- enable the subprocess in chroot to send messages to system log

- sshd should prevent login if audit call fails
2006-02-24 14:07:41 +00:00 · 2006-02-24 14:07:41 +00:00 · e01ed66930
parent b5e849f024
commit e01ed66930
2 changed files with 62 additions and 3 deletions
--- a/openssh-3.9p1-log-in-chroot.patch
+++ b/openssh-3.9p1-log-in-chroot.patch
@ -0,0 +1,53 @@
+--- openssh-3.9p1/log.h.log-chroot	2006-02-22 10:54:04.000000000 +0100
+++ openssh-3.9p1/log.h	2006-02-22 10:53:29.000000000 +0100
+@@ -63,4 +63,6 @@
+ 
+ void	 do_log(LogLevel, const char *, va_list);
+ void	 cleanup_exit(int) __dead;
+
+void     open_log(void);
+ #endif
+--- openssh-3.9p1/log.c.log-chroot	2006-02-22 13:29:48.000000000 +0100
+++ openssh-3.9p1/log.c	2006-02-22 10:56:01.000000000 +0100
+@@ -48,6 +48,7 @@
+ static int log_on_stderr = 1;
+ static int log_facility = LOG_AUTH;
+ static char *argv0;
+static int log_fd_keep;
+ 
+ extern char *__progname;
+ 
+@@ -330,9 +331,20 @@
+ 		syslog_r(pri, &sdata, "%.500s", fmtbuf);
+ 		closelog_r(&sdata);
+ #else
+	    if (!log_fd_keep) {
+ 		openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
+	    }
+ 		syslog(pri, "%.500s", fmtbuf);
+	    if (!log_fd_keep) {
+ 		closelog();
+	    }
+ #endif
+ 	}
+ }
+
+void
+open_log(void)
+{
+	openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
+	log_fd_keep = 1;
+}
+--- openssh-3.9p1/sshd.c.log-chroot	2006-01-11 13:42:32.000000000 +0100
+++ openssh-3.9p1/sshd.c	2006-02-22 18:58:24.000000000 +0100
+@@ -565,6 +565,10 @@
+ 	memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
+ 	endpwent();
+ 
+	/* Open the syslog permanently so the chrooted process still
+	   can write to syslog. */
+	open_log();
+	
+ 	/* Change our root directory */
+ 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+ 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
--- a/openssh.spec
+++ b/openssh.spec
@ -58,7 +58,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
 Name: openssh
 Version: 4.3p2
-%define rel 2
+%define rel 3
 %if %{rescue}
 %define %{rel}rescue
 %else
@ -84,7 +84,8 @@ Patch22: openssh-3.9p1-askpass-keep-above.patch
 Patch23: openssh-3.9p1-no-log-signal.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
 Patch25: openssh-4.3p2-scp-print-err.patch
-Patch27: openssh-4.2p1-pam-no-stack.patch
+Patch26: openssh-4.2p1-pam-no-stack.patch
+Patch27: openssh-3.9p1-log-in-chroot.patch
 Patch30: openssh-4.0p1-exit-deadlock.patch
 Patch31: openssh-3.9p1-skip-used.patch
 Patch35: openssh-4.2p1-askpass-progress.patch
@ -207,7 +208,8 @@ an X11 passphrase dialog for OpenSSH.
 %patch23 -p1 -b .signal
 %patch24 -p1 -b .fromto-remote
 %patch25 -p1 -b .print-err
-%patch27 -p1 -b .stack
+%patch26 -p1 -b .stack
+%patch27 -p1 -b .log-chroot
 %patch30 -p1 -b .exit-deadlock
 %patch31 -p1 -b .skip-used
 %patch35 -p1 -b .progress
@ -452,6 +454,10 @@ fi
 %endif

 %changelog
+* Fri Feb 24 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-3
+- enable the subprocess in chroot to send messages to system log
+- sshd should prevent login if audit call fails
+
 * Tue Feb 21 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-2
 - print error from scp if not remote (patch by Bjorn Augustsson #178923)