From 3d6b00af7e3a4bfb7ff1687d9b1191cba67f8ac1 Mon Sep 17 00:00:00 2001
From: "Jan F. Chadima" 
Date: Fri, 17 Jul 2009 07:06:59 +0000
Subject: [PATCH] changed internal-sftp context to sftpd_t
---
 openssh-5.2p1-pathmax.patch | 37 ++++++++++++++++++++++++++++++++-----
 openssh-5.2p1-selabel.patch | 20 ++++++++++----------
 openssh-5.2p1-sesftp.patch | 19 +++++++++++++++++++
 openssh.spec | 12 ++++++++++--
 4 files changed, 71 insertions(+), 17 deletions(-)
 create mode 100644 openssh-5.2p1-sesftp.patch
diff --git a/openssh-5.2p1-pathmax.patch b/openssh-5.2p1-pathmax.patch
index 0b89b1e..5411589 100644
--- a/openssh-5.2p1-pathmax.patch
+++ b/openssh-5.2p1-pathmax.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.2p1/ssh.c.pathmax openssh-5.2p1/ssh.c
---- openssh-5.2p1/ssh.c.pathmax 2009-06-29 22:13:17.251360372 +0200
-+++ openssh-5.2p1/ssh.c 2009-06-29 22:14:46.036292525 +0200
+--- openssh-5.2p1/ssh.c.pathmax 2009-07-08 14:23:19.000000000 +0200
++++ openssh-5.2p1/ssh.c 2009-07-08 14:26:26.000000000 +0200
 @@ -49,6 +49,7 @@
 #include 
 #include 
@@ -9,12 +9,39 @@ diff -up openssh-5.2p1/ssh.c.pathmax openssh-5.2p1/ssh.c
 #include 
 #include 
-@@ -209,7 +210,7 @@ int
+@@ -208,8 +209,8 @@ void muxserver_listen(void);
+ int
 main(int ac, char **av)
 {
- int i, opt, exit_status, use_syslog;
+- int i, opt, exit_status, use_syslog;
 - char *p, *cp, *line, buf[256];
-+ char *p, *cp, *line, buf[PATH_MAX];
++ int i, r, opt, exit_status, use_syslog;
++ char *p, *cp, *line, buf[MAXPATHLEN];
 struct stat st;
 struct passwd *pw;
 int dummy, timeout_ms;
+@@ -624,9 +625,10 @@ main(int ac, char **av)
+ fatal("Can't open user config file %.100s: "
+ "%.100s", config, strerror(errno));
+ } else {
+- snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
++ r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
+ _PATH_SSH_USER_CONFFILE);
+- (void)read_config_file(buf, host, &options, 1);
++ if (r > 0 && (size_t)r < sizeof(buf))
++ (void)read_config_file(buf, host, &options, 1);
+ 
+ /* Read systemwide configuration file after use config. */
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
+@@ -787,9 +789,9 @@ main(int ac, char **av)
+ * Now that we are back to our own permissions, create ~/.ssh
+ * directory if it doesn't already exist.
+ */
+- snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir,
++ r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
+ strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
+- if (stat(buf, &st) < 0)
++ if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
+ if (mkdir(buf, 0700) < 0)
+ error("Could not create directory '%.200s'.", buf);
+ 
diff --git a/openssh-5.2p1-selabel.patch b/openssh-5.2p1-selabel.patch
index a367739..06ccffe 100644
--- a/openssh-5.2p1-selabel.patch
+++ b/openssh-5.2p1-selabel.patch
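Review bot: When `r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, _PATH_SSH_USER_CONFFILE)` does not fit in MAXPATHLEN the new guard skips read_config_file() without a word, so a user with a long home path silently gets the system-wide defaults instead of the options in ~/.ssh/config; the ~/.ssh mkdir later in the hunk is skipped just as silently. Now that the truncated case is detected, report it: `else error("%s/%s: path too long, user config ignored", pw->pw_dir, _PATH_SSH_USER_CONFFILE);` and, for the directory, `error("%s: path too long, not creating %s", pw->pw_dir, _PATH_SSH_USER_DIR);`. Minor: `sizeof buf` and `sizeof(buf)` now sit on the same line; pick one spelling. Both sites are inside main(), which starts and ends outside this hunk.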
@@ -1,6 +1,6 @@
 diff -up openssh-5.2p1/contrib/ssh-copy-id.selabel openssh-5.2p1/contrib/ssh-copy-id
---- openssh-5.2p1/contrib/ssh-copy-id.selabel 2009-06-29 23:43:03.514390092 +0200
-+++ openssh-5.2p1/contrib/ssh-copy-id 2009-06-29 23:44:11.188382120 +0200
+--- openssh-5.2p1/contrib/ssh-copy-id.selabel 2009-01-21 10:29:21.000000000 +0100
++++ openssh-5.2p1/contrib/ssh-copy-id 2009-07-08 14:28:27.000000000 +0200
 @@ -38,7 +38,7 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] ||
 exit 1
 fi
@@ -11,8 +11,8 @@ diff -up openssh-5.2p1/contrib/ssh-copy-id.selabel openssh-5.2p1/contrib/ssh-cop
cat < #include 
@@ -33,12 +33,12 @@ diff -up openssh-5.2p1/ssh.c.selabel openssh-5.2p1/ssh.c
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
-@@ -790,10 +791,15 @@ main(int ac, char **av)
+@@ -791,10 +792,15 @@ main(int ac, char **av)
 */
 - snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir,
 + r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
 strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
-- if (stat(buf, &st) < 0)
-+ if (stat(buf, &st) < 0) {
+- if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
++ if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
 + char *scon;
 +
 + matchpathcon(buf, 0700, &scon);
diff --git a/openssh-5.2p1-sesftp.patch b/openssh-5.2p1-sesftp.patch
new file mode 100644
index 0000000..7d3001b
--- /dev/null
+++ b/openssh-5.2p1-sesftp.patch
@@ -0,0 +1,19 @@
+diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c
+--- openssh-5.2p1/session.c.sesftp 2009-07-16 22:34:26.000000000 +0200
++++ openssh-5.2p1/session.c 2009-07-16 22:59:22.000000000 +0200
+@@ -58,6 +58,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ #include "openbsd-compat/sys-queue.h"
+ #include "xmalloc.h"
+@@ -1816,6 +1817,7 @@ do_child(Session *s, const char *command
+ argv[i] = NULL;
+ optind = optreset = 1;
+ __progname = argv[0];
++ setcon ("system_u:system_r:sftpd_t");
+ exit(sftp_server_main(i, argv, s->pw));
+ }
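Review bot: `matchpathcon(buf, 0700, &scon);` at the end of the ssh.c hunk discards its return value, and on failure (no file-context entry for the path, or no policy loaded) matchpathcon() is not guaranteed to set `*con`, so `scon` is left an uninitialized pointer; the code that consumes it lies past the hunk, inside main(), which runs on well beyond these lines, and presumably hands `scon` to a setfscreatecon()-style call. Check the lookup before relying on it, e.g. `char *scon = NULL;` followed by `if (matchpathcon(buf, 0700, &scon) != 0) scon = NULL;` (or `error()` and skip the labelled create), and make sure the later code tolerates a NULL `scon`. The commit only re-syncs this context with the pathmax patch, but it is the code that ships.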
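Review bot: `setcon ("system_u:system_r:sftpd_t");` in do_child ignores its return value, so if the transition is refused — no sftpd_t type in the loaded policy, SELinux disabled, or the transition from sshd's current domain not allowed — sftp_server_main() runs in the old context with nothing logged, and the confinement this patch exists to add fails open. The exit path is one line below, so fail closed instead: `if (is_selinux_enabled() > 0 && setcon("system_u:system_r:sftpd_t") < 0)` / `fatal("setcon(sftpd_t) failed: %s", strerror(errno));`. A bare three-field context also carries no MLS/MCS level, which an MLS-enabled policy may reject; deriving the target from the current context (getcon() plus the current range, or security_compute_create()) would be more robust and is worth confirming against the policy this targets. Both the new include (its header name is stripped in this view) and the call are unconditional; the session.c lines in view do not show whether the file already keeps SELinux code under a build-time guard such as `#ifdef WITH_SELINUX`, but if it does, this belongs under the same guard so builds without libselinux still link.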
diff --git a/openssh.spec b/openssh.spec
index 6d12f9a..ce0c4ef 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -63,7 +63,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.2p1
-Release: 12%{?dist}%{?rescue_rel}
+Release: 14%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -101,6 +101,7 @@ Patch66: openssh-5.2p1-homechroot.patch
 Patch67: openssh-5.2p1-xmodifiers.patch
 Patch68: openssh-5.2p1-pathmax.patch
 Patch69: openssh-5.2p1-selabel.patch
+Patch70: openssh-5.2p1-sesftp.patch
 
 License: BSD
 Group: Applications/Internet
@@ -236,6 +237,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch67 -p1 -b .xmodifiers
 %patch68 -p1 -b .pathmax
 %patch69 -p1 -b .selabel
+%patch70 -p1 -b .sesftp
 
 autoreconf
 
@@ -470,7 +472,13 @@ fi
 %endif
 
 %changelog
-* Tue Jun 30 2009 Jan F. Chadima - 5.2p1-11
+* Fri Jul 17 2009 Jan F. Chadima - 5.2p1-14
+- changed internal-sftp context to sftpd_t
+
+* Fri Jul 3 2009 Jan F. Chadima - 5.2p1-13
+- changed home length path patch to upstream version
+
+* Tue Jun 30 2009 Jan F. Chadima - 5.2p1-12
 - create '~/.ssh/known_hosts' within proper context
 
 * Mon Jun 29 2009 Jan F. Chadima - 5.2p1-11