux 2009-02-14 06:33:31.000000000 +0100
++++ openssh-5.2p1/monitor.c 2009-08-11 22:43:07.933623092 +0200
+@@ -135,6 +135,9 @@ int mm_answer_sign(int, Buffer *);
+ int mm_answer_pwnamallow(int, Buffer *);
+ int mm_answer_auth2_read_banner(int, Buffer *);
+ int mm_answer_authserv(int, Buffer *);
++#ifdef WITH_SELINUX
++int mm_answer_authrole(int, Buffer *);
++#endif
+ int mm_answer_authpassword(int, Buffer *);
+ int mm_answer_bsdauthquery(int, Buffer *);
+ int mm_answer_bsdauthrespond(int, Buffer *);
+@@ -211,6 +214,9 @@ struct mon_table mon_dispatch_proto20[]
+ {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+ {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
++#ifdef WITH_SELINUX
++ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
++#endif
+ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+ {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+@@ -680,6 +686,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
+ else {
+ /* Allow service/style information on the auth context */
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
++#ifdef WITH_SELINUX
++ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
++#endif
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+ }
+
+@@ -724,6 +733,25 @@ mm_answer_authserv(int sock, Buffer *m)
+ return (0);
+ }
+
++#ifdef WITH_SELINUX
++int
++mm_answer_authrole(int sock, Buffer *m)
++{
++ monitor_permit_authentications(1);
++
++ authctxt->role = buffer_get_string(m, NULL);
++ debug3("%s: role=%s",
++ __func__, authctxt->role);
++
++ if (strlen(authctxt->role) == 0) {
++ xfree(authctxt->role);
++ authctxt->role = NULL;
++ }
++
++ return (0);
++}
++#endif
++
+ int
+ mm_answer_authpassword(int sock, Buffer *m)
+ {
+@@ -1102,7 +1130,7 @@ static int
+ monitor_valid_userblob(u_char *data, u_int datalen)
+ {
+ Buffer b;
+- char *p;
++ char *p, *r;
+ u_int len;
+ int fail = 0;
+@@ -1128,6 +1156,8 @@ monitor_valid_userblob(u_char *data, u_i
+ if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+ fail++;
+ p = buffer_get_string(&b, NULL);
++ if ((r = strchr(p, '/')) != NULL)
++ *r = '\0';
+ if (strcmp(authctxt->user, p) != 0) {
+ logit("wrong user name passed to monitor: expected %s != %.100s",
+ authctxt->user, p);
+@@ -1159,7 +1189,7 @@ monitor_valid_hostbasedblob(u_char *data
+ char *chost)
+ {
+ Buffer b;
+- char *p;
++ char *p, *r;
+ u_int len;
+ int fail = 0;
+
+@@ -1176,6 +1206,8 @@ monitor_valid_hostbasedblob(u_char *data
+ if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+ fail++;
+ p = buffer_get_string(&b, NULL);
++ if ((r = strchr(p, '/')) != NULL)
++ *r = '\0';
+ if (strcmp(authctxt->user, p) != 0) {
+ logit("wrong user name passed to monitor: expected %s != %.100s",
+ authctxt->user, p);
+diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
+--- openssh-5.2p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100
++++ openssh-5.2p1/monitor.h 2009-08-11 22:43:07.935612930 +0200
+@@ -31,6 +31,9 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
-+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
++#ifdef WITH_SELINUX
++ MONITOR_REQ_AUTHROLE,
++#endif
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
-diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
---- openssh-5.2p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
-+++ openssh-5.2p1/auth2-hostbased.c 2008-07-23 16:32:13.000000000 +0200
-@@ -106,7 +106,14 @@ userauth_hostbased(Authctxt *authctxt)
- buffer_put_string(&b, session_id2, session_id2_len);
- /* reconstruct packet */
- buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-- buffer_put_cstring(&b, authctxt->user);
-+ if (authctxt->role) {
-+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
-+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
-+ buffer_put_char(&b, '/');
-+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
-+ } else {
-+ buffer_put_cstring(&b, authctxt->user);
-+ }
- buffer_put_cstring(&b, service);
- buffer_put_cstring(&b, "hostbased");
- buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c
---- openssh-5.2p1/monitor_wrap.c.selinux 2008-07-11 09:36:48.000000000 +0200
-+++ openssh-5.2p1/monitor_wrap.c 2008-07-23 16:32:13.000000000 +0200
-@@ -296,6 +296,23 @@ mm_inform_authserv(char *service, char *
+--- openssh-5.2p1/monitor_wrap.c.selinux 2008-11-05 06:20:47.000000000 +0100
++++ openssh-5.2p1/monitor_wrap.c 2009-08-11 22:43:07.937212340 +0200
+@@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
+/* Inform the privileged process about role */
+
++#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
@@ -125,13 +310,27 @@ diff -up openssh-5.2p1/monitor_wrap.c.se
+
+ buffer_free(&m);
+}
++#endif
+
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
+diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
+--- openssh-5.2p1/monitor_wrap.h.selinux 2008-11-05 06:20:47.000000000 +0100
++++ openssh-5.2p1/monitor_wrap.h 2009-08-11 22:43:07.938268752 +0200
+@@ -41,6 +41,9 @@ int mm_is_monitor(void);
+ DH *mm_choose_dh(int, int, int);
+ int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+ void mm_inform_authserv(char *, char *);
++#ifdef WITH_SELINUX
++void mm_inform_authrole(char *);
++#endif
+ struct passwd *mm_getpwnamallow(const char *);
+ char *mm_auth2_read_banner(void);
+ int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd-compat/port-linux.c
--- openssh-5.2p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100
-+++ openssh-5.2p1/openbsd-compat/port-linux.c 2008-07-23 16:32:13.000000000 +0200
++++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-11 22:44:14.529196220 +0200
@@ -30,11 +30,16 @@
#ifdef WITH_SELINUX
#include "log.h"
@@ -193,169 +392,3 @@ diff -up openssh-5.2p1/openbsd-compat/po
if (r != 0) {
switch (security_getenforce()) {
-diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
---- openssh-5.2p1/auth.h.selinux 2008-07-02 14:37:30.000000000 +0200
-+++ openssh-5.2p1/auth.h 2008-07-23 16:32:13.000000000 +0200
-@@ -58,6 +58,7 @@ struct Authctxt {
- char *service;
- struct passwd *pw; /* set if 'valid' */
- char *style;
-+ char *role;
- void *kbdintctxt;
- void *jpake_ctx;
- #ifdef BSD_AUTH
-diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
---- openssh-5.2p1/auth2.c.selinux 2008-07-05 01:44:53.000000000 +0200
-+++ openssh-5.2p1/auth2.c 2008-07-23 16:32:13.000000000 +0200
-@@ -209,7 +209,7 @@ input_userauth_request(int type, u_int32
- {
- Authctxt *authctxt = ctxt;
- Authmethod *m = NULL;
-- char *user, *service, *method, *style = NULL;
-+ char *user, *service, *method, *style = NULL, *role = NULL;
- int authenticated = 0;
-
- if (authctxt == NULL)
-@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32
- debug("userauth-request for user %s service %s method %s", user, service, method);
- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
-
-+ if ((role = strchr(user, '/')) != NULL)
-+ *role++ = 0;
-+
- if ((style = strchr(user, ':')) != NULL)
- *style++ = 0;
-
-@@ -246,8 +249,11 @@ input_userauth_request(int type, u_int32
- use_privsep ? " [net]" : "");
- authctxt->service = xstrdup(service);
- authctxt->style = style ? xstrdup(style) : NULL;
-- if (use_privsep)
-+ authctxt->role = role ? xstrdup(role) : NULL;
-+ if (use_privsep) {
- mm_inform_authserv(service, style);
-+ mm_inform_authrole(role);
-+ }
- userauth_banner();
- } else if (strcmp(user, authctxt->user) != 0 ||
- strcmp(service, authctxt->service) != 0) {
-diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
---- openssh-5.2p1/monitor.c.selinux 2008-07-11 09:36:48.000000000 +0200
-+++ openssh-5.2p1/monitor.c 2008-07-23 16:36:10.000000000 +0200
-@@ -134,6 +134,7 @@ int mm_answer_sign(int, Buffer *);
- int mm_answer_pwnamallow(int, Buffer *);
- int mm_answer_auth2_read_banner(int, Buffer *);
- int mm_answer_authserv(int, Buffer *);
-+int mm_answer_authrole(int, Buffer *);
- int mm_answer_authpassword(int, Buffer *);
- int mm_answer_bsdauthquery(int, Buffer *);
- int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -205,6 +206,7 @@ struct mon_table mon_dispatch_proto20[]
- {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
- {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
- {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
-+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
- {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
- {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
- #ifdef USE_PAM
-@@ -658,6 +660,7 @@ mm_answer_pwnamallow(int sock, Buffer *m
- else {
- /* Allow service/style information on the auth context */
- monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
-+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
- }
-
-@@ -703,6 +706,23 @@ mm_answer_authserv(int sock, Buffer *m)
- }
-
- int
-+mm_answer_authrole(int sock, Buffer *m)
-+{
-+ monitor_permit_authentications(1);
-+
-+ authctxt->role = buffer_get_string(m, NULL);
-+ debug3("%s: role=%s",
-+ __func__, authctxt->role);
-+
-+ if (strlen(authctxt->role) == 0) {
-+ xfree(authctxt->role);
-+ authctxt->role = NULL;
-+ }
-+
-+ return (0);
-+}
-+
-+int
- mm_answer_authpassword(int sock, Buffer *m)
- {
- static int call_count;
-@@ -1080,7 +1100,7 @@ static int
- monitor_valid_userblob(u_char *data, u_int datalen)
- {
- Buffer b;
-- char *p;
-+ char *p, *r;
- u_int len;
- int fail = 0;
-
-@@ -1106,6 +1126,8 @@ monitor_valid_userblob(u_char *data, u_i
- if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
- fail++;
- p = buffer_get_string(&b, NULL);
-+ if ((r = strchr(p, '/')) != NULL)
-+ *r = '\0';
- if (strcmp(authctxt->user, p) != 0) {
- logit("wrong user name passed to monitor: expected %s != %.100s",
- authctxt->user, p);
-@@ -1137,7 +1159,7 @@ monitor_valid_hostbasedblob(u_char *data
- char *chost)
- {
- Buffer b;
-- char *p;
-+ char *p, *r;
- u_int len;
- int fail = 0;
-
-@@ -1154,6 +1176,8 @@ monitor_valid_hostbasedblob(u_char *data
- if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
- fail++;
- p = buffer_get_string(&b, NULL);
-+ if ((r = strchr(p, '/')) != NULL)
-+ *r = '\0';
- if (strcmp(authctxt->user, p) != 0) {
- logit("wrong user name passed to monitor: expected %s != %.100s",
- authctxt->user, p);
-diff -up openssh-5.1p1/auth2-gss.c.gssapi-role openssh-5.1p1/auth2-gss.c
---- openssh-5.1p1/auth2-gss.c.gssapi-role 2007-12-02 12:59:45.000000000 +0100
-+++ openssh-5.1p1/auth2-gss.c 2008-07-23 19:18:15.000000000 +0200
-@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
- Authctxt *authctxt = ctxt;
- Gssctxt *gssctxt;
- int authenticated = 0;
-+ char *micuser;
- Buffer b;
- gss_buffer_desc mic, gssbuf;
- u_int len;
-@@ -270,7 +271,11 @@ input_gssapi_mic(int type, u_int32_t ple
- mic.value = packet_get_string(&len);
- mic.length = len;
-
-- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
-+ if (authctxt->role && (strlen(authctxt->role) > 0))
-+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
-+ else
-+ micuser = authctxt->user;
-+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
- "gssapi-with-mic");
-
- gssbuf.value = buffer_ptr(&b);
-@@ -282,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
- logit("GSSAPI MIC check failed");
-
- buffer_free(&b);
-+ if (micuser != authctxt->user)
-+ xfree(micuser);
- xfree(mic.value);
-
- authctxt->postponed = 0;
openssh-5.2p1-sesftp.patch:
openbsd-compat/port-linux.c | 32 ++++++++++++++++++++++++++++++++
openbsd-compat/port-linux.h | 1 +
session.c | 3 +++
3 files changed, 36 insertions(+)
Index: openssh-5.2p1-sesftp.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.2p1-sesftp.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -p -r1.6 -r1.7
--- openssh-5.2p1-sesftp.patch 28 Aug 2009 22:43:53 -0000 1.6
+++ openssh-5.2p1-sesftp.patch 31 Aug 2009 12:38:20 -0000 1.7
@@ -1,67 +1,64 @@
-diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c
---- openssh-5.2p1/session.c.sesftp 2009-08-09 10:21:11.586827446 +0200
-+++ openssh-5.2p1/session.c 2009-08-09 10:39:30.475622699 +0200
-@@ -58,6 +58,9 @@
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#endif
+diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-compat/port-linux.c
+--- openssh-5.2p1/openbsd-compat/port-linux.c.sesftp 2009-08-12 00:29:37.712368892 +0200
++++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-12 00:29:37.732544890 +0200
+@@ -469,4 +469,36 @@ ssh_selinux_setup_pty(char *pwname, cons
+ freecon(user_ctx);
+ debug3("%s: done", __func__);
+ }
++
++void
++ssh_selinux_change_context(const char *newname)
++{
++ int len, newlen;
++ char *oldctx, *newctx, *cx;
++
++ if (!ssh_selinux_enabled())
++ return;
++
++ if (getcon((security_context_t *)&oldctx) < 0) {
++ logit("%s: getcon failed with %s", __func__, strerror (errno));
++ return;
++ }
++ if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == NULL) {
++ logit ("%s: unparseable context %s", __func__, oldctx);
++ return;
++ }
++
++ newlen = strlen(oldctx) + strlen(newname) + 1;
++ newctx = xmalloc(newlen);
++ len = cx - oldctx + 1;
++ memcpy(newctx, oldctx, len);
++ strlcpy(newctx + len, newname, newlen - len);
++ if ((cx = index(cx + 1, ':')))
++ strlcat(newctx, cx, newlen);
++ debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx);
++ if (setcon(newctx) < 0)
++ logit("%s: setcon failed with %s", __func__, strerror (errno));
++ xfree(oldctx);
++ xfree(newctx);
++}
+ #endif /* WITH_SELINUX */
+diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-compat/port-linux.h
+--- openssh-5.2p1/openbsd-compat/port-linux.h.sesftp 2008-03-26 21:27:21.000000000 +0100
++++ openssh-5.2p1/openbsd-compat/port-linux.h 2009-08-12 00:29:37.733388083 +0200
+@@ -23,6 +23,7 @@
+ int ssh_selinux_enabled(void);
+ void ssh_selinux_setup_pty(char *, const char *);
+ void ssh_selinux_setup_exec_context(char *);
++void ssh_selinux_change_context(const char *);
+ #endif
- #include "openbsd-compat/sys-queue.h"
- #include "xmalloc.h"
-@@ -101,6 +104,9 @@
- c[sizeof(INTERNAL_SFTP_NAME) - 1] == ' ' || \
- c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\t'))
-
-+#ifdef WITH_SELINUX
-+#define SFTPD_T "sftpd_t"
-+#endif
- /* func */
-
- Session *session_new(void);
-@@ -1789,6 +1795,10 @@ do_child(Session *s, const char *command
- extern int optind, optreset;
- int i;
- char *p, *args;
-+#ifdef WITH_SELINUX
-+ int L1, L2;
-+ char *c1, *c2, *cx;
-+#endif
-
- setproctitle("%s at internal-sftp-server", s->pw->pw_name);
- args = xstrdup(command ? command : "sftp-server");
-@@ -1798,6 +1808,32 @@ do_child(Session *s, const char *command
+ #endif /* ! _PORT_LINUX_H */
+diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c
+--- openssh-5.2p1/session.c.sesftp 2009-08-12 00:29:37.659250161 +0200
++++ openssh-5.2p1/session.c 2009-08-12 00:29:37.729578695 +0200
+@@ -1798,6 +1798,9 @@ do_child(Session *s, const char *command
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
+#ifdef WITH_SELINUX
-+ if (getcon ((security_context_t *) &c1) < 0) {
-+ logit("do_child: getcon failed with %s", strerror (errno));
-+ } else {
-+ L1 = strlen (c1) + sizeof (SFTPD_T);
-+ c2 = xmalloc (L1);
-+ if (!(cx = index (c1, ':')))
-+ goto badcontext;
-+ if (!(cx = index (cx + 1, ':'))) {
-+badcontext:
-+ logit ("do_child: unparseable context %s", c1);
-+ } else {
-+ L2 = cx - c1 + 1;
-+ memcpy (c2, c1, L2);
-+ strlcpy (c2 + L2, SFTPD_T, L1);
-+ if ((cx = index (cx + 1, ':')))
-+ strlcat (c2, cx, L1);
-+ if (setcon (c2) < 0)
-+ logit("do_child: setcon failed with %s", strerror (errno));
-+
-+ }
-+ xfree (c1);
-+ xfree (c2);
-+ }
++ ssh_selinux_change_context("sftpd_t");
+#endif
-+
exit(sftp_server_main(i, argv, s->pw));
}
Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.159
retrieving revision 1.160
diff -u -p -r1.159 -r1.160
--- openssh.spec 28 Aug 2009 22:43:53 -0000 1.159
+++ openssh.spec 31 Aug 2009 12:38:20 -0000 1.160
@@ -63,7 +63,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.2p1
-Release: 20%{?dist}%{?rescue_rel}
+Release: 21%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -468,6 +468,10 @@ fi
%endif
%changelog
+* Mon Auc 31 2009 Jan F. Chadima <jchadima at redhat.com> - 5.2p1-21
+- rearange selinux patch to be acceptable for upstream
+- replace seftp patch by an upstream version
+
* Fri Aug 28 2009 Jan F. Chadima <jchadima at redhat.com> - 5.2p1-20
- merged xmodifiers to redhat patch
- merged gssapi-role to selinux patch
- Previous message (by thread): rpms/parted/devel parted-1.9.0-commit-without-close.patch, NONE, 1.1 parted-1.9.0-dont-touch-part-nodes.patch, NONE, 1.1 parted-1.9.0-no-BLKPG.patch, NONE, 1.1 parted.spec, 1.147, 1.148
- Next message (by thread): rpms/openssh/devel openssh.spec,1.160,1.161
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list