rpms/openssh/devel openssh-5.2p1-homechroot.patch, NONE, 1.1 openssh-5.1p1-log-in-chroot.patch, 1.1, 1.2 openssh.spec, 1.139, 1.140

Jan F. Chadima jfch2222 at fedoraproject.org
Fri Apr 3 12:37:30 UTC 2009


Author: jfch2222

Update of /cvs/pkgs/rpms/openssh/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15231

Modified Files:
	openssh-5.1p1-log-in-chroot.patch openssh.spec 
Added Files:
	openssh-5.2p1-homechroot.patch 
Log Message:
- fix logging after chroot
- enable non root users to use chroot %h in internal-sftp


openssh-5.2p1-homechroot.patch:

--- NEW FILE openssh-5.2p1-homechroot.patch ---
--- openssh-5.2p1/session.c	2009-03-20 18:08:11.263662384 +0100
+++ openssh-5.2p1/session.c	2009-03-20 18:26:29.925498409 +0100
@@ -1408,6 +1408,7 @@
 	const char *cp;
 	char component[MAXPATHLEN];
 	struct stat st;
+	int last;
 
 	if (*path != '/')
 		fatal("chroot path does not begin at root");
@@ -1419,7 +1420,7 @@
 	 * root-owned directory with strict permissions.
 	 */
 	for (cp = path; cp != NULL;) {
-		if ((cp = strchr(cp, '/')) == NULL)
+		if (((last = ((cp = strchr(cp, '/')) == NULL))))
 			strlcpy(component, path, sizeof(component));
 		else {
 			cp++;
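Review bot: The rewritten test `if (((last = ((cp = strchr(cp, '/')) == NULL))))` nests two assignments inside one condition and is easy to misread next to the loop's own `cp != NULL` guard. Splitting it keeps the behaviour and makes the meaning of `last` obvious: `cp = strchr(cp, '/');`, then `last = (cp == NULL);`, then `if (last)`. The loop body continues past the end of this hunk.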
@@ -1432,7 +1433,7 @@
 		if (stat(component, &st) != 0)
 			fatal("%s: stat(\"%s\"): %s", __func__,
 			    component, strerror(errno));
-		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
+		if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
 			fatal("bad ownership or modes for chroot "
 			    "directory %s\"%s\"", 
 			    cp == NULL ? "" : "component ", component);

openssh-5.1p1-log-in-chroot.patch:

Index: openssh-5.1p1-log-in-chroot.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.1p1-log-in-chroot.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- openssh-5.1p1-log-in-chroot.patch	23 Jul 2008 14:47:19 -0000	1.1
+++ openssh-5.1p1-log-in-chroot.patch	3 Apr 2009 12:37:30 -0000	1.2
@@ -15,15 +15,32 @@
 diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c
 --- openssh-5.1p1/log.c.log-chroot	2008-06-10 15:01:51.000000000 +0200
 +++ openssh-5.1p1/log.c	2008-07-23 15:18:52.000000000 +0200
-@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL
+@@ -45,6 +45,7 @@
+ #include <syslog.h>
+ #include <unistd.h>
+ #include <errno.h>
++#include <fcntl.h>
+ #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
+ # include <vis.h>
+ #endif
+@@ -56,6 +57,7 @@
  static int log_on_stderr = 1;
  static int log_facility = LOG_AUTH;
  static char *argv0;
-+static int log_fd_keep;
++int log_fd_keep = 0;
  
  extern char *__progname;
  
-@@ -392,10 +393,21 @@ do_log(LogLevel level, const char *fmt, 
+@@ -310,6 +312,8 @@
+ 		exit(1);
+ 	}
+ 
++	if (log_fd_keep != 0)
++		return;
+ 	/*
+ 	 * If an external library (eg libwrap) attempts to use syslog
+ 	 * immediately after reexec, syslog may be pointing to the wrong
+@@ -392,10 +396,33 @@
  		syslog_r(pri, &sdata, "%.500s", fmtbuf);
  		closelog_r(&sdata);
  #else
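Review bot: `log_fd_keep` becomes a global with three meanings, but the definition `int log_fd_keep = 0;` carries no comment, and the new early return tests `log_fd_keep != 0`, so it also fires for the -1 that `open_log()` stores when it cannot identify the descriptor. A comment on the definition would make the states explicit, for example `/* 0: open_log() not called; >0: syslog descriptor to keep; -1: open_log() ran, descriptor unknown */`. If skipping the rest of the function for -1 is intended, say so beside the `return`. The function containing that return starts and ends outside the hunk.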
@@ -42,16 +59,58 @@
 +void
 +open_log(void)
 +{
++	int temp1, temp2;
++
++	temp1 = open("/dev/null", O_RDONLY);
 +	openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
-+	log_fd_keep = 1;
++	temp2 = open("/dev/null", O_RDONLY);
++	if (temp1 + 2 ==  temp2)
++		log_fd_keep = temp1 + 1;
++	else 
++		log_fd_keep = -1;
++
++	if (temp1 != -1)
++		close(temp1);
++	if (temp2 != -1)
++		close(temp2);
 +}
 diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h
 --- openssh-5.1p1/log.h.log-chroot	2008-06-13 02:22:54.000000000 +0200
 +++ openssh-5.1p1/log.h	2008-07-23 15:20:11.000000000 +0200
-@@ -66,4 +66,6 @@ void     debug3(const char *, ...) __att
+@@ -46,6 +46,9 @@
+ 	SYSLOG_LEVEL_NOT_SET = -1
+ }       LogLevel;
+ 
++
++extern int log_fd_keep;
++
+ void     log_init(char *, LogLevel, SyslogFacility, int);
+ 
+ SyslogFacility	log_facility_number(char *);
+@@ -66,4 +69,6 @@
  
  void	 do_log(LogLevel, const char *, va_list);
  void	 cleanup_exit(int) __attribute__((noreturn));
 +
 +void     open_log(void);
  #endif
+--- openssh-5.2p1/session.c.	2009-03-20 18:32:01.004151364 +0100
++++ openssh-5.2p1/session.c	2009-03-20 19:00:28.328742384 +0100
+@@ -1445,6 +1456,7 @@
+ 	if (chdir(path) == -1)
+ 		fatal("Unable to chdir to chroot path \"%s\": "
+ 		    "%s", path, strerror(errno));
++	open_log ();
+ 	if (chroot(path) == -1)
+ 		fatal("chroot(\"%s\"): %s", path, strerror(errno));
+ 	if (chdir("/") == -1)
+@@ -1632,7 +1644,8 @@
+ 	 * descriptors open.
+ 	 */
+ 	for (i = 3; i < 64; i++)
+-		close(i);
++		if (i != log_fd_keep)
++			close(i);
+ }
+ 
+ /*
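Review bot: The descriptor that `open_log()` keeps is guessed from two `/dev/null` opens placed around `openlog()`, and the comparison `temp1 + 2 == temp2` runs before either open is checked for failure. Guard it with `if (temp1 != -1 && temp2 != -1 && temp1 + 2 == temp2)` and add a comment stating the assumption that `openlog()` with `LOG_NDELAY` takes exactly the one descriptor between them. The close loop in session.c then skips that descriptor, so it presumably stays open for whatever the session runs next. It is worth confirming that it is close-on-exec, given that the loop's own comment is about not leaving descriptors open. `open_log()` is complete in this hunk, while the session.c functions it touches begin outside it.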


Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.139
retrieving revision 1.140
diff -u -r1.139 -r1.140
--- openssh.spec	13 Mar 2009 10:32:52 -0000	1.139
+++ openssh.spec	3 Apr 2009 12:37:30 -0000	1.140
@@ -63,7 +63,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.2p1
-Release: 2%{?dist}%{?rescue_rel}
+Release: 3%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -97,6 +97,7 @@
 Patch55: openssh-5.1p1-cloexec.patch
 Patch62: openssh-5.1p1-scp-manpage.patch
 Patch65: openssh-5.2p1-fips.patch
+Patch66: openssh-5.2p1-homechroot.patch
 
 License: BSD
 Group: Applications/Internet
@@ -228,6 +229,7 @@
 %patch55 -p1 -b .cloexec
 %patch62 -p1 -b .manpage
 %patch65 -p1 -b .fips
+%patch66 -p1 -b .homechroot
 
 autoreconf
 
@@ -472,6 +474,10 @@
 %endif
 
 %changelog
+* Fri Apr  3 2009 Jan F. Chadima <jchadima at redhat.com> - 5.2p1-3
+- fix logging after chroot
+- enable non root users to use chroot %h in internal-sftp
+
 * Fri Mar 13 2009 Tomas Mraz <tmraz at redhat.com> - 5.2p1-2
 - add AES-CTR ciphers to the FIPS mode proposal
 



