- pass the connection socket to ssh-keysign (#447680)

Mon May 19 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-2
- add LANGUAGE to accepted/sent environment variables (#443231)
- use pam_selinux to obtain the user context instead of doing it itself
- unbreak server keep alive settings (patch from upstream)
- small addition to scp manpage

openssh-3.9p1-scp-manpage.patch

@@ -0,0 +1,17 @@
+--- scp.orig	2007-12-22 20:37:27.000000000 +0100
++++ scp.1	2007-12-22 20:36:42.000000000 +0100
+@@ -60,6 +60,14 @@
+ that the file is to be copied to/from that host.
+ Copies between two remote hosts are permitted.
+ .Pp
++When copying a source file to a target file which already exists,
++.Nm 
++will replace the contents of the target file (keeping the inode).
++.Pp
++If the target file does not yet exist, an empty file with the target
++file name is created, then filled with the source file contents.
++No attempt is made at "near-atomic" transfer using temporary files.
++.Pp
+ The options are as follows:
+ .Bl -tag -width Ds
+ .It Fl 1

openssh-4.7p1-cloexec.patch

@@ -1,6 +1,25 @@
+diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c
+--- openssh-4.7p1/sshconnect2.c.cloexec	2008-03-06 15:58:03.000000000 +0100
++++ openssh-4.7p1/sshconnect2.c	2008-05-21 09:27:06.000000000 +0200
+@@ -38,6 +38,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <fcntl.h>
+ 
+ #include "openbsd-compat/sys-queue.h"
+ 
+@@ -1257,6 +1258,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
+ 		return -1;
+ 	}
+ 	if (pid == 0) {
++		fcntl(packet_get_connection_in(), F_SETFD, 0); /* keep the socket on exec */
+ 		permanently_drop_suid(getuid());
+ 		close(from[0]);
+ 		if (dup2(from[1], STDOUT_FILENO) < 0)
 diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c
 --- openssh-4.7p1/sshconnect.c.cloexec	2006-10-23 19:02:24.000000000 +0200
-+++ openssh-4.7p1/sshconnect.c	2008-02-05 23:14:28.000000000 +0100
++++ openssh-4.7p1/sshconnect.c	2008-03-06 15:58:03.000000000 +0100
 @@ -38,6 +38,7 @@
  #include <stdlib.h>
  #include <string.h>

openssh-4.7p1-redhat.patch

@@ -40,7 +40,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
 +# Accept locale-related environment variables
 +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
-+AcceptEnv LC_IDENTIFICATION LC_ALL
++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
  #AllowTcpForwarding yes
  #GatewayPorts no
  #X11Forwarding no
@@ -64,7 +64,7 @@ diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config
 +# Send locale-related environment variables
 +	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 +	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
-+	SendEnv LC_IDENTIFICATION LC_ALL
++	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0
 --- openssh-4.7p1/sshd_config.0.redhat	2007-09-04 08:50:11.000000000 +0200
 +++ openssh-4.7p1/sshd_config.0	2007-09-06 16:21:49.000000000 +0200

openssh-5.0p1-pam_selinux.patch

@@ -0,0 +1,156 @@
+diff -up openssh-5.0p1/auth-pam.h.pam_selinux openssh-5.0p1/auth-pam.h
+--- openssh-5.0p1/auth-pam.h.pam_selinux	2004-09-11 14:17:26.000000000 +0200
++++ openssh-5.0p1/auth-pam.h	2008-04-30 14:25:28.000000000 +0200
+@@ -38,7 +38,7 @@ void do_pam_session(void);
+ void do_pam_set_tty(const char *);
+ void do_pam_setcred(int );
+ void do_pam_chauthtok(void);
+-int do_pam_putenv(char *, char *);
++int do_pam_putenv(char *, const char *);
+ char ** fetch_pam_environment(void);
+ char ** fetch_pam_child_environment(void);
+ void free_pam_environment(char **);
+diff -up openssh-5.0p1/auth-pam.c.pam_selinux openssh-5.0p1/auth-pam.c
+--- openssh-5.0p1/auth-pam.c.pam_selinux	2008-03-11 12:58:25.000000000 +0100
++++ openssh-5.0p1/auth-pam.c	2008-04-30 14:25:21.000000000 +0200
+@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
+  * during the ssh authentication process.
+  */
+ int
+-do_pam_putenv(char *name, char *value)
++do_pam_putenv(char *name, const char *value)
+ {
+ 	int ret = 1;
+ #ifdef HAVE_PAM_PUTENV
+diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/openbsd-compat/port-linux.c
+--- openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux	2008-04-07 22:01:37.000000000 +0200
++++ openssh-5.0p1/openbsd-compat/port-linux.c	2008-04-30 14:26:17.000000000 +0200
+@@ -34,6 +34,7 @@
+ #include "hostfile.h"
+ #include "auth.h"
+ #include "xmalloc.h"
++#include "servconf.h"
+ 
+ #include <selinux/selinux.h>
+ #include <selinux/flask.h>
+@@ -47,6 +48,7 @@
+ #include <unistd.h>
+ #endif
+ 
++extern ServerOptions options;
+ extern Authctxt *the_authctxt;
+ extern int inetd_flag;
+ extern int rexeced_flag;
+@@ -208,29 +210,38 @@ get_user_context(const char *sename, con
+         return -1;
+ }
+ 
++static void
++ssh_selinux_get_role_level(char **role, const char **level)
++{
++	*role = NULL;
++	*level = NULL;
++	if (the_authctxt) {
++		if (the_authctxt->role != NULL) {
++			char *slash;
++			*role = xstrdup(the_authctxt->role);
++			if ((slash = strchr(*role, '/')) != NULL) {
++				*slash = '\0';
++				*level = slash + 1;
++			}
++		}
++	}
++}
++
+ /* Return the default security context for the given username */
+ static int
+ ssh_selinux_getctxbyname(char *pwname,
+ 	security_context_t *default_sc, security_context_t *user_sc)
+ {
+ 	char *sename, *lvl;
+-	const char *reqlvl = NULL;
+-	char *role = NULL;
++	const char *reqlvl;
++	char *role;
+ 	int r = -1;
+ 	context_t con = NULL;
+ 
+ 	*default_sc = NULL;
+ 	*user_sc = NULL;
+-	if (the_authctxt) {
+-		if (the_authctxt->role != NULL) {
+-			char *slash;
+-			role = xstrdup(the_authctxt->role);
+-			if ((slash = strchr(role, '/')) != NULL) {
+-				*slash = '\0';
+-				reqlvl = slash + 1;
+-			}
+-		}
+-	}
++
++	ssh_selinux_get_role_level(&role, &reqlvl);
+ 
+ #ifdef HAVE_GETSEUSERBYNAME
+ 	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+@@ -311,6 +322,36 @@ ssh_selinux_getctxbyname(char *pwname,
+ 	return (r);
+ }
+ 
++/* Setup environment variables for pam_selinux */
++static int
++ssh_selinux_setup_pam_variables(void)
++{
++	const char *reqlvl;
++	char *role;
++	char *use_current;
++	int rv;
++
++	debug3("%s: setting execution context", __func__);
++
++	ssh_selinux_get_role_level(&role, &reqlvl);
++
++	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
++	
++	if (inetd_flag && !rexeced_flag) {
++		use_current = "1";
++	} else {
++		use_current = "";
++		rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
++	}
++
++	rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
++
++	if (role != NULL)
++		xfree(role);
++	
++	return rv;
++}
++
+ /* Set the execution context to the default for the specified user */
+ void
+ ssh_selinux_setup_exec_context(char *pwname)
+@@ -322,6 +363,24 @@ ssh_selinux_setup_exec_context(char *pwn
+ 	if (!ssh_selinux_enabled())
+ 		return;
+ 
++	if (options.use_pam) {
++		/* do not compute context, just setup environment for pam_selinux */
++		if (ssh_selinux_setup_pam_variables()) {
++			switch (security_getenforce()) {
++			case -1:
++				fatal("%s: security_getenforce() failed", __func__);
++			case 0:
++				error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
++				    __func__);
++			break;
++			default:
++				fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
++				    __func__);
++			}
++		}
++		return;
++	}
++
+ 	debug3("%s: setting execution context", __func__);
+ 
+ 	r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);

openssh-5.0p1-unbreakalive.patch

@@ -0,0 +1,20 @@
+Index: packet.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/packet.c,v
+retrieving revision 1.152
+diff -u -p packet.c
+--- packet.c	8 May 2008 06:59:01 -0000
++++ packet.c	19 May 2008 04:00:34 -0000
+@@ -1185,9 +1185,10 @@ packet_read_poll_seqnr(u_int32_t *seqnr_
+ 	for (;;) {
+ 		if (compat20) {
+ 			type = packet_read_poll2(seqnr_p);
+-			keep_alive_timeouts = 0;
+-			if (type)
++			if (type) {
++				keep_alive_timeouts = 0;
+ 				DBG(debug("received packet type %d", type));
++			}
+ 			switch (type) {
+ 			case SSH2_MSG_IGNORE:
+ 				debug3("Received SSH2_MSG_IGNORE");

openssh.spec

@@ -63,7 +63,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.0p1
-Release: 1%{?dist}%{?rescue_rel}
+Release: 3%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -96,6 +96,9 @@ Patch54: openssh-4.7p1-gssapi-role.patch
 Patch55: openssh-4.7p1-cloexec.patch
 Patch58: openssh-4.5p1-controlcleanup.patch
 Patch59: openssh-4.7p1-master-race.patch
+Patch60: openssh-5.0p1-pam_selinux.patch
+Patch61: openssh-5.0p1-unbreakalive.patch
+Patch62: openssh-3.9p1-scp-manpage.patch
 
 License: BSD
 Group: Applications/Internet
@@ -156,7 +159,7 @@ Group: System Environment/Daemons
 Requires: openssh = %{version}-%{release}
 Requires(post): chkconfig >= 0.9, /sbin/service
 Requires(pre): /usr/sbin/useradd
-Requires: /etc/pam.d/system-auth, /%{_lib}/security/pam_loginuid.so
+Requires: pam >= 1.0.1-3
 
 %package askpass
 Summary: A passphrase dialog for OpenSSH and X
@@ -228,6 +231,9 @@ an X11 passphrase dialog for OpenSSH.
 %patch55 -p1 -b .cloexec
 %patch58 -p1 -b .controlcleanup
 %patch59 -p1 -b .master-race
+%patch60 -p1 -b .pam_selinux
+%patch61 -p0 -b .unbreakalive
+%patch62 -p0 -b .manpage
 
 autoreconf
 
@@ -478,6 +484,15 @@ fi
 %endif
 
 %changelog
+* Wed May 21 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-3
+- pass the connection socket to ssh-keysign (#447680)
+
+* Mon May 19 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-2
+- add LANGUAGE to accepted/sent environment variables (#443231)
+- use pam_selinux to obtain the user context instead of doing it itself
+- unbreak server keep alive settings (patch from upstream)
+- small addition to scp manpage
+
 * Mon Apr  7 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-1
 - upgrade to new upstream (#441066)
 - prevent initscript from killing itself on halt with upstart (#438449)

sshd.pam

@@ -3,6 +3,10 @@ auth       include      system-auth
 account    required     pam_nologin.so
 account    include      system-auth
 password   include      system-auth
-session    optional     pam_keyinit.so force revoke
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
 session    include      system-auth
 session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    optional     pam_keyinit.so force revoke