- updated 7.8p1, partial PLD merge
authorMarcin Krol <hawk@tld-linux.org>
Wed, 29 Aug 2018 10:00:02 +0000 (10:00 +0000)
committerMarcin Krol <hawk@tld-linux.org>
Wed, 29 Aug 2018 10:00:02 +0000 (10:00 +0000)
libseccomp-sandbox.patch [deleted file]
openssh-chroot.patch
openssh-kuserok.patch
openssh-ldap.patch
openssh.spec

diff --git a/libseccomp-sandbox.patch b/libseccomp-sandbox.patch
deleted file mode 100644 (file)
index e701b2c..0000000
+++ /dev/null
@@ -1,239 +0,0 @@
-https://bugzilla.mindrot.org/show_bug.cgi?id=2142
-
---- a/Makefile.in      
-+++ a/Makefile.in      
-@@ -112,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
-       loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-       sftp-server.o sftp-common.o \
-       sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
--      sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
-+      sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
-       sandbox-solaris.o
- MANPAGES      = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
---- a/configure.ac     
-+++ a/configure.ac     
-@@ -2867,11 +2867,22 @@ else
- fi
- AC_SUBST([SSH_PRIVSEP_USER])
-+AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [
-+      #include <sys/types.h>
-+      #include <seccomp.h>
-+])
-+if test "x$have_libseccomp_filter" = "x1" ; then
-+      AC_CHECK_LIB([seccomp], [seccomp_init],
-+                               [LIBS="$LIBS -lseccomp"],
-+                               [have_libseccomp_filter=0])
-+fi
-+
- if test "x$have_linux_no_new_privs" = "x1" ; then
- AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
-       #include <sys/types.h>
-       #include <linux/seccomp.h>
- ])
-+
- fi
- if test "x$have_seccomp_filter" = "x1" ; then
- AC_MSG_CHECKING([kernel for seccomp_filter support])
-@@ -2898,7 +2909,7 @@ fi
- # Decide which sandbox style to use
- sandbox_arg=""
- AC_ARG_WITH([sandbox],
--      [  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
-+      [  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, libseccomp_filter, systrace, pledge)],
-       [
-               if test "x$withval" = "xyes" ; then
-                       sandbox_arg=""
-@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \
-               AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
-       SANDBOX_STYLE="darwin"
-       AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
-+elif test "x$sandbox_arg" = "xlibseccomp_filter" || \
-+     ( test -z "$sandbox_arg" && \
-+       test "x$have_libseccomp_filter" = "x1" ) ; then
-+      test "x$have_libseccomp_filter" != "x1" && \
-+              AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host])
-+        SANDBOX_STYLE="libseccomp_filter"
-+        AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter])
- elif test "x$sandbox_arg" = "xseccomp_filter" || \
-      ( test -z "$sandbox_arg" && \
-        test "x$have_seccomp_filter" = "x1" && \
---- a/sandbox-libseccomp-filter.c      
-+++ a/sandbox-libseccomp-filter.c      
-@@ -0,0 +1,175 @@ 
-+/*
-+ * Copyright (c) 2012 Will Drewry <wad@dataspill.org>
-+ *
-+ * Permission to use, copy, modify, and distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ */
-+
-+#include "includes.h"
-+
-+#ifdef SANDBOX_LIBSECCOMP_FILTER
-+
-+#include <sys/types.h>
-+#include <sys/resource.h>
-+#include <seccomp.h>
-+
-+#include <errno.h>
-+#include <signal.h>
-+#include <stdarg.h>
-+#include <stddef.h>  /* for offsetof */
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+
-+#include "log.h"
-+#include "ssh-sandbox.h"
-+#include "xmalloc.h"
-+
-+struct ssh_sandbox {
-+      pid_t child_pid;
-+};
-+
-+struct ssh_sandbox *
-+ssh_sandbox_init(struct monitor *monitor)
-+{
-+      struct ssh_sandbox *box;
-+
-+      /*
-+       * Strictly, we don't need to maintain any state here but we need
-+       * to return non-NULL to satisfy the API.
-+       */
-+      debug3("%s: preparing libseccomp filter sandbox", __func__);
-+      box = xcalloc(1, sizeof(*box));
-+      box->child_pid = 0;
-+
-+      return box;
-+}
-+
-+static int
-+seccomp_add_secondary_archs(scmp_filter_ctx *c)
-+{
-+#if defined(__i386__) || defined(__x86_64__)
-+      int r;
-+      r = seccomp_arch_add(c, SCMP_ARCH_X86);
-+      if (r < 0 && r != -EEXIST)
-+              return r;
-+      r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
-+      if (r < 0 && r != -EEXIST)
-+              return r;
-+      r = seccomp_arch_add(c, SCMP_ARCH_X32);
-+      if (r < 0 && r != -EEXIST)
-+              return r;
-+#endif
-+      return 0;
-+}
-+
-+struct scmp_action_def {
-+      uint32_t action;
-+      int syscall;
-+};
-+
-+static const struct scmp_action_def preauth_insns[] = {
-+      {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)},
-+      {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)},
-+#ifdef __NR_time /* not defined on EABI ARM */
-+      {SCMP_ACT_ALLOW, SCMP_SYS(time)},
-+#endif
-+      {SCMP_ACT_ALLOW, SCMP_SYS(read)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(write)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(close)},
-+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
-+      {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)},
-+#endif
-+      {SCMP_ACT_ALLOW, SCMP_SYS(brk)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(poll)},
-+#ifdef __NR__newselect
-+      {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)},
-+#endif
-+      {SCMP_ACT_ALLOW, SCMP_SYS(select)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(madvise)},
-+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
-+      {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)},
-+#endif
-+#ifdef __NR_mmap
-+      {SCMP_ACT_ALLOW, SCMP_SYS(mmap)},
-+#endif
-+#ifdef __dietlibc__
-+      {SCMP_ACT_ALLOW, SCMP_SYS(mremap)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(exit)},
-+#endif
-+      {SCMP_ACT_ALLOW, SCMP_SYS(munmap)},
-+      {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)},
-+#ifdef __NR_rt_sigprocmask
-+      {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)},
-+#else
-+      {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)},
-+#endif
-+      {0, 0}
-+};
-+
-+
-+void
-+ssh_sandbox_child(struct ssh_sandbox *box)
-+{
-+      scmp_filter_ctx *seccomp;
-+      struct rlimit rl_zero;
-+      const struct scmp_action_def *insn;
-+      int r;
-+
-+      /* Set rlimits for completeness if possible. */
-+      rl_zero.rlim_cur = rl_zero.rlim_max = 0;
-+      if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
-+              fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
-+                      __func__, strerror(errno));
-+      if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
-+              fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
-+                      __func__, strerror(errno));
-+      if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
-+              fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
-+                      __func__, strerror(errno));
-+
-+      seccomp = seccomp_init(SCMP_ACT_KILL);
-+      if (!seccomp)
-+              fatal("%s:libseccomp activation failed", __func__);
-+      if (seccomp_add_secondary_archs(seccomp))
-+              fatal("%s:libseccomp secondary arch setup failed", __func__);
-+
-+      for (insn = preauth_insns; insn->action; insn++) {
-+              if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0)
-+                      fatal("%s:libseccomp rule failed", __func__);
-+      }
-+
-+      if ((r = seccomp_load(seccomp)) < 0)
-+              fatal("%s:libseccomp unable to load filter %d", __func__, r);
-+
-+      seccomp_release(seccomp);
-+}
-+
-+void
-+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
-+{
-+      free(box);
-+      debug3("%s: finished", __func__);
-+}
-+
-+void
-+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
-+{
-+      box->child_pid = child_pid;
-+}
-+
-+#endif /* SANDBOX_LIBSECCOMP_FILTER */
index 828de68ec749b3fb9fe88b749b73ce373a44d47b..64ea0ca06bef0f542792e625ce7d3a8e069c5d85 100644 (file)
                                         * poke the client this often to
 --- openssh-7.2p1/session.c.orig       2016-03-05 10:24:44.227756638 +0100
 +++ openssh-7.2p1/session.c    2016-03-05 10:24:50.237756386 +0100
-@@ -1492,6 +1492,10 @@ do_setusercontext(struct passwd *pw)
+@@ -1381,6 +1381,10 @@ void
  do_setusercontext(struct passwd *pw)
  {
-       char *chroot_path, *tmp;
+       char uidstr[32], *chroot_path, *tmp;
 +#ifdef CHROOT
 +      char *user_dir;
 +      char *new_root;
index 077484c9e911319ec38a45e28b3576ca9d818319..8b3773d79696b304fb4a9ae93bb5a998ef33d4d6 100644 (file)
@@ -1,6 +1,6 @@
-diff -urpa openssh-7.7p1.orig/auth-krb5.c openssh-7.7p1/auth-krb5.c
---- openssh-7.7p1.orig/auth-krb5.c     2018-04-02 05:38:28.000000000 +0000
-+++ openssh-7.7p1/auth-krb5.c  2018-04-09 14:22:27.146431415 +0000
+diff -urpa openssh-7.8p1.orig/auth-krb5.c openssh-7.8p1/auth-krb5.c
+--- openssh-7.8p1.orig/auth-krb5.c     2018-08-23 05:41:42.000000000 +0000
++++ openssh-7.8p1/auth-krb5.c  2018-08-29 09:55:47.547970289 +0000
 @@ -54,6 +54,20 @@
  
  extern ServerOptions   options;
@@ -31,10 +31,10 @@ diff -urpa openssh-7.7p1.orig/auth-krb5.c openssh-7.7p1/auth-krb5.c
            authctxt->pw->pw_name)) {
                problem = -1;
                goto out;
-diff -urpa openssh-7.7p1.orig/gss-serv-krb5.c openssh-7.7p1/gss-serv-krb5.c
---- openssh-7.7p1.orig/gss-serv-krb5.c 2018-04-02 05:38:28.000000000 +0000
-+++ openssh-7.7p1/gss-serv-krb5.c      2018-04-09 14:22:27.146431415 +0000
-@@ -57,6 +57,7 @@ extern ServerOptions options;
+diff -urpa openssh-7.8p1.orig/gss-serv-krb5.c openssh-7.8p1/gss-serv-krb5.c
+--- openssh-7.8p1.orig/gss-serv-krb5.c 2018-08-23 05:41:42.000000000 +0000
++++ openssh-7.8p1/gss-serv-krb5.c      2018-08-29 09:55:47.547970289 +0000
+@@ -56,6 +56,7 @@ extern ServerOptions options;
  #endif
  
  static krb5_context krb_context = NULL;
@@ -42,7 +42,7 @@ diff -urpa openssh-7.7p1.orig/gss-serv-krb5.c openssh-7.7p1/gss-serv-krb5.c
  
  /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
  
-@@ -99,7 +100,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -98,7 +99,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
                krb5_free_error_message(krb_context, errmsg);
                return 0;
        }
@@ -51,18 +51,18 @@ diff -urpa openssh-7.7p1.orig/gss-serv-krb5.c openssh-7.7p1/gss-serv-krb5.c
                retval = 1;
                logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
                    name, (char *)client->displayname.value);
-diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c
---- openssh-7.7p1.orig/servconf.c      2018-04-09 14:19:20.369433518 +0000
-+++ openssh-7.7p1/servconf.c   2018-04-09 14:23:35.581430645 +0000
-@@ -162,6 +162,7 @@ initialize_server_options(ServerOptions
-       options->num_accept_env = 0;
+diff -urpa openssh-7.8p1.orig/servconf.c openssh-7.8p1/servconf.c
+--- openssh-7.8p1.orig/servconf.c      2018-08-29 09:49:04.830974823 +0000
++++ openssh-7.8p1/servconf.c   2018-08-29 09:57:22.452969220 +0000
+@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions
        options->permit_tun = -1;
        options->permitted_opens = NULL;
+       options->permitted_listens = NULL;
 +      options->use_kuserok = -1;
        options->adm_forced_command = NULL;
        options->chroot_directory = NULL;
        options->authorized_keys_command = NULL;
-@@ -429,6 +430,8 @@ fill_default_server_options(ServerOption
+@@ -449,6 +450,8 @@ fill_default_server_options(ServerOption
                options->num_auth_methods = 0;
        }
  
@@ -71,7 +71,7 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c
  #ifndef HAVE_MMAP
        if (use_privsep && options->compression == 1) {
                error("This platform does not support both privilege "
-@@ -451,7 +454,7 @@ typedef enum {
+@@ -471,7 +474,7 @@ typedef enum {
        sPermitRootLogin, sLogFacility, sLogLevel,
        sRhostsRSAAuthentication, sRSAAuthentication,
        sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@@ -80,7 +80,7 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c
        sPasswordAuthentication, sKbdInteractiveAuthentication,
        sListenAddress, sAddressFamily,
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
-@@ -535,11 +538,13 @@ static struct {
+@@ -555,11 +558,13 @@ static struct {
  #else
        { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
  #endif
@@ -94,18 +94,18 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c
  #endif
        { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
        { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1815,6 +1820,10 @@ process_server_config_line(ServerOptions
-               *activep = value;
+@@ -1958,6 +1963,10 @@ process_server_config_line(ServerOptions
+               }
                break;
  
 +      case sKerberosUseKuserok:
 +              intptr = &options->use_kuserok;
 +              goto parse_flag;
 +
-       case sPermitOpen:
-               arg = strdelim(&cp);
-               if (!arg || *arg == '\0')
-@@ -2193,6 +2202,7 @@ copy_set_server_options(ServerOptions *d
+       case sForceCommand:
+               if (cp == NULL || *cp == '\0')
+                       fatal("%.200s line %d: Missing argument.", filename,
+@@ -2302,6 +2311,7 @@ copy_set_server_options(ServerOptions *d
        M_CP_INTOPT(rekey_limit);
        M_CP_INTOPT(rekey_interval);
        M_CP_INTOPT(log_level);
@@ -113,7 +113,7 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c
  
        /*
         * The bind_mask is a mode_t that may be unsigned, so we can't use
-@@ -2498,6 +2508,7 @@ dump_config(ServerOptions *o)
+@@ -2595,6 +2605,7 @@ dump_config(ServerOptions *o)
        dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
        dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
        dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
@@ -121,20 +121,20 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c
  
        /* string arguments */
        dump_cfg_string(sPidFile, o->pid_file);
-diff -urpa openssh-7.7p1.orig/servconf.h openssh-7.7p1/servconf.h
---- openssh-7.7p1.orig/servconf.h      2018-04-09 14:18:20.148434196 +0000
-+++ openssh-7.7p1/servconf.h   2018-04-09 14:22:27.147431415 +0000
-@@ -191,6 +191,7 @@ typedef struct {
-       char   **permitted_opens;
-       u_int   num_permitted_opens; /* May also be one of PERMITOPEN_* */
+diff -urpa openssh-7.8p1.orig/servconf.h openssh-7.8p1/servconf.h
+--- openssh-7.8p1.orig/servconf.h      2018-08-29 09:49:04.827974823 +0000
++++ openssh-7.8p1/servconf.h   2018-08-29 09:55:47.548970289 +0000
+@@ -190,6 +190,7 @@ typedef struct {
+       char   **permitted_listens; /* May also be one of PERMITOPEN_* */
+       u_int   num_permitted_listens;
  
 +      int     use_kuserok;
        char   *chroot_directory;
        char   *revoked_keys_file;
        char   *trusted_user_ca_keys;
-diff -urpa openssh-7.7p1.orig/sshd_config openssh-7.7p1/sshd_config
---- openssh-7.7p1.orig/sshd_config     2018-04-09 14:18:20.149434196 +0000
-+++ openssh-7.7p1/sshd_config  2018-04-09 14:22:27.147431415 +0000
+diff -urpa openssh-7.8p1.orig/sshd_config openssh-7.8p1/sshd_config
+--- openssh-7.8p1.orig/sshd_config     2018-08-29 09:49:04.827974823 +0000
++++ openssh-7.8p1/sshd_config  2018-08-29 09:55:47.548970289 +0000
 @@ -68,6 +68,7 @@ AuthorizedKeysFile   .ssh/authorized_keys
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
@@ -143,10 +143,10 @@ diff -urpa openssh-7.7p1.orig/sshd_config openssh-7.7p1/sshd_config
  
  # GSSAPI options
  #GSSAPIAuthentication no
-diff -urpa openssh-7.7p1.orig/sshd_config.5 openssh-7.7p1/sshd_config.5
---- openssh-7.7p1.orig/sshd_config.5   2018-04-09 14:18:20.149434196 +0000
-+++ openssh-7.7p1/sshd_config.5        2018-04-09 14:22:27.148431415 +0000
-@@ -856,6 +856,10 @@ Specifies whether to automatically destr
+diff -urpa openssh-7.8p1.orig/sshd_config.5 openssh-7.8p1/sshd_config.5
+--- openssh-7.8p1.orig/sshd_config.5   2018-08-29 09:49:04.828974823 +0000
++++ openssh-7.8p1/sshd_config.5        2018-08-29 09:55:47.549970289 +0000
+@@ -861,6 +861,10 @@ Specifies whether to automatically destr
  file on logout.
  The default is
  .Cm yes .
@@ -157,7 +157,7 @@ diff -urpa openssh-7.7p1.orig/sshd_config.5 openssh-7.7p1/sshd_config.5
  .It Cm KexAlgorithms
  Specifies the available KEX (Key Exchange) algorithms.
  Multiple algorithms must be comma-separated.
-@@ -1119,6 +1123,7 @@ Available keywords are
+@@ -1124,6 +1128,7 @@ Available keywords are
  .Cm KbdInteractiveAuthentication ,
  .Cm KerberosAuthentication ,
  .Cm LogLevel ,
index 36265580052328ced38aa56d6571e0334d72aee7..2920eabbf951856ed68404660e7550d29e1d28a7 100644 (file)
@@ -1778,8 +1778,8 @@ diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c
 +}
 +
 +/* Ugly hack */
-+void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
-+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
++void   *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
++void    buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
 +
 diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h
 --- openssh-6.2p1/ldap-helper.h.ldap   2013-03-25 21:27:15.892248097 +0100
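Review bot: The two stubs under `/* Ugly hack */` still carry no explanation after their signatures change to `struct sshbuf *`, and `buffer_get_string` returns NULL without writing `*l`. Presumably they exist only to satisfy a link-time reference from an object that ldap-helper pulls in and are never meant to be called; the comment should say so, for example `/* Link-only stubs: satisfy unresolved buffer_* references; must never be reached at run time */`. If either can be reached, a silent NULL with an unset length is harder to diagnose than an explicit failure, so a `fatal("%s: stub called", __func__);` body would be the safer shape, assuming log.h is available in ldap-helper.c (not visible here). The rest of ldap-helper.c lies outside this hunk.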
index bbb3755c0096ca2698854d8c1ecf662163951b08..d01f74880d2b945c2f43ea8d52c52fd26267261e 100644 (file)
@@ -42,13 +42,13 @@ Summary(pt_BR.UTF-8):       Implementação livre do SSH
 Summary(ru.UTF-8):     OpenSSH - свободная реализация протокола Secure Shell (SSH)
 Summary(uk.UTF-8):     OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
 Name:          openssh
-Version:       7.7p1
-Release:       2
+Version:       7.8p1
+Release:       1
 Epoch:         2
 License:       BSD
 Group:         Applications/Networking
 Source0:       http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: 68ba883aff6958297432e5877e9a0fe2
+# Source0-md5: ce1d090fa6239fd38eb989d5e983b074
 Source1:       http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
 # Source1-md5: 66943d481cc422512b537bcc2c7400d1
 Source2:       %{name}d.init
@@ -76,7 +76,6 @@ Patch12:      %{name}-vulnkey-compat.patch
 Patch13:       %{name}-kuserok.patch
 Patch14:       %{name}-bind.patch
 Patch15:       %{name}-disable_ldap.patch
-Patch16:       libseccomp-sandbox.patch
 URL:           http://www.openssh.com/portable.html
 BuildRequires: %{__perl}
 %{?with_audit:BuildRequires:   audit-libs-devel}
@@ -536,7 +535,6 @@ openldap-a.
 %patch13 -p1
 %patch14 -p1
 %{!?with_ldap:%patch15 -p1}
-%{?with_libseccomp:%patch16 -p1}
 
 # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
 sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
@@ -572,7 +570,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99"
        --with-privsep-path=%{_privsepdir} \
        --with-privsep-user=sshd \
        %{?with_selinux:--with-selinux} \
-       --with-sandbox=%{sandbox} \
+       --with-sandbox=seccomp_filter \
        --with-xauth=%{_bindir}/xauth
 
 echo '#define LOGIN_PROGRAM               "/bin/login"' >>config.h
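Review bot: `--with-sandbox=seccomp_filter` replaces the `%{sandbox}` macro with a fixed value, so whatever defines `%{sandbox}`, and the `libseccomp` bcond that guarded `%patch16`, is now dead if it is still in the spec. Those definitions are outside this hunk and should be removed in the same commit. With an explicit style, configure is expected to abort rather than pick a weaker sandbox when the build host lacks seccomp filter support, which is the right failure mode for sshd's pre-auth process but is worth recording. I would add a comment before the configure call, `# sandbox is pinned to seccomp_filter: the build must fail rather than fall back to rlimit or no sandbox`, and confirm that every architecture this package is built for supports it.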