pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/security/openssh
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jul 1 09:19:40 UTC 2024
Modified Files:
pkgsrc/security/openssh: Makefile PLIST distinfo
pkgsrc/security/openssh/patches: patch-Makefile.in patch-clientloop.c
patch-configure.ac patch-defines.h patch-sandbox-darwin.c
Added Files:
pkgsrc/security/openssh/patches: patch-sshd-session.c
Removed Files:
pkgsrc/security/openssh/patches: patch-config.h.in patch-loginrec.c
patch-openbsd-compat_openbsd-compat.h
patch-openbsd-compat_port-net.c patch-sshd.8 patch-sshd.c
Log Message:
openssh: update to 9.8p1.
pkgsrc changes:
Remove outdated or undocumented patches.
Remove Interix support.
Remove tcp_wrappers support - does not apply cleanly to this
version and arguable, if we even should have such a big patch for openssh in pkgsrc.
Updated Apple patches from macPorts.
Upstream Changes:
Security
========
This release contains fixes for two security problems, one critical
and one minor.
1) Race condition in sshd(8)
A critical vulnerability in sshd(8) was present in Portable OpenSSH
versions 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code
execution with root privileges.
Successful exploitation has been demonstrated on 32-bit Linux/glibc
systems with ASLR. Under lab conditions, the attack requires on
average 6-8 hours of continuous connections up to the maximum the
server will accept. Exploitation on 64-bit systems is believed to be
possible but has not been demonstrated at this time. It's likely that
these attacks will be improved upon.
Exploitation on non-glibc systems is conceivable but has not been
examined. Systems that lack ASLR or users of downstream Linux
distributions that have modified OpenSSH to disable per-connection
ASLR re-randomisation (yes - this is a thing, no - we don't
understand why) may potentially have an easier path to exploitation.
OpenBSD is not vulnerable.
We thank the Qualys Security Advisory Team for discovering, reporting
and demonstrating exploitability of this problem, and for providing
detailed feedback on additional mitigation measures.
2) Logic error in ssh(1) ObscureKeystrokeTiming
In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an
OpenSSH server version 9.5 or later, a logic error in the ssh(1)
ObscureKeystrokeTiming feature (on by default) rendered this feature
ineffective - a passive observer could still detect which network
packets contained real keystrokes when the countermeasure was active
because both fake and real keystroke packets were being sent
unconditionally.
This bug was found by Philippos Giavridis and also independently by
Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the
University of Cambridge Computer Lab.
Worse, the unconditional sending of both fake and real keystroke
packets broke another long-standing timing attack mitigation. Since
OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for
traffic received on TTYs in echo-off mode, such as when entering a
password into su(8) or sudo(8). This bug rendered these fake
keystroke echoes ineffective and could allow a passive observer of
a SSH session to once again detect when echo was off and obtain
fairly limited timing information about keystrokes in this situation
(20ms granularity by default).
This additional implication of the bug was identified by Jacky Wei
En Kung, Daniel Hugenroth and Alastair Beresford and we thank them
for their detailed analysis.
This bug does not affect connections when ObscureKeystrokeTiming
was disabled or sessions where no TTY was requested.
Potentially-incompatible changes
--------------------------------
* all: as mentioned above, the DSA signature algorithm is now
disabled at compile time.
* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.
* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.
* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.
* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101
* (portable OpenSSH only) Automatically-generated files, such as
configure, config.h.in, etc will now be checked in to the portable
OpenSSH git release branch (e.g. V_9_8). This should ensure that
the contents of the signed release branch exactly match the
contents of the signed release tarball.
To generate a diff of this commit:
cvs rdiff -u -r1.282 -r1.283 pkgsrc/security/openssh/Makefile
cvs rdiff -u -r1.20 -r1.21 pkgsrc/security/openssh/PLIST
cvs rdiff -u -r1.122 -r1.123 pkgsrc/security/openssh/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/security/openssh/patches/patch-Makefile.in
cvs rdiff -u -r1.5 -r1.6 pkgsrc/security/openssh/patches/patch-clientloop.c
cvs rdiff -u -r1.7 -r0 pkgsrc/security/openssh/patches/patch-config.h.in
cvs rdiff -u -r1.9 -r1.10 pkgsrc/security/openssh/patches/patch-configure.ac
cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/openssh/patches/patch-defines.h
cvs rdiff -u -r1.6 -r0 pkgsrc/security/openssh/patches/patch-loginrec.c
cvs rdiff -u -r1.4 -r0 \
pkgsrc/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h
cvs rdiff -u -r1.1 -r0 \
pkgsrc/security/openssh/patches/patch-openbsd-compat_port-net.c
cvs rdiff -u -r1.2 -r1.3 \
pkgsrc/security/openssh/patches/patch-sandbox-darwin.c
cvs rdiff -u -r0 -r1.1 pkgsrc/security/openssh/patches/patch-sshd-session.c
cvs rdiff -u -r1.2 -r0 pkgsrc/security/openssh/patches/patch-sshd.8
cvs rdiff -u -r1.13 -r0 pkgsrc/security/openssh/patches/patch-sshd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/openssh/Makefile
diff -u pkgsrc/security/openssh/Makefile:1.282 pkgsrc/security/openssh/Makefile:1.283
--- pkgsrc/security/openssh/Makefile:1.282 Tue Jun 25 17:38:40 2024
+++ pkgsrc/security/openssh/Makefile Mon Jul 1 09:19:40 2024
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.282 2024/06/25 17:38:40 wiz Exp $
+# $NetBSD: Makefile,v 1.283 2024/07/01 09:19:40 wiz Exp $
-DISTNAME= openssh-9.7p1
+DISTNAME= openssh-9.8p1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
@@ -48,7 +48,6 @@ GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-mantype=man
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR}
-CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
@@ -77,12 +76,6 @@ CONFIGURE_ENV+= LD=${CC:Q}
# if we have utmpx et al do not try to use login()
CONFIGURE_ARGS+= --disable-libutil
. endif
-#
-# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
-# prior version don't have it. So, disable use of strnvis(3) now.
-#
-CONFIGURE_ENV+= ac_cv_func_strnvis=no
-#
# workaround for ./configure problem, pkg/50936
#
CONFIGURE_ENV+= ac_cv_func_reallocarray=no
@@ -144,7 +137,6 @@ SUBST_SED.patch= -e '/channel_input_port
SUBST_VARS.patch= PKG_SYSCONFDIR
.include "../../devel/zlib/buildlink3.mk"
-.include "../../security/tcp_wrappers/buildlink3.mk"
#
# type of key "ecdsa" isn't always supported depends on OpenSSL.
Index: pkgsrc/security/openssh/PLIST
diff -u pkgsrc/security/openssh/PLIST:1.20 pkgsrc/security/openssh/PLIST:1.21
--- pkgsrc/security/openssh/PLIST:1.20 Wed May 27 13:49:27 2020
+++ pkgsrc/security/openssh/PLIST Mon Jul 1 09:19:40 2024
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.20 2020/05/27 13:49:27 sevan Exp $
+@comment $NetBSD: PLIST,v 1.21 2024/07/01 09:19:40 wiz Exp $
bin/scp
bin/sftp
bin/ssh
@@ -10,6 +10,7 @@ libexec/sftp-server
libexec/ssh-keysign
libexec/ssh-pkcs11-helper
libexec/ssh-sk-helper
+libexec/sshd-session
man/man1/scp.1
man/man1/sftp.1
man/man1/ssh-add.1
Index: pkgsrc/security/openssh/distinfo
diff -u pkgsrc/security/openssh/distinfo:1.122 pkgsrc/security/openssh/distinfo:1.123
--- pkgsrc/security/openssh/distinfo:1.122 Tue Jun 25 17:38:40 2024
+++ pkgsrc/security/openssh/distinfo Mon Jul 1 09:19:40 2024
@@ -1,17 +1,12 @@
-$NetBSD: distinfo,v 1.122 2024/06/25 17:38:40 wiz Exp $
+$NetBSD: distinfo,v 1.123 2024/07/01 09:19:40 wiz Exp $
-BLAKE2s (openssh-9.7p1.tar.gz) = cfa9904afcdf9c2b1ff80b4ee1109a2f71bb60daae1669586e4ccb4a10a05f47
-SHA512 (openssh-9.7p1.tar.gz) = 0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55
-Size (openssh-9.7p1.tar.gz) = 1848766 bytes
-SHA1 (patch-Makefile.in) = 70d6ca9c803b6193d0e340cb0518936a00e57492
-SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
-SHA1 (patch-config.h.in) = 7d1050743da7264763254b57938775c546c3baa5
-SHA1 (patch-configure.ac) = 65507029aa7570bcc1e588d022812e708ef5cd5d
-SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
-SHA1 (patch-loginrec.c) = 76f1e03182cbd18dd9ac0bdfcb6502eec7eb56a9
-SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
-SHA1 (patch-openbsd-compat_port-net.c) = b2a0ce81a52b00f106198d549b5068a5e67092ef
-SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
-SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = 0c5725305cbab3855b52c1a63fe4e987ed14e44e
+BLAKE2s (openssh-9.8p1.tar.gz) = 813dc945583cd4a126388d2b70f8e0aec259c72c5545108bfe7fe9f2d29c17b8
+SHA512 (openssh-9.8p1.tar.gz) = 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
+Size (openssh-9.8p1.tar.gz) = 1910393 bytes
+SHA1 (patch-Makefile.in) = 38df2aa7aaeeaac660763724188852bdb8bdcd24
+SHA1 (patch-clientloop.c) = 6211c64f77e1f5cf687d38e201b97f7a415d3598
+SHA1 (patch-configure.ac) = eb759d065e296a5fdf1e8925308e6e77ea2c60a8
+SHA1 (patch-defines.h) = 5424b1b24f1d4bbd47efa614ee180a45e7b9a54e
+SHA1 (patch-sandbox-darwin.c) = 5ae84525b5bf8232afc2d201868e19ac7e5b2bc8
+SHA1 (patch-sshd-session.c) = 1269a177432e92c8937ee43c0093882207c203c5
SHA1 (patch-sshkey.h) = aaaf622f377e455c49683fcc2ca42576ccd097bb
Index: pkgsrc/security/openssh/patches/patch-Makefile.in
diff -u pkgsrc/security/openssh/patches/patch-Makefile.in:1.7 pkgsrc/security/openssh/patches/patch-Makefile.in:1.8
--- pkgsrc/security/openssh/patches/patch-Makefile.in:1.7 Sun May 15 19:21:56 2022
+++ pkgsrc/security/openssh/patches/patch-Makefile.in Mon Jul 1 09:19:40 2024
@@ -1,8 +1,10 @@
-$NetBSD: patch-Makefile.in,v 1.7 2022/05/15 19:21:56 wiz Exp $
+$NetBSD: patch-Makefile.in,v 1.8 2024/07/01 09:19:40 wiz Exp $
+
+Use askpass provided by pkgsrc.
Removed install-sysconf as we handle that phase through post-install
---- Makefile.in.orig 2022-04-06 00:47:48.000000000 +0000
+--- Makefile.in.orig 2024-07-01 04:36:28.000000000 +0000
+++ Makefile.in
@@ -21,7 +21,7 @@ abs_top_builddir=@abs_top_builddir@
DESTDIR=
@@ -12,8 +14,8 @@ Removed install-sysconf as we handle tha
+#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
-@@ -382,7 +382,7 @@ distprep: catman-do depend-check
+ SSHD_SESSION=$(libexecdir)/sshd-session
+@@ -389,7 +390,7 @@ distprep: catman-do depend-check
-rm -rf autom4te.cache .depend.bak
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
Index: pkgsrc/security/openssh/patches/patch-clientloop.c
diff -u pkgsrc/security/openssh/patches/patch-clientloop.c:1.5 pkgsrc/security/openssh/patches/patch-clientloop.c:1.6
--- pkgsrc/security/openssh/patches/patch-clientloop.c:1.5 Fri Dec 30 04:43:16 2016
+++ pkgsrc/security/openssh/patches/patch-clientloop.c Mon Jul 1 09:19:40 2024
@@ -1,8 +1,8 @@
-$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
+$NetBSD: patch-clientloop.c,v 1.6 2024/07/01 09:19:40 wiz Exp $
Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
-https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+https://github.com/macports/macports-ports/blob/master/net/openssh/files/launchd.patch
--- clientloop.c.orig 2016-12-19 04:59:41.000000000 +0000
+++ clientloop.c
@@ -17,7 +17,7 @@ https://trac.macports.org/browser/trunk/
*_proto = proto;
*_data = data;
proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
-@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
+@@ -331,6 +331,18 @@ client_x11_get_proto(const char *display
}
if (xauth_path != NULL) {
@@ -29,23 +29,8 @@ https://trac.macports.org/browser/trunk/
+ * to determine if an error should be displayed.
+ */
+ char path[PATH_MAX];
-+ struct stat sbuf;
+
-+ strlcpy(path, display, sizeof(path));
-+ if (0 == stat(path, &sbuf)) {
-+ is_path_to_socket = 1;
-+ } else {
-+ char *dot = strrchr(path, '.');
-+ if (dot) {
-+ *dot = '\0';
-+ /* screen = atoi(dot + 1); */
-+ if (0 == stat(path, &sbuf)) {
-+ is_path_to_socket = 1;
-+ debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
-+ setenv("DISPLAY", path, 1);
-+ }
-+ }
-+ }
++ is_path_to_socket = is_path_to_xsocket(display, path, sizeof(path));
+ }
+#endif /* __APPLE__ */
/*
Index: pkgsrc/security/openssh/patches/patch-configure.ac
diff -u pkgsrc/security/openssh/patches/patch-configure.ac:1.9 pkgsrc/security/openssh/patches/patch-configure.ac:1.10
--- pkgsrc/security/openssh/patches/patch-configure.ac:1.9 Sun May 15 19:21:56 2022
+++ pkgsrc/security/openssh/patches/patch-configure.ac Mon Jul 1 09:19:40 2024
@@ -1,8 +1,8 @@
-$NetBSD: patch-configure.ac,v 1.9 2022/05/15 19:21:56 wiz Exp $
+$NetBSD: patch-configure.ac,v 1.10 2024/07/01 09:19:40 wiz Exp $
---- configure.ac.orig 2022-04-06 00:47:48.000000000 +0000
+--- configure.ac.orig 2024-07-01 04:36:28.000000000 +0000
+++ configure.ac
-@@ -340,6 +340,9 @@ AC_ARG_WITH([rpath],
+@@ -380,6 +380,9 @@ AC_ARG_WITH([rpath],
]
)
@@ -12,78 +12,7 @@ $NetBSD: patch-configure.ac,v 1.9 2022/0
# Allow user to specify flags
AC_ARG_WITH([cflags],
[ --with-cflags Specify additional flags to pass to compiler],
-@@ -434,6 +437,7 @@ AC_CHECK_HEADERS([ \
- maillock.h \
- ndir.h \
- net/if_tun.h \
-+ net/tun/if_tun.h \
- netdb.h \
- netgroup.h \
- pam/pam_appl.h \
-@@ -1601,6 +1605,62 @@ else
- AC_MSG_RESULT([no])
- fi
-
-+# Check whether user wants TCP wrappers support
-+TCPW_MSG="no"
-+AC_ARG_WITH([tcp-wrappers],
-+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
-+ [
-+ if test "x$withval" != "xno" ; then
-+ saved_LIBS="$LIBS"
-+ saved_LDFLAGS="$LDFLAGS"
-+ saved_CPPFLAGS="$CPPFLAGS"
-+ if test -n "${withval}" && \
-+ test "x${withval}" != "xyes"; then
-+ if test -d "${withval}/lib"; then
-+ if test -n "${need_dash_r}"; then
-+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-+ else
-+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-+ fi
-+ else
-+ if test -n "${need_dash_r}"; then
-+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-+ else
-+ LDFLAGS="-L${withval} ${LDFLAGS}"
-+ fi
-+ fi
-+ if test -d "${withval}/include"; then
-+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-+ else
-+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
-+ fi
-+ fi
-+ LIBS="-lwrap $LIBS"
-+ AC_MSG_CHECKING([for libwrap])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-+#include <sys/types.h>
-+#include <sys/socket.h>
-+#include <netinet/in.h>
-+#include <tcpd.h>
-+int deny_severity = 0, allow_severity = 0;
-+ ]], [[
-+ hosts_access(0);
-+ ]])], [
-+ AC_MSG_RESULT([yes])
-+ AC_DEFINE([LIBWRAP], [1],
-+ [Define if you want
-+ TCP Wrappers support])
-+ SSHDLIBS="$SSHDLIBS -lwrap"
-+ TCPW_MSG="yes"
-+ ], [
-+ AC_MSG_ERROR([*** libwrap missing])
-+
-+ ])
-+ LIBS="$saved_LIBS"
-+ fi
-+ ]
-+)
-+
- # Check whether user wants to use ldns
- LDNS_MSG="no"
- AC_ARG_WITH(ldns,
-@@ -5480,9 +5540,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -5568,9 +5628,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
])
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -103,7 +32,7 @@ $NetBSD: patch-configure.ac,v 1.9 2022/0
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
[Define if you want to specify the path to your wtmpx file])
fi
-@@ -5580,7 +5648,7 @@ echo "OpenSSH has been configured with t
+@@ -5677,7 +5745,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
@@ -112,11 +41,3 @@ $NetBSD: patch-configure.ac,v 1.9 2022/0
echo " Manual pages: $F"
echo " PID file: $G"
echo " Privilege separation chroot path: $H"
-@@ -5602,6 +5670,7 @@ echo " PAM support
- echo " OSF SIA support: $SIA_MSG"
- echo " KerberosV support: $KRB5_MSG"
- echo " SELinux support: $SELINUX_MSG"
-+echo " TCP Wrappers support: $TCPW_MSG"
- echo " libedit support: $LIBEDIT_MSG"
- echo " libldns support: $LDNS_MSG"
- echo " Solaris process contract support: $SPC_MSG"
Index: pkgsrc/security/openssh/patches/patch-defines.h
diff -u pkgsrc/security/openssh/patches/patch-defines.h:1.4 pkgsrc/security/openssh/patches/patch-defines.h:1.5
--- pkgsrc/security/openssh/patches/patch-defines.h:1.4 Mon Jan 18 12:53:26 2016
+++ pkgsrc/security/openssh/patches/patch-defines.h Mon Jul 1 09:19:40 2024
@@ -1,25 +1,9 @@
-$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-defines.h,v 1.5 2024/07/01 09:19:40 wiz Exp $
Define ROOTUID, UTMPX_FILE and WTMPX_FILE
--- defines.h.orig 2015-08-21 04:49:03.000000000 +0000
+++ defines.h
-@@ -30,6 +30,15 @@
-
- /* Constants */
-
-+#ifdef HAVE_INTERIX
-+/* Interix has a special concept of "administrator". */
-+# define ROOTUID 197108
-+# define ROOTGID 131616
-+#else
-+# define ROOTUID 0
-+# define ROOTGID 0
-+#endif
-+
- #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
- enum
- {
@@ -721,6 +730,24 @@ struct winsize {
# endif
# endif
Index: pkgsrc/security/openssh/patches/patch-sandbox-darwin.c
diff -u pkgsrc/security/openssh/patches/patch-sandbox-darwin.c:1.2 pkgsrc/security/openssh/patches/patch-sandbox-darwin.c:1.3
--- pkgsrc/security/openssh/patches/patch-sandbox-darwin.c:1.2 Mon Jan 18 12:53:26 2016
+++ pkgsrc/security/openssh/patches/patch-sandbox-darwin.c Mon Jul 1 09:19:40 2024
@@ -1,10 +1,11 @@
-$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-sandbox-darwin.c,v 1.3 2024/07/01 09:19:40 wiz Exp $
Support sandbox on newer OSX, from MacPorts.
+https://github.com/macports/macports-ports/blob/master/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
---- sandbox-darwin.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- sandbox-darwin.c.orig 2024-07-01 04:36:28.000000000 +0000
+++ sandbox-darwin.c
-@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+@@ -63,8 +63,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
struct rlimit rl_zero;
debug3("%s: starting Darwin sandbox", __func__);
Added files:
Index: pkgsrc/security/openssh/patches/patch-sshd-session.c
diff -u /dev/null pkgsrc/security/openssh/patches/patch-sshd-session.c:1.1
--- /dev/null Mon Jul 1 09:19:40 2024
+++ pkgsrc/security/openssh/patches/patch-sshd-session.c Mon Jul 1 09:19:40 2024
@@ -0,0 +1,25 @@
+$NetBSD: patch-sshd-session.c,v 1.1 2024/07/01 09:19:40 wiz Exp $
+
+Apple change based on
+https://github.com/macports/macports-ports/blob/master/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
+
+--- sshd-session.c.orig 2024-07-01 08:27:04.662426784 +0000
++++ sshd-session.c
+@@ -376,10 +383,17 @@ privsep_preauth(struct ssh *ssh)
+ /* Arrange for logging to be sent to the monitor */
+ set_log_handler(mm_log_handler, pmonitor);
+
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++ /* We need to do this before we chroot() so we can read sshd.sb */
++ if (box != NULL)
++ ssh_sandbox_child(box);
++#endif
+ privsep_preauth_child();
+ setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ if (box != NULL)
+ ssh_sandbox_child(box);
++#endif
+
+ return 0;
+ }
Home |
Main Index |
Thread Index |
Old Index